minutework 0.1.40 → 0.1.41

package/assets/templates/vuilder-shell/src/features/shell/components/authenticated-app-layout-shell.tsx

@@ -0,0 +1,84 @@
+"use client";
+
+import type { ReactNode } from "react";
+import Link from "next/link";
+import { useRouter } from "next/navigation";
+import { LayoutDashboard, LogOut, PlaySquare } from "lucide-react";
+
+import { ThemeModeToggle } from "@/design-system/patterns/theme-mode-toggle";
+import { Button } from "@/design-system/primitives/button";
+import { appRoutes } from "@/lib/app-routes";
+import type {
+  AuthenticatedPlatformSession,
+  SessionMembership,
+} from "@/lib/platform/contracts";
+
+export function AuthenticatedAppLayoutShell({
+  appName,
+  membership,
+  session,
+  children,
+}: {
+  appName: string;
+  membership: SessionMembership;
+  session: AuthenticatedPlatformSession;
+  children: ReactNode;
+}) {
+  const router = useRouter();
+
+  async function handleLogout() {
+    await fetch("/api/auth/logout", { method: "POST" }).catch(() => undefined);
+    router.replace(appRoutes.loginForWorkspace(membership.workspace_slug));
+    router.refresh();
+  }
+
+  return (
+    <main className="min-h-screen bg-background text-foreground">
+      <div className="mx-auto flex min-h-screen max-w-7xl flex-col gap-6 px-6 py-8">
+        <header className="flex flex-col gap-6 xl:flex-row xl:items-start xl:justify-between">
+          <div className="space-y-2">
+            <p className="text-sm font-semibold uppercase tracking-widest text-muted-foreground">
+              {membership.workspace_name || membership.tenant_name}
+            </p>
+            <h1 className="max-w-3xl text-4xl font-semibold tracking-tight text-balance sm:text-5xl">
+              {appName}
+            </h1>
+            <p className="max-w-3xl text-base leading-7 text-muted-foreground sm:text-lg">
+              Signed in as {session.user?.email || session.user?.username}.
+            </p>
+          </div>
+
+          <div className="flex flex-col gap-3 sm:flex-row sm:items-start">
+            <ThemeModeToggle className="w-full sm:w-72" />
+            <Button
+              type="button"
+              variant="outline"
+              className="gap-2"
+              onClick={handleLogout}
+            >
+              <LogOut className="size-4" />
+              Log out
+            </Button>
+          </div>
+        </header>
+
+        <nav className="flex flex-wrap gap-2">
+          <Button asChild variant="default">
+            <Link href={appRoutes.workspaceShell(membership.workspace_slug)}>
+              <LayoutDashboard className="size-4" />
+              Dashboard
+            </Link>
+          </Button>
+          <Button asChild variant="outline">
+            <Link href={appRoutes.demo}>
+              <PlaySquare className="size-4" />
+              Demo
+            </Link>
+          </Button>
+        </nav>
+
+        {children}
+      </div>
+    </main>
+  );
+}

package/assets/templates/vuilder-shell/src/features/shell/components/private-app-shell.tsx

@@ -0,0 +1,22 @@
+import { TenantDashboard } from "@/features/dashboard/components/tenant-dashboard";
+import { VuilderConnectScreen } from "@/features/vuilder-shell/components/vuilder-connect-screen";
+import type {
+  PlatformSession,
+  SessionMembership,
+} from "@/lib/platform/contracts";
+
+export function PrivateAppShell({
+  appName,
+  membership,
+  session,
+}: {
+  appName: string;
+  membership: SessionMembership | null;
+  session: PlatformSession;
+}) {
+  if (!session.authenticated || !membership) {
+    return <VuilderConnectScreen session={session} workspaceSlug="workspace" />;
+  }
+
+  return <TenantDashboard appName={appName} membership={membership} session={session} />;
+}

package/assets/templates/vuilder-shell/src/features/vuilder-shell/components/vuilder-connect-screen.tsx

@@ -0,0 +1,89 @@
+import Link from "next/link";
+import { ArrowRight, CheckCircle2, ServerCog } from "lucide-react";
+
+import { PanelFrame } from "@/design-system/patterns/panel-frame";
+import { StatusBadge } from "@/design-system/patterns/status-badge";
+import { Button } from "@/design-system/primitives/button";
+import { appRoutes } from "@/lib/app-routes";
+import type { PlatformSession } from "@/lib/platform/contracts";
+import { workspaceMembershipForSession } from "@/lib/platform/contracts";
+
+export function VuilderConnectScreen({
+  session,
+  workspaceSlug,
+}: {
+  session: PlatformSession;
+  workspaceSlug: string;
+}) {
+  const membership = workspaceMembershipForSession(session, workspaceSlug);
+  const tenantName = membership?.workspace_name || membership?.tenant_name || workspaceSlug;
+  const hasWorkspaceMembership = Boolean(membership);
+  const isAuthenticated = session.authenticated;
+
+  return (
+    <main className="min-h-screen bg-background text-foreground">
+      <div className="mx-auto flex min-h-screen max-w-5xl items-center px-6 py-10">
+        <PanelFrame tone="floating" radius="xl" padding="lg" className="w-full space-y-6">
+          <div className="flex items-center gap-3 text-primary">
+            {hasWorkspaceMembership ? (
+              <CheckCircle2 className="size-5" />
+            ) : (
+              <ServerCog className="size-5" />
+            )}
+            <p className="text-sm font-semibold uppercase tracking-widest">
+              Vuilder Shell
+            </p>
+          </div>
+
+          <div className="space-y-3">
+            <h1 className="text-4xl font-semibold tracking-tight text-balance">
+              {hasWorkspaceMembership
+                ? `${tenantName} is ready to open.`
+                : isAuthenticated
+                  ? "Workspace access is not available."
+                  : "Sign in to open this customer workspace."}
+            </h1>
+            <p className="max-w-2xl text-base leading-7 text-muted-foreground">
+              Runtime provisioning and app-pack installation are owned by the
+              platform onboarding intent. This shell opens the branded tenant
+              experience after the customer session is available.
+            </p>
+          </div>
+
+          <div className="grid gap-3 sm:grid-cols-3">
+            <StatusBadge tone={isAuthenticated ? "success" : "default"}>
+              Identity
+            </StatusBadge>
+            <StatusBadge tone="primary">Runtime</StatusBadge>
+            <StatusBadge tone="primary">App Pack</StatusBadge>
+          </div>
+
+          <div className="flex flex-col gap-3 sm:flex-row">
+            {hasWorkspaceMembership ? (
+              <Button asChild className="gap-2">
+                <Link href={appRoutes.workspaceShell(workspaceSlug)}>
+                  Open Workspace
+                  <ArrowRight className="size-4" />
+                </Link>
+              </Button>
+            ) : !isAuthenticated ? (
+              <Button asChild className="gap-2">
+                <Link href={appRoutes.loginForWorkspaceConnect(workspaceSlug)}>
+                  Open Login
+                  <ArrowRight className="size-4" />
+                </Link>
+              </Button>
+            ) : (
+              <Button asChild variant="outline" className="gap-2">
+                <Link href={appRoutes.appHome}>
+                  Workspace Home
+                  <ArrowRight className="size-4" />
+                </Link>
+              </Button>
+            )}
+          </div>
+        </PanelFrame>
+      </div>
+    </main>
+  );
+}

package/assets/templates/vuilder-shell/src/features/vuilder-shell/components/vuilder-workspace-screen.tsx

@@ -0,0 +1,49 @@
+import { Building2, Package, ServerCog } from "lucide-react";
+
+import { PanelFrame } from "@/design-system/patterns/panel-frame";
+import { StatusBadge } from "@/design-system/patterns/status-badge";
+import { TenantDashboard } from "@/features/dashboard/components/tenant-dashboard";
+import type {
+  AuthenticatedPlatformSession,
+  SessionMembership,
+} from "@/lib/platform/contracts";
+
+export function VuilderWorkspaceScreen({
+  appName,
+  membership,
+  session,
+  workspaceSlug,
+}: {
+  appName: string;
+  membership: SessionMembership;
+  session: AuthenticatedPlatformSession;
+  workspaceSlug: string;
+}) {
+  return (
+    <div className="grid gap-6">
+      <PanelFrame tone="floating" radius="xl" padding="lg" className="space-y-4">
+        <div className="flex flex-wrap gap-3">
+          <StatusBadge tone="primary">
+            <Building2 className="mr-1 size-3" />
+            {membership.workspace_slug || workspaceSlug}
+          </StatusBadge>
+          <StatusBadge tone="primary">
+            <ServerCog className="mr-1 size-3" />
+            {membership.runtime_status || "Runtime status"}
+          </StatusBadge>
+          <StatusBadge tone="primary">
+            <Package className="mr-1 size-3" />
+            App pack status
+          </StatusBadge>
+        </div>
+        <p className="max-w-3xl text-sm leading-7 text-muted-foreground">
+          This branded shell renders the tenant experience for the active
+          customer session. Identity, provisioning, and install authority remain
+          on the MinuteWork platform path.
+        </p>
+      </PanelFrame>
+
+      <TenantDashboard appName={appName} membership={membership} session={session} />
+    </div>
+  );
+}

package/assets/templates/vuilder-shell/src/lib/app-routes.test.ts

@@ -0,0 +1,37 @@
+import { describe, expect, it } from "vitest";
+
+import { appRoutes } from "@/lib/app-routes";
+
+describe("appRoutes", () => {
+  it("builds a blog route from a single slug segment", () => {
+    expect(appRoutes.blogPost("launching-the-combined-web-starter")).toBe(
+      "/blog/launching-the-combined-web-starter",
+    );
+    expect(appRoutes.blogPost(["launching-the-combined-web-starter"])).toBe(
+      "/blog/launching-the-combined-web-starter",
+    );
+  });
+
+  it("rejects multi-segment blog slugs instead of truncating them", () => {
+    expect(() => appRoutes.blogPost(["release", "v1"])).toThrow(
+      "Blog routes require exactly one slug segment.",
+    );
+  });
+
+  it("builds branded workspace shell routes", () => {
+    expect(appRoutes.workspaceConnect("fleet-alpha")).toBe("/w/fleet-alpha/connect");
+    expect(appRoutes.workspaceShell(["fleet alpha"])).toBe("/w/fleet%20alpha");
+    expect(appRoutes.loginForWorkspace("fleet-alpha")).toBe(
+      "/login?return_to=%2Fw%2Ffleet-alpha",
+    );
+    expect(appRoutes.loginForWorkspaceConnect("fleet-alpha")).toBe(
+      "/login?return_to=%2Fw%2Ffleet-alpha%2Fconnect",
+    );
+  });
+
+  it("rejects ambiguous workspace route segments", () => {
+    expect(() => appRoutes.workspaceShell(["fleet", "alpha"])).toThrow(
+      "Workspace routes require exactly one slug segment.",
+    );
+  });
+});

package/assets/templates/vuilder-shell/src/lib/app-routes.ts

@@ -0,0 +1,86 @@
+import type { Route } from "next";
+
+function joinRouteSegments(segments: readonly string[]) {
+  return segments.map((segment) => encodeURIComponent(segment)).join("/");
+}
+
+function requireSingleRouteSegment(
+  slug: string | readonly string[],
+  routeLabel: string,
+) {
+  if (typeof slug === "string") {
+    const segment = slug.trim();
+
+    if (segment.length === 0) {
+      throw new Error(`${routeLabel} require a non-empty slug segment.`);
+    }
+
+    return segment;
+  }
+
+  if (slug.length !== 1) {
+    throw new Error(`${routeLabel} require exactly one slug segment.`);
+  }
+
+  const [segment] = slug;
+  const normalizedSegment = segment?.trim();
+
+  if (!normalizedSegment) {
+    throw new Error(`${routeLabel} require a non-empty slug segment.`);
+  }
+
+  return normalizedSegment;
+}
+
+const publicHomeRoute: Route = "/";
+const pricingRoute: Route = "/pricing";
+const docsIndexRoute: Route = "/docs";
+const blogIndexRoute: Route = "/blog";
+const loginRoute: Route = "/login";
+const appHomeRoute: Route = "/app";
+const demoRoute = "/app/demo" as Route;
+
+function loginWithReturnTo(returnTo: Route) {
+  const params = new URLSearchParams({ return_to: returnTo });
+  return `${loginRoute}?${params.toString()}` as Route;
+}
+
+function workspaceShellRoute(workspaceSlug: string | readonly string[]) {
+  return `/w/${encodeURIComponent(
+    requireSingleRouteSegment(workspaceSlug, "Workspace routes"),
+  )}` as Route;
+}
+
+function workspaceConnectRoute(workspaceSlug: string | readonly string[]) {
+  return `${workspaceShellRoute(workspaceSlug)}/connect` as Route;
+}
+
+export const appRoutes = {
+  publicHome: publicHomeRoute,
+  pricing: pricingRoute,
+  docsIndex: docsIndexRoute,
+  docsPage(slugParts: readonly string[]) {
+    return `/docs/${joinRouteSegments(slugParts)}` as Route;
+  },
+  blogIndex: blogIndexRoute,
+  blogPost(slug: string | readonly string[]) {
+    return `/blog/${encodeURIComponent(
+      requireSingleRouteSegment(slug, "Blog routes"),
+    )}` as Route;
+  },
+  login: loginRoute,
+  loginForWorkspace(workspaceSlug: string | readonly string[]) {
+    return loginWithReturnTo(workspaceShellRoute(workspaceSlug));
+  },
+  loginForWorkspaceConnect(workspaceSlug: string | readonly string[]) {
+    return loginWithReturnTo(workspaceConnectRoute(workspaceSlug));
+  },
+  appHome: appHomeRoute,
+  demo: demoRoute,
+  workspaceShell(workspaceSlug: string | readonly string[]) {
+    return workspaceShellRoute(workspaceSlug);
+  },
+  workspaceConnect(workspaceSlug: string | readonly string[]) {
+    return workspaceConnectRoute(workspaceSlug);
+  },
+};

package/assets/templates/vuilder-shell/src/lib/auth-routes.server.test.ts

@@ -0,0 +1,26 @@
+import { describe, expect, it } from "vitest";
+
+import { buildCentralSsoLoginUrl, buildShellAbsoluteUrl } from "@/lib/auth-routes.server";
+
+describe("auth route helpers", () => {
+  it("builds an SSO login URL that returns to the requested workspace path", () => {
+    expect(buildCentralSsoLoginUrl("/w/fleet-alpha/connect", "state-1")).toBe(
+      "http://127.0.0.1:3400/login?returnTo=http%3A%2F%2F127.0.0.1%3A3301%2Fw%2Ffleet-alpha%2Fconnect%3Fmw_shell_state%3Dstate-1",
+    );
+  });
+
+  it("normalizes bare workspace returns to the connect route for shell handoff", () => {
+    expect(buildCentralSsoLoginUrl("/w/fleet-alpha", "state-1")).toBe(
+      "http://127.0.0.1:3400/login?returnTo=http%3A%2F%2F127.0.0.1%3A3301%2Fw%2Ffleet-alpha%2Fconnect%3Fmw_shell_state%3Dstate-1",
+    );
+  });
+
+  it("falls back to /app for unsafe return paths", () => {
+    expect(buildShellAbsoluteUrl("https://evil.example.com")).toBe(
+      "http://127.0.0.1:3301/app",
+    );
+    expect(buildShellAbsoluteUrl("//evil.example.com")).toBe(
+      "http://127.0.0.1:3301/app",
+    );
+  });
+});

package/assets/templates/vuilder-shell/src/lib/auth-routes.server.ts

@@ -0,0 +1,53 @@
+import "server-only";
+
+import type { Route } from "next";
+
+import { appRoutes } from "@/lib/app-routes";
+import { getEnv } from "@/lib/platform/env.server";
+
+const SHELL_HANDOFF_STATE_PARAM = "mw_shell_state";
+
+function normalizeShellReturnPath(value?: string | null): Route {
+  const candidate = String(value ?? "").trim();
+  if (!candidate || !candidate.startsWith("/") || candidate.startsWith("//")) {
+    return appRoutes.appHome;
+  }
+
+  try {
+    const parsed = new URL(candidate, "http://localhost");
+    if (parsed.origin !== "http://localhost" || !parsed.pathname.startsWith("/")) {
+      return appRoutes.appHome;
+    }
+    const segments = parsed.pathname.split("/").filter(Boolean);
+    if (segments.length === 2 && segments[0] === "w") {
+      const workspaceSlug = decodeURIComponent(segments[1] ?? "");
+      return `${appRoutes.workspaceConnect(workspaceSlug)}${parsed.search}${parsed.hash}` as Route;
+    }
+    return `${parsed.pathname}${parsed.search}${parsed.hash}` as Route;
+  } catch {
+    return appRoutes.appHome;
+  }
+}
+
+export function buildShellAbsoluteUrl(
+  path: string | null | undefined,
+  handoffState?: string | null,
+) {
+  const { MW_PUBLIC_BASE_URL } = getEnv();
+  const url = new URL(normalizeShellReturnPath(path), MW_PUBLIC_BASE_URL);
+  const normalizedState = String(handoffState ?? "").trim();
+  if (normalizedState) {
+    url.searchParams.set(SHELL_HANDOFF_STATE_PARAM, normalizedState);
+  }
+  return url.toString();
+}
+
+export function buildCentralSsoLoginUrl(
+  returnPath?: string | null,
+  handoffState?: string | null,
+) {
+  const { MW_AUTH_BASE_URL } = getEnv();
+  const url = new URL("/login", MW_AUTH_BASE_URL);
+  url.searchParams.set("returnTo", buildShellAbsoluteUrl(returnPath, handoffState));
+  return url.toString();
+}

package/assets/templates/vuilder-shell/src/lib/http/same-origin.test.ts

@@ -0,0 +1,23 @@
+import { describe, expect, it } from "vitest";
+
+import { hasTrustedBrowserOrigin } from "@/lib/http/same-origin";
+
+describe("hasTrustedBrowserOrigin", () => {
+  it("accepts a same-origin browser POST", () => {
+    const request = new Request("https://shell.example.com/api/auth/logout", {
+      method: "POST",
+      headers: { origin: "https://shell.example.com" },
+    });
+
+    expect(hasTrustedBrowserOrigin(request)).toBe(true);
+  });
+
+  it("rejects a cross-origin browser POST", () => {
+    const request = new Request("https://shell.example.com/api/auth/logout", {
+      method: "POST",
+      headers: { origin: "https://evil.example.com" },
+    });
+
+    expect(hasTrustedBrowserOrigin(request)).toBe(false);
+  });
+});

package/assets/templates/vuilder-shell/src/lib/http/same-origin.ts

@@ -0,0 +1,18 @@
+export function hasTrustedBrowserOrigin(request: Request) {
+  const requestOrigin = new URL(request.url).origin;
+  const origin = request.headers.get("origin");
+  if (origin) {
+    return origin === requestOrigin;
+  }
+
+  const referer = request.headers.get("referer");
+  if (referer) {
+    try {
+      return new URL(referer).origin === requestOrigin;
+    } catch {
+      return false;
+    }
+  }
+
+  return request.headers.get("sec-fetch-site") === "same-origin";
+}