howone 0.1.18 → 0.1.19

package/bin/index.mjs

@@ -1,16 +1,19 @@
 #!/usr/bin/env bun
 import { createRequire } from "node:module";
-import { say, spinner } from "@astrojs/cli-kit";
-import { cancel, confirm, isCancel, select, text } from "@clack/prompts";
+import { execFile } from "node:child_process";
 import { readdir, rename, stat, writeFile } from "node:fs/promises";
-import { copy, emptyDir, ensureDir, pathExists } from "fs-extra/esm";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
+import { promisify } from "node:util";
+import { say, spinner } from "@astrojs/cli-kit";
+import { cancel, confirm, isCancel, select, text } from "@clack/prompts";
+import { copy, emptyDir, ensureDir, pathExists } from "fs-extra/esm";
 import pc from "picocolors";
 import validatePackageName from "validate-npm-package-name";
 import yargsParser from "yargs-parser";
 //#region src/index.ts
 const packageJson = createRequire(import.meta.url)("../package.json");
+const execFileAsync = promisify(execFile);
 const DEFAULT_PROJECT_NAME = "howone-app";
 const TEMPLATES = ["vite", "nextjs"];
 const TEMPLATE_ALIASES = {
@@ -111,10 +114,13 @@ function compact(values) {
 async function runInitApp(pathArgs, options) {
 	const plan = await resolveCreatePlan(pathArgs, options, path.resolve(options.cwd ?? process.cwd()), process.stdout.isTTY && !options.yes && !options.json);
 	const howoneContext = resolveHowoneCreateContext();
-	if (options.json) await createTemplate(plan, howoneContext, true);
-	else {
+	if (options.json) {
+		await createTemplate(plan, howoneContext, true);
+		await installTemplateDependencies(plan, true);
+	} else {
 		await say(pc.bold("HowOne"));
 		await createTemplate(plan, howoneContext, false);
+		await installTemplateDependencies(plan, false);
 	}
 	const result = {
 		ok: true,
@@ -128,11 +134,7 @@ async function runInitApp(pathArgs, options) {
 			env: howoneContext.env,
 			envFile: path.join(plan.targetDir, ".env")
 		} } : {},
-		nextSteps: [
-			`cd ${formatPathForShell(path.relative(plan.cwd, plan.targetDir) || ".")}`,
-			"bun install",
-			"bun run dev"
-		]
+		nextSteps: [`cd ${formatPathForShell(path.relative(plan.cwd, plan.targetDir) || ".")}`, "bun run dev"]
 	};
 	if (options.json) {
 		console.log(JSON.stringify(result, null, 2));
@@ -291,6 +293,30 @@ async function createTemplate(plan, howoneContext, json) {
 		while: () => performCreateTemplate(plan, howoneContext)
 	});
 }
+async function installTemplateDependencies(plan, json) {
+	const install = async () => {
+		try {
+			await execFileAsync("bun", ["install"], {
+				cwd: plan.targetDir,
+				maxBuffer: 10 * 1024 * 1024
+			});
+		} catch (error) {
+			throw new CliError("E_DEP_INSTALL_FAILED", "Failed to install dependencies with bun.", error && typeof error === "object" ? {
+				stdout: "stdout" in error ? String(error.stdout ?? "") : void 0,
+				stderr: "stderr" in error ? String(error.stderr ?? "") : void 0
+			} : void 0);
+		}
+	};
+	if (json) {
+		await install();
+		return;
+	}
+	await spinner({
+		start: "Installing dependencies with bun",
+		end: "Dependencies installed",
+		while: install
+	});
+}
 async function performCreateTemplate(plan, howoneContext) {
 	const templateDir = getTemplateDir(plan.template);
 	if (plan.force && await pathExists(plan.targetDir)) await emptyDir(plan.targetDir);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "howone",
-  "version": "0.1.18",
+  "version": "0.1.19",
   "private": false,
   "description": "HowOne command line tools for creating app templates.",
   "type": "module",

package/templates/vite/AGENTS.md

@@ -1,53 +1,45 @@
 # AGENTS.md
 
-This file defines project-specific instructions for coding agents.
+This is a standard HowOne Vite app.
 
-Read this file once when entering the project.
-Follow it during implementation.
-Do not repeatedly reread it unless it changes or the current task requires checking project rules again.
+Read this file once when entering the project, follow it during implementation, and do not reread it unless it changes or the current task genuinely requires checking project rules again.
 
-## Multi-turn Policy
+## Project Defaults
 
-After reading this file, maintain a concise project policy summary for the active workspace session.
-Use that summary across turns instead of rereading this file or relying on old chat history.
+- Package manager: `bun`
+- Common commands: `bun run dev`, `bun run typecheck`, `bun run build`
+- The scaffold normally installs dependencies during `howone init app`. If `node_modules` is missing, run `bun install` before validation instead of treating missing binaries as code failures.
+- Default stack: React, Vite, TypeScript, Tailwind CSS, shadcn/ui-style components, `@howone/sdk`
 
-The project policy summary should stay short and include only durable rules:
+## Source of Truth
 
-- package manager and common commands
-- trusted libraries and framework assumptions
-- context-loading rules
-- validation rules
-- project-specific constraints
+Use project-local sources in this order:
 
-Do not store transient command output, temporary reasoning, full file contents, or step-by-step logs in the project policy.
+1. Synced HowOne manifests under `.howone/`
+2. Generated SDK bindings such as `src/lib/sdk.ts`
+3. The smallest directly relevant app files
+4. Package/config metadata
+5. Dependency source only when a concrete mismatch or missing detail remains
 
-Maintain a separate short task state summary while implementing a user request:
+Do not guess generated entity names, AI action names, schemas, workflow IDs, or auth behavior when a synced manifest exists.
 
-- current goal
-- current phase: explore, implement, validate, fix, or done
-- files already read
-- files changed
-- last validation command and result
-- known blockers or open questions
+## Context Discipline
 
-Use task state to avoid repeating exploration or rereading unchanged files. Reset or replace it when the user starts a new unrelated task.
-
-Do not reread this file unless:
-
-- this file changed
-- the project policy summary is unavailable
-- the task enters a nested project with its own `AGENTS.md`
-- validation errors suggest a project rule was missed
+Start with the smallest useful context:
 
-## Library Trust Policy
+1. Read the smallest file that directly controls the requested behavior.
+2. Prefer manifests, config, and public library APIs before local library internals.
+3. Expand only when implementation, validation, or a concrete ambiguity requires it.
 
-For common public libraries already known to modern coding models, prefer model knowledge and package metadata over reading local source files.
+For ordinary page or feature work:
 
-This project may include generated or vendored library-style files, such as shadcn/ui components under `src/components/ui/*`.
+- Start with the relevant route, page, feature component, or entry file.
+- Read additional local files only when they directly control the behavior being changed or resolve a specific uncertainty.
+- If a manifest, config file, or validation error answers the question, prefer that over widening the file search.
 
-Do not inspect these files during ordinary feature work just to confirm standard APIs.
+## Trusted Libraries
 
-Examples of trusted public libraries:
+Treat common public libraries as known dependencies during ordinary feature work:
 
 - React
 - Vite
@@ -59,39 +51,38 @@ Examples of trusted public libraries:
 - clsx
 - class-variance-authority
 
-When implementing ordinary usage of these libraries:
+Do not inspect `src/components/ui/*` or other library-style source files just to rediscover standard APIs.
 
-1. Use standard public APIs first.
-2. Read `package.json`, `components.json`, `tsconfig.json`, or alias config only when needed.
-3. Implement the feature.
-4. Run build/typecheck.
-5. Inspect the smallest relevant local file only if validation fails or the API is genuinely unclear.
+Using or importing a standard UI primitive is not by itself a reason to read its local source. For ordinary feature work, use the public component name and existing import path first.
 
-Only read local component or library-style source files when:
+Read local component or library-style source only when:
 
-- build/typecheck fails
-- imports cannot be resolved from `package.json`, `tsconfig.json`, or `components.json`
-- the component API is unclear
-- the task requires modifying the component implementation
-- the project has custom wrappers, custom variants, or unusual exports
+- validation fails
+- imports cannot be resolved from package/config metadata
+- the API is genuinely unclear
+- the task edits that component
+- the project has custom wrappers, variants, or unusual exports
 - the user explicitly asks to follow local component conventions
 
 Prefer failure-driven inspection over speculative context loading.
 
-## Context Budget Policy
-
-Start with the smallest useful context:
+## HowOne Runtime and Auth
 
-1. Identify the app root and relevant scripts.
-2. Read the smallest file that directly controls the requested behavior.
-3. Prefer package metadata, config files, and public API usage before local library internals.
-4. Expand to additional files only when implementation, validation, or ambiguity requires it.
+- Use synced HowOne manifests plus `src/lib/sdk.ts` as the source of truth for generated entity and AI bindings.
+- For SDK work, use the `howone-sdk` skill before relying on package internals.
+- Choose auth posture from the schema access contract, not from guesswork:
+  - authenticated/private app data uses `howone.entities.*`; the backend derives ownership from the JWT
+  - public pages use `howone.public.entities.*` only when the manifest explicitly allows public access
+- For private authenticated features, use the app-level HowOne auth flow instead of inventing unauthenticated fallback data paths.
+- Do not pass owner fields such as `created_by_id`, `created_by_user_id`, `ownerId`, or `puid` into authenticated entity queries or writes.
 
-Avoid broad project scans unless the user asks for a repository-wide change or the relevant files are genuinely unknown.
+## Validation
 
-## Validation Policy
+After meaningful code changes:
 
-After meaningful code changes, run the narrowest relevant validation command available in this project.
-Prefer build or typecheck before deeper investigation into library internals.
+1. If dependencies are unavailable, run `bun install` first.
+2. Run the narrowest relevant validation, usually `bun run typecheck`.
+3. Run `bun run build` when the change affects app wiring, SDK integration, routes, or production bundling.
+4. If validation fails, inspect the smallest failing surface before widening context.
 
-If validation fails, inspect the smallest file or error location needed to fix the failure.
+Work is complete when the requested change is implemented, relevant validation has been run, and any remaining blocker is reported clearly.

package/templates/vite/package.json

@@ -14,7 +14,7 @@
   "dependencies": {
     "@base-ui/react": "^1.4.1",
     "@fontsource-variable/inter": "^5.2.8",
-    "@howone/sdk": "2.0.0-beta.15",
+    "@howone/sdk": "2.0.0-beta.16",
     "@tailwindcss/vite": "^4.2.1",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",