keryx 0.12.1 → 0.12.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "keryx",
-  "version": "0.12.1",
+  "version": "0.12.2",
   "module": "index.ts",
   "type": "module",
   "license": "MIT",

package/templates/scaffold/actions-me.ts.mustache

@@ -0,0 +1,43 @@
+import { eq } from "drizzle-orm";
+import {
+  api,
+  Connection,
+  ErrorType,
+  TypedError,
+  type Action,
+  type ActionParams,
+} from "keryx";
+import { HTTP_METHOD } from "keryx/classes/Action.ts";
+import { z } from "zod";
+import { SessionMiddleware } from "../middleware/session";
+import { serializeUser } from "../ops/UserOps";
+import { users } from "../schema/users";
+
+export class MeView implements Action {
+  name = "me:view";
+  description =
+    "Get the currently authenticated user's profile. Requires an active session.";
+  web = { route: "/me", method: HTTP_METHOD.GET };
+  middleware = [SessionMiddleware];
+  inputs = z.object({});
+
+  async run(
+    _params: ActionParams<MeView>,
+    connection: Connection<{ userId?: number }>,
+  ) {
+    const [user] = await api.db.db
+      .select()
+      .from(users)
+      .where(eq(users.id, connection.session!.data.userId!))
+      .limit(1);
+
+    if (!user) {
+      throw new TypedError({
+        message: "User not found",
+        type: ErrorType.CONNECTION_ACTION_NOT_FOUND,
+      });
+    }
+
+    return { user: serializeUser(user) };
+  }
+}

package/templates/scaffold/actions-session.ts.mustache

@@ -0,0 +1,86 @@
+import { eq } from "drizzle-orm";
+import {
+  api,
+  Connection,
+  ErrorType,
+  secret,
+  TypedError,
+  type Action,
+  type ActionParams,
+} from "keryx";
+import { HTTP_METHOD } from "keryx/classes/Action.ts";
+import type { SessionData } from "keryx/initializers/session.ts";
+import { RateLimitMiddleware } from "keryx/middleware/rateLimit.ts";
+import { z } from "zod";
+import { SessionMiddleware } from "../middleware/session";
+import { checkPassword, serializeUser } from "../ops/UserOps";
+import { users } from "../schema/users";
+
+export type SessionImpl = { userId?: number };
+
+export class SessionCreate implements Action {
+  name = "session:create";
+  description =
+    "Sign in with email and password. Creates an authenticated session and returns the user's profile. Call this before using any endpoints that require authentication.";
+  mcp = { enabled: false, isLoginAction: true };
+  middleware = [RateLimitMiddleware];
+  web = { route: "/session", method: HTTP_METHOD.PUT };
+  inputs = z.object({
+    email: z
+      .string()
+      .refine(
+        (val) => val.includes("@") && val.includes("."),
+        "Must be a valid email address",
+      )
+      .transform((val) => val.toLowerCase()),
+    password: secret(z.string().min(8, "Password must be at least 8 characters")),
+  });
+
+  // @ts-ignore - valid action and response type
+  run = async (
+    params: ActionParams<SessionCreate>,
+    connection: Connection<SessionImpl>,
+  ): Promise<{
+    user: Awaited<ReturnType<typeof serializeUser>>;
+    session: SessionData<SessionImpl>;
+  }> => {
+    const [user] = await api.db.db
+      .select()
+      .from(users)
+      .where(eq(users.email, params.email));
+
+    const passwordMatch = user
+      ? await checkPassword(user, params.password)
+      : false;
+
+    if (!user || !passwordMatch) {
+      throw new TypedError({
+        message: "Invalid email or password",
+        type: ErrorType.CONNECTION_ACTION_RUN,
+      });
+    }
+
+    await connection.updateSession({ userId: user.id });
+
+    return {
+      user: serializeUser(user),
+      session: connection.session!,
+    };
+  };
+}
+
+export class SessionDestroy implements Action {
+  name = "session:destroy";
+  description =
+    "Sign out by destroying the current authenticated session. Requires an active session.";
+  web = { route: "/session", method: HTTP_METHOD.DELETE };
+  middleware = [RateLimitMiddleware, SessionMiddleware];
+
+  async run(
+    _params: ActionParams<SessionDestroy>,
+    connection: Connection<SessionImpl>,
+  ) {
+    await api.session.destroy(connection);
+    return { success: true };
+  }
+}

package/templates/scaffold/actions-user.ts.mustache

@@ -0,0 +1,58 @@
+import { eq } from "drizzle-orm";
+import { Action, api, ErrorType, secret, TypedError, type ActionParams } from "keryx";
+import { HTTP_METHOD } from "keryx/classes/Action.ts";
+import { RateLimitMiddleware } from "keryx/middleware/rateLimit.ts";
+import { z } from "zod";
+import { hashPassword, serializeUser } from "../ops/UserOps";
+import { users } from "../schema/users";
+
+export class UserCreate implements Action {
+  name = "user:create";
+  description =
+    "Register a new user account with a name, email, and password. The email must be unique (case-insensitive). Password must be at least 8 characters. Returns the created user's profile.";
+  mcp = { enabled: false, isSignupAction: true };
+  middleware = [RateLimitMiddleware];
+  web = { route: "/user", method: HTTP_METHOD.PUT };
+  inputs = z.object({
+    name: z
+      .string()
+      .min(3, "Name must be at least 3 characters")
+      .max(256, "Name must be less than 256 characters"),
+    email: z
+      .string()
+      .refine(
+        (val) => val.includes("@") && val.includes("."),
+        "Must be a valid email address",
+      )
+      .transform((val) => val.toLowerCase()),
+    password: secret(
+      z.string().min(8, "Password must be at least 8 characters"),
+    ),
+  });
+
+  async run(params: ActionParams<UserCreate>) {
+    const [existingUser] = await api.db.db
+      .select()
+      .from(users)
+      .where(eq(users.email, params.email))
+      .limit(1);
+
+    if (existingUser) {
+      throw new TypedError({
+        message: "A user with that email already exists",
+        type: ErrorType.ACTION_VALIDATION,
+      });
+    }
+
+    const [user] = await api.db.db
+      .insert(users)
+      .values({
+        name: params.name,
+        email: params.email,
+        password_hash: await hashPassword(params.password),
+      })
+      .returning();
+
+    return { user: serializeUser(user) };
+  }
+}

package/templates/scaffold/middleware-session.ts.mustache

@@ -0,0 +1,13 @@
+import { Connection, ErrorType, TypedError } from "keryx";
+import type { ActionMiddleware } from "keryx/classes/Action.ts";
+
+export const SessionMiddleware: ActionMiddleware = {
+  runBefore: async (_params, connection: Connection<{ userId?: number }>) => {
+    if (!connection.session || !connection.session.data.userId) {
+      throw new TypedError({
+        message: "Session not found",
+        type: ErrorType.CONNECTION_SESSION_NOT_FOUND,
+      });
+    }
+  },
+};

package/templates/scaffold/ops-user.ts.mustache

@@ -0,0 +1,19 @@
+import { type User } from "../schema/users";
+
+export async function hashPassword(password: string) {
+  return Bun.password.hash(password);
+}
+
+export async function checkPassword(user: User, password: string) {
+  return Bun.password.verify(password, user.password_hash);
+}
+
+export function serializeUser(user: User) {
+  return {
+    id: user.id,
+    name: user.name,
+    email: user.email,
+    createdAt: user.createdAt.getTime(),
+    updatedAt: user.updatedAt.getTime(),
+  };
+}

package/templates/scaffold/schema-users.ts.mustache

@@ -0,0 +1,32 @@
+import {
+  pgTable,
+  serial,
+  text,
+  timestamp,
+  uniqueIndex,
+  varchar,
+} from "drizzle-orm/pg-core";
+
+export const users = pgTable(
+  "users",
+  {
+    id: serial("id").primaryKey(),
+    name: varchar("name", { length: 256 }).notNull(),
+    email: text("email").notNull().unique(),
+    password_hash: text("password_hash").notNull(),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+    updatedAt: timestamp("updated_at")
+      .notNull()
+      .defaultNow()
+      .$onUpdateFn(() => new Date()),
+  },
+  (users) => {
+    return {
+      nameIndex: uniqueIndex("name_idx").on(users.name),
+      emailIndex: uniqueIndex("email_idx").on(users.email),
+    };
+  },
+);
+
+export type User = typeof users.$inferSelect;
+export type NewUser = typeof users.$inferInsert;

package/util/scaffold.ts

@@ -197,6 +197,60 @@ export async function generateKeryxTsContents(): Promise<string> {
   return loadTemplate("keryx.ts.mustache");
 }
 
+/**
+ * Generate auth scaffold file contents: schema, ops, middleware, and actions
+ * for a working sign-up / sign-in / sign-out / me flow.
+ * Returns a Map of relativePath → content.
+ */
+export async function generateAuthScaffoldContents(): Promise<
+  Map<string, string>
+> {
+  const result = new Map<string, string>();
+
+  const files: [string, string][] = [
+    ["schema/users.ts", "schema-users.ts.mustache"],
+    ["ops/UserOps.ts", "ops-user.ts.mustache"],
+    ["middleware/session.ts", "middleware-session.ts.mustache"],
+    ["actions/user.ts", "actions-user.ts.mustache"],
+    ["actions/session.ts", "actions-session.ts.mustache"],
+    ["actions/me.ts", "actions-me.ts.mustache"],
+  ];
+
+  for (const [filePath, templateName] of files) {
+    const content = await loadTemplate(templateName);
+    result.set(filePath, content);
+  }
+
+  // Pre-generated migration for the users table so the project works out of the box
+  result.set(
+    "drizzle/0000_users.sql",
+    `CREATE TABLE IF NOT EXISTS "users" (\n\t"id" serial PRIMARY KEY NOT NULL,\n\t"name" varchar(256) NOT NULL,\n\t"email" text NOT NULL,\n\t"password_hash" text NOT NULL,\n\t"created_at" timestamp DEFAULT now() NOT NULL,\n\t"updated_at" timestamp DEFAULT now() NOT NULL\n);\n--> statement-breakpoint\nCREATE UNIQUE INDEX IF NOT EXISTS "name_idx" ON "users" ("name");--> statement-breakpoint\nCREATE UNIQUE INDEX IF NOT EXISTS "email_idx" ON "users" ("email");\n`,
+  );
+
+  result.set(
+    "drizzle/meta/_journal.json",
+    JSON.stringify(
+      {
+        version: "5",
+        dialect: "pg",
+        entries: [
+          {
+            idx: 0,
+            version: "5",
+            when: 1711324460394,
+            tag: "0000_users",
+            breakpoints: true,
+          },
+        ],
+      },
+      null,
+      2,
+    ) + "\n",
+  );
+
+  return result;
+}
+
 export async function scaffoldProject(
   projectName: string,
   targetDir: string,
@@ -290,8 +344,16 @@ export async function scaffoldProject(
 
   if (options.includeDb) {
     await writeTemplate("migrations.ts", "migrations.ts.mustache");
-    await write("schema/.gitkeep", "");
-    await write("drizzle/meta/_journal.json", JSON.stringify({ entries: [] }));
+
+    // Auth example replaces the .gitkeep placeholders with real files below;
+    // only write placeholders when not including auth.
+    if (!options.includeExample) {
+      await write("schema/.gitkeep", "");
+      await write(
+        "drizzle/meta/_journal.json",
+        JSON.stringify({ entries: [] }),
+      );
+    }
   }
 
   // --- Built-in actions (always included) ---
@@ -306,10 +368,19 @@ export async function scaffoldProject(
     await write(filePath, content);
   }
 
-  // --- Example action ---
+  // --- Example: auth actions (when db) or hello action (when no db) ---
 
   if (options.includeExample) {
-    await writeTemplate("actions/hello.ts", "hello-action.ts.mustache");
+    if (options.includeDb) {
+      // Full auth starter: sign up, sign in, sign out, and a protected /me endpoint
+      const authFiles = await generateAuthScaffoldContents();
+      for (const [filePath, content] of authFiles) {
+        await write(filePath, content);
+      }
+    } else {
+      // No DB — fall back to the simple hello action
+      await writeTemplate("actions/hello.ts", "hello-action.ts.mustache");
+    }
   }
 
   return createdFiles;