ont-run 0.0.1 → 0.0.2

package/README.md

@@ -21,12 +21,14 @@ export default defineOntology({
     getTicket: {
       description: 'Get ticket details',
       access: ['support', 'admin'],
+      entities: ['Ticket'],
       inputs: z.object({ ticketId: z.string().uuid() }),
       resolver: './resolvers/getTicket.ts',
     },
     assignTicket: {
       description: 'Assign ticket to an agent',
       access: ['admin'],  // If AI tries to add 'public' here, review is triggered
+      entities: ['Ticket'],
       inputs: z.object({ ticketId: z.string().uuid(), assignee: z.string() }),
       resolver: './resolvers/assignTicket.ts',
     },

package/dist/bin/ont.js

@@ -6165,9 +6165,26 @@ function getFieldFromMetadata(schema) {
   }
   return null;
 }
-var FIELD_FROM_METADATA;
+function hasUserContextMetadata(schema) {
+  return schema !== null && typeof schema === "object" && USER_CONTEXT_METADATA in schema && schema[USER_CONTEXT_METADATA] === true;
+}
+function getUserContextFields(schema) {
+  const fields = [];
+  if (schema instanceof exports_external.ZodObject) {
+    const shape = schema.shape;
+    for (const [key, value] of Object.entries(shape)) {
+      if (hasUserContextMetadata(value)) {
+        fields.push(key);
+      }
+    }
+  }
+  return fields;
+}
+var FIELD_FROM_METADATA, USER_CONTEXT_METADATA;
 var init_categorical = __esm(() => {
+  init_zod();
   FIELD_FROM_METADATA = Symbol.for("ont:fieldFrom");
+  USER_CONTEXT_METADATA = Symbol.for("ont:userContext");
 });
 
 // src/lockfile/hasher.ts
@@ -6226,13 +6243,16 @@ function extractOntology(config) {
       }
     }
     const fieldReferences = extractFieldReferences(fn.inputs);
+    const userContextFields = getUserContextFields(fn.inputs);
+    const usesUserContext = userContextFields.length > 0;
     functions[name] = {
       description: fn.description,
       access: [...fn.access].sort(),
       entities: [...fn.entities].sort(),
       inputsSchema,
       outputsSchema,
-      fieldReferences: fieldReferences.length > 0 ? fieldReferences : undefined
+      fieldReferences: fieldReferences.length > 0 ? fieldReferences : undefined,
+      usesUserContext: usesUserContext || undefined
     };
   }
   return {
@@ -6330,7 +6350,8 @@ function diffOntology(oldOntology, newOntology) {
       const outputsChanged = JSON.stringify(oldFn.outputsSchema) !== JSON.stringify(newFn.outputsSchema);
       const entitiesChanged = JSON.stringify(oldFn.entities) !== JSON.stringify(newFn.entities);
       const fieldReferencesChanged = JSON.stringify(oldFn.fieldReferences) !== JSON.stringify(newFn.fieldReferences);
-      if (accessChanged || descriptionChanged || inputsChanged || outputsChanged || entitiesChanged || fieldReferencesChanged) {
+      const userContextChanged = !!oldFn.usesUserContext !== !!newFn.usesUserContext;
+      if (accessChanged || descriptionChanged || inputsChanged || outputsChanged || entitiesChanged || fieldReferencesChanged || userContextChanged) {
         functions.push({
           name,
           type: "modified",
@@ -6343,7 +6364,9 @@ function diffOntology(oldOntology, newOntology) {
           entitiesChanged: entitiesChanged || undefined,
           oldEntities: entitiesChanged ? oldFn.entities : undefined,
           newEntities: entitiesChanged ? newFn.entities : undefined,
-          fieldReferencesChanged: fieldReferencesChanged || undefined
+          fieldReferencesChanged: fieldReferencesChanged || undefined,
+          userContextChanged: userContextChanged || undefined,
+          usesUserContext: userContextChanged ? newFn.usesUserContext : undefined
         });
       }
     }
@@ -6421,6 +6444,9 @@ function formatDiffForConsole(diff) {
         if (fn.fieldReferencesChanged) {
           lines.push(`    Field references: changed`);
         }
+        if (fn.userContextChanged) {
+          lines.push(`    User context: ${fn.usesUserContext ? "added" : "removed"}`);
+        }
       }
     }
   }
@@ -8405,7 +8431,7 @@ var initCommand = defineCommand({
     if (!existsSync(resolversDir)) {
       mkdirSync(resolversDir, { recursive: true });
     }
-    const configTemplate = `import { defineOntology } from 'ont-run';
+    const configTemplate = `import { defineOntology, userContext } from 'ont-run';
 import { z } from 'zod';
 
 export default defineOntology({
@@ -8417,13 +8443,22 @@ export default defineOntology({
   },
 
   // Pluggable auth - customize this for your use case
+  // Return { groups, user } for row-level access control
   auth: async (req) => {
     const token = req.headers.get('Authorization');
-    // Return access groups based on auth
+    // Return access groups and optional user data
     // This is where you'd verify JWTs, API keys, etc.
-    if (!token) return ['public'];
-    if (token === 'admin-secret') return ['admin', 'support', 'public'];
-    return ['support', 'public'];
+    if (!token) return { groups: ['public'] };
+    if (token === 'admin-secret') {
+      return {
+        groups: ['admin', 'support', 'public'],
+        user: { id: 'admin-1', email: 'admin@example.com' },
+      };
+    }
+    return {
+      groups: ['support', 'public'],
+      user: { id: 'user-1', email: 'user@example.com' },
+    };
   },
 
   accessGroups: {
@@ -8432,21 +8467,32 @@ export default defineOntology({
     admin: { description: 'Administrators' },
   },
 
+  entities: {
+    User: { description: 'A user account' },
+  },
+
   functions: {
     // Example: Public function
     healthCheck: {
       description: 'Check API health status',
       access: ['public', 'support', 'admin'],
+      entities: [],
       inputs: z.object({}),
       resolver: './resolvers/healthCheck.ts',
     },
 
-    // Example: Restricted function
+    // Example: Restricted function with row-level access
     getUser: {
       description: 'Get user details by ID',
       access: ['support', 'admin'],
+      entities: ['User'],
       inputs: z.object({
         userId: z.string().uuid(),
+        // currentUser is injected from auth - not visible to API callers
+        currentUser: userContext(z.object({
+          id: z.string(),
+          email: z.string(),
+        })),
       }),
       resolver: './resolvers/getUser.ts',
     },
@@ -8455,6 +8501,7 @@ export default defineOntology({
     deleteUser: {
       description: 'Delete a user account',
       access: ['admin'],
+      entities: ['User'],
       inputs: z.object({
         userId: z.string().uuid(),
         reason: z.string().optional(),
@@ -8482,10 +8529,21 @@ export default async function healthCheck(ctx: ResolverContext, args: {}) {
 
 interface GetUserArgs {
   userId: string;
+  currentUser: {
+    id: string;
+    email: string;
+  };
 }
 
 export default async function getUser(ctx: ResolverContext, args: GetUserArgs) {
   ctx.logger.info(\`Getting user: \${args.userId}\`);
+  ctx.logger.info(\`Requested by: \${args.currentUser.email}\`);
+
+  // Example: Check if user can access this resource
+  // Support can only view their own account
+  if (!ctx.accessGroups.includes('admin') && args.userId !== args.currentUser.id) {
+    throw new Error('You can only view your own account');
+  }
 
   // This is where you'd query your database
   // Example response:
@@ -10786,6 +10844,8 @@ function transformToGraphData(config) {
     for (const entity of fn.entities) {
       entityCounts[entity] = (entityCounts[entity] || 0) + 1;
     }
+    const userContextFields = getUserContextFields(fn.inputs);
+    const usesUserContext = userContextFields.length > 0;
     nodes.push({
       id: `function:${name}`,
       type: "function",
@@ -10794,7 +10854,8 @@ function transformToGraphData(config) {
       metadata: {
         inputs: safeZodToJsonSchema(fn.inputs),
         outputs: fn.outputs ? safeZodToJsonSchema(fn.outputs) : undefined,
-        resolver: fn.resolver
+        resolver: fn.resolver,
+        usesUserContext: usesUserContext || undefined
       }
     });
     for (const group of fn.access) {
@@ -11386,6 +11447,27 @@ function generateBrowserUI(graphData) {
       color: var(--change-modified);
     }
 
+    /* User Context Badge */
+    .user-context-badge {
+      display: inline-flex;
+      align-items: center;
+      gap: 4px;
+      padding: 2px 8px;
+      border-radius: 9999px;
+      font-size: 10px;
+      font-weight: 500;
+      background: rgba(21, 168, 168, 0.12);
+      color: var(--vanna-teal);
+      text-transform: uppercase;
+      letter-spacing: 0.03em;
+      margin-left: 8px;
+    }
+
+    .user-context-badge svg {
+      width: 12px;
+      height: 12px;
+    }
+
     /* Review Footer */
     .review-footer {
       position: fixed;
@@ -12854,9 +12936,14 @@ function generateBrowserUI(graphData) {
         ? \`<span class="detail-change-badge \${changeStatus}">\${changeStatus === 'added' ? 'New' : changeStatus === 'removed' ? 'Removed' : 'Modified'}</span>\`
         : '';
 
+      // Build user context badge if applicable
+      const userContextBadge = data.metadata?.usesUserContext
+        ? \`<span class="user-context-badge"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2"/><circle cx="12" cy="7" r="4"/></svg>User Context</span>\`
+        : '';
+
       let html = \`
         <div class="detail-header">
-          <div class="detail-type \${data.type}">\${formatType(data.type)}\${changeBadge}</div>
+          <div class="detail-type \${data.type}">\${formatType(data.type)}\${changeBadge}\${userContextBadge}</div>
           <div class="detail-name">\${data.label}</div>
           <div class="detail-description">\${data.description || 'No description'}</div>
         </div>

package/dist/index.js

@@ -4007,10 +4007,31 @@ function getFieldFromMetadata(schema) {
   }
   return null;
 }
-var FIELD_FROM_METADATA;
+function userContext(schema) {
+  const marked = schema;
+  marked[USER_CONTEXT_METADATA] = true;
+  return marked;
+}
+function hasUserContextMetadata(schema) {
+  return schema !== null && typeof schema === "object" && USER_CONTEXT_METADATA in schema && schema[USER_CONTEXT_METADATA] === true;
+}
+function getUserContextFields(schema) {
+  const fields = [];
+  if (schema instanceof exports_external.ZodObject) {
+    const shape = schema.shape;
+    for (const [key, value] of Object.entries(shape)) {
+      if (hasUserContextMetadata(value)) {
+        fields.push(key);
+      }
+    }
+  }
+  return fields;
+}
+var FIELD_FROM_METADATA, USER_CONTEXT_METADATA;
 var init_categorical = __esm(() => {
   init_zod();
   FIELD_FROM_METADATA = Symbol.for("ont:fieldFrom");
+  USER_CONTEXT_METADATA = Symbol.for("ont:userContext");
 });
 
 // node_modules/consola/dist/chunks/prompt.mjs
@@ -6229,13 +6250,16 @@ function extractOntology(config) {
       }
     }
     const fieldReferences = extractFieldReferences(fn.inputs);
+    const userContextFields = getUserContextFields(fn.inputs);
+    const usesUserContext = userContextFields.length > 0;
     functions[name] = {
       description: fn.description,
       access: [...fn.access].sort(),
       entities: [...fn.entities].sort(),
       inputsSchema,
       outputsSchema,
-      fieldReferences: fieldReferences.length > 0 ? fieldReferences : undefined
+      fieldReferences: fieldReferences.length > 0 ? fieldReferences : undefined,
+      usesUserContext: usesUserContext || undefined
     };
   }
   return {
@@ -6333,7 +6357,8 @@ function diffOntology(oldOntology, newOntology) {
       const outputsChanged = JSON.stringify(oldFn.outputsSchema) !== JSON.stringify(newFn.outputsSchema);
       const entitiesChanged = JSON.stringify(oldFn.entities) !== JSON.stringify(newFn.entities);
       const fieldReferencesChanged = JSON.stringify(oldFn.fieldReferences) !== JSON.stringify(newFn.fieldReferences);
-      if (accessChanged || descriptionChanged || inputsChanged || outputsChanged || entitiesChanged || fieldReferencesChanged) {
+      const userContextChanged = !!oldFn.usesUserContext !== !!newFn.usesUserContext;
+      if (accessChanged || descriptionChanged || inputsChanged || outputsChanged || entitiesChanged || fieldReferencesChanged || userContextChanged) {
         functions.push({
           name,
           type: "modified",
@@ -6346,7 +6371,9 @@ function diffOntology(oldOntology, newOntology) {
           entitiesChanged: entitiesChanged || undefined,
           oldEntities: entitiesChanged ? oldFn.entities : undefined,
           newEntities: entitiesChanged ? newFn.entities : undefined,
-          fieldReferencesChanged: fieldReferencesChanged || undefined
+          fieldReferencesChanged: fieldReferencesChanged || undefined,
+          userContextChanged: userContextChanged || undefined,
+          usesUserContext: userContextChanged ? newFn.usesUserContext : undefined
         });
       }
     }
@@ -6424,6 +6451,9 @@ function formatDiffForConsole(diff) {
         if (fn.fieldReferencesChanged) {
           lines.push(`    Field references: changed`);
         }
+        if (fn.userContextChanged) {
+          lines.push(`    User context: ${fn.usesUserContext ? "added" : "removed"}`);
+        }
       }
     }
   }
@@ -13531,6 +13561,41 @@ function validateFieldFromReferences(config) {
     }
   }
 }
+async function validateUserContextRequirements(config) {
+  const functionsWithUserContext = [];
+  for (const [fnName, fn] of Object.entries(config.functions)) {
+    const userContextFields = getUserContextFields(fn.inputs);
+    if (userContextFields.length > 0) {
+      functionsWithUserContext.push(fnName);
+    }
+  }
+  if (functionsWithUserContext.length === 0) {
+    return;
+  }
+  const mockRequest = new Request("http://localhost/test", {
+    headers: { Authorization: "test-token" }
+  });
+  try {
+    const authResult = await config.auth(mockRequest);
+    const hasUserField = authResult !== null && typeof authResult === "object" && !Array.isArray(authResult) && "user" in authResult;
+    if (!hasUserField) {
+      throw new Error(`The following functions use userContext() but auth() does not return a user object:
+` + `  ${functionsWithUserContext.join(", ")}
+
+` + `To fix this, update your auth function to return an AuthResult:
+` + `  auth: async (req) => {
+` + `    return {
+` + `      groups: ['user'],
+` + `      user: { id: '...', email: '...' }  // Add user data here
+` + `    };
+` + `  }`);
+    }
+  } catch (error) {
+    if (error instanceof Error && error.message.includes("userContext")) {
+      throw error;
+    }
+  }
+}
 
 // src/config/define.ts
 function defineOntology(config) {
@@ -16277,11 +16342,19 @@ function createLogger(debug = false) {
 }
 
 // src/server/api/middleware.ts
+function normalizeAuthResult(result) {
+  if (Array.isArray(result)) {
+    return { groups: result };
+  }
+  return result;
+}
 function createAuthMiddleware(config) {
   return createMiddleware(async (c3, next) => {
     try {
-      const accessGroups = await config.auth(c3.req.raw);
-      c3.set("accessGroups", accessGroups);
+      const rawResult = await config.auth(c3.req.raw);
+      const authResult = normalizeAuthResult(rawResult);
+      c3.set("authResult", authResult);
+      c3.set("accessGroups", authResult.groups);
       await next();
     } catch (error) {
       return c3.json({
@@ -16336,15 +16409,24 @@ function errorHandler2() {
 }
 
 // src/server/api/router.ts
+init_categorical();
 function createApiRoutes(config, configDir) {
   const router = new Hono2;
   for (const [name, fn] of Object.entries(config.functions)) {
     const path = `/${name}`;
+    const userContextFields = getUserContextFields(fn.inputs);
     router.post(path, createAccessControlMiddleware(fn.access), async (c3) => {
       const resolverContext = c3.get("resolverContext");
+      const authResult = c3.get("authResult");
       let args;
       try {
-        const body = await c3.req.json();
+        let body = await c3.req.json();
+        if (userContextFields.length > 0 && authResult.user) {
+          body = { ...body };
+          for (const field of userContextFields) {
+            body[field] = authResult.user;
+          }
+        }
         const parsed = fn.inputs.safeParse(body);
         if (!parsed.success) {
           return c3.json({
@@ -16354,7 +16436,13 @@ function createApiRoutes(config, configDir) {
         }
         args = parsed.data;
       } catch {
-        const parsed = fn.inputs.safeParse({});
+        let emptyBody = {};
+        if (userContextFields.length > 0 && authResult.user) {
+          for (const field of userContextFields) {
+            emptyBody[field] = authResult.user;
+          }
+        }
+        const parsed = fn.inputs.safeParse(emptyBody);
         if (!parsed.success) {
           return c3.json({
             error: "Validation failed",
@@ -22822,6 +22910,31 @@ data:
 init_zod();
 init_esm();
 init_categorical();
+function stripUserContextFromJsonSchema(jsonSchema, zodSchema) {
+  if (jsonSchema.type !== "object" || !jsonSchema.properties) {
+    return jsonSchema;
+  }
+  const userContextFields = getUserContextFields(zodSchema);
+  if (userContextFields.length === 0) {
+    return jsonSchema;
+  }
+  const properties = { ...jsonSchema.properties };
+  const required2 = jsonSchema.required ? [...jsonSchema.required] : undefined;
+  for (const field of userContextFields) {
+    delete properties[field];
+    if (required2) {
+      const idx = required2.indexOf(field);
+      if (idx !== -1) {
+        required2.splice(idx, 1);
+      }
+    }
+  }
+  return {
+    ...jsonSchema,
+    properties,
+    required: required2 && required2.length > 0 ? required2 : undefined
+  };
+}
 function extractFieldReferencesForMcp(schema, path = "") {
   const results = [];
   const metadata = getFieldFromMetadata(schema);
@@ -22861,6 +22974,7 @@ function generateMcpTools(config2) {
         $refStrategy: "none"
       });
       delete inputSchema.$schema;
+      inputSchema = stripUserContextFromJsonSchema(inputSchema, fn.inputs);
     } catch {
       inputSchema = { type: "object", properties: {} };
     }
@@ -22892,16 +23006,28 @@ function filterToolsByAccess(tools, accessGroups) {
   return tools.filter((tool) => tool.access.some((group) => accessGroups.includes(group)));
 }
 function createToolExecutor(config2, configDir, env2, envConfig, logger) {
-  return async (toolName, args, accessGroups) => {
+  const userContextFieldsCache = new Map;
+  for (const [name, fn] of Object.entries(config2.functions)) {
+    userContextFieldsCache.set(name, getUserContextFields(fn.inputs));
+  }
+  return async (toolName, args, authResult) => {
     const fn = config2.functions[toolName];
     if (!fn) {
       throw new Error(`Unknown tool: ${toolName}`);
     }
-    const hasAccess = fn.access.some((group) => accessGroups.includes(group));
+    const hasAccess = fn.access.some((group) => authResult.groups.includes(group));
     if (!hasAccess) {
       throw new Error(`Access denied to tool "${toolName}". Requires: ${fn.access.join(", ")}`);
     }
-    const parsed = fn.inputs.safeParse(args);
+    const userContextFields = userContextFieldsCache.get(toolName) || [];
+    let argsWithContext = args;
+    if (userContextFields.length > 0 && authResult.user) {
+      argsWithContext = { ...args };
+      for (const field of userContextFields) {
+        argsWithContext[field] = authResult.user;
+      }
+    }
+    const parsed = fn.inputs.safeParse(argsWithContext);
     if (!parsed.success) {
       throw new Error(`Invalid input for tool "${toolName}": ${parsed.error.message}`);
     }
@@ -22909,7 +23035,7 @@ function createToolExecutor(config2, configDir, env2, envConfig, logger) {
       env: env2,
       envConfig,
       logger,
-      accessGroups
+      accessGroups: authResult.groups
     };
     const resolver = await loadResolver(fn.resolver, configDir);
     return resolver(resolverContext, parsed.data);
@@ -22949,10 +23075,20 @@ async function serve2(app, port) {
 }
 
 // src/server/mcp/index.ts
-function getAccessGroups(authInfo) {
-  if (!authInfo?.extra?.accessGroups)
-    return [];
-  return authInfo.extra.accessGroups;
+function normalizeAuthResult2(result) {
+  if (Array.isArray(result)) {
+    return { groups: result };
+  }
+  return result;
+}
+function getAuthResult(authInfo) {
+  if (!authInfo?.extra?.authResult) {
+    if (authInfo?.extra?.accessGroups) {
+      return { groups: authInfo.extra.accessGroups };
+    }
+    return { groups: [] };
+  }
+  return authInfo.extra.authResult;
 }
 function createMcpServer(options) {
   const { config: config2, configDir, env: env2 } = options;
@@ -22972,8 +23108,8 @@ function createMcpServer(options) {
     }
   });
   server.setRequestHandler(ListToolsRequestSchema, async (_request, extra) => {
-    const accessGroups = getAccessGroups(extra.authInfo);
-    const accessibleTools = filterToolsByAccess(allTools, accessGroups);
+    const authResult = getAuthResult(extra.authInfo);
+    const accessibleTools = filterToolsByAccess(allTools, authResult.groups);
     return {
       tools: accessibleTools.map((tool) => ({
         name: tool.name,
@@ -22984,9 +23120,9 @@ function createMcpServer(options) {
   });
   server.setRequestHandler(CallToolRequestSchema, async (request, extra) => {
     const { name, arguments: args } = request.params;
-    const accessGroups = getAccessGroups(extra.authInfo);
+    const authResult = getAuthResult(extra.authInfo);
     try {
-      const result = await executeToolWithAccess(name, args || {}, accessGroups);
+      const result = await executeToolWithAccess(name, args || {}, authResult);
       return {
         content: [
           {
@@ -23027,13 +23163,15 @@ async function startMcpServer(options) {
   });
   app.all("/mcp", async (c3) => {
     try {
-      const accessGroups = await config2.auth(c3.req.raw);
+      const rawResult = await config2.auth(c3.req.raw);
+      const authResult = normalizeAuthResult2(rawResult);
       const authInfo = {
         token: c3.req.header("Authorization") || "",
         clientId: "ontology-client",
         scopes: [],
         extra: {
-          accessGroups
+          authResult,
+          accessGroups: authResult.groups
         }
       };
       return transport.handleRequest(c3.req.raw, { authInfo });
@@ -23071,6 +23209,12 @@ async function startOnt(options = {}) {
   const isDev = mode === "development";
   consola.info("Loading ontology config...");
   const { config: config2, configDir } = await loadConfig();
+  try {
+    await validateUserContextRequirements(config2);
+  } catch (error2) {
+    consola.error("User context validation failed:");
+    throw error2;
+  }
   consola.info("Checking lockfile...");
   const { ontology, hash } = computeOntologyHash(config2);
   if (!lockfileExists(configDir)) {
@@ -23146,6 +23290,7 @@ Run \`bun run review\` to approve the changes.`;
 init_zod();
 export {
   exports_external as z,
+  userContext,
   startOnt,
   fieldFrom,
   defineOntology

package/dist/src/browser/transform.d.ts

@@ -13,6 +13,7 @@ export interface GraphNode {
         outputs?: Record<string, unknown>;
         resolver?: string;
         functionCount?: number;
+        usesUserContext?: boolean;
     };
 }
 export interface GraphEdge {

package/dist/src/config/categorical.d.ts

@@ -3,6 +3,10 @@ import { z } from "zod";
  * Symbol for storing fieldFrom metadata on Zod schemas
  */
 export declare const FIELD_FROM_METADATA: unique symbol;
+/**
+ * Symbol for storing userContext metadata on Zod schemas
+ */
+export declare const USER_CONTEXT_METADATA: unique symbol;
 /**
  * Metadata stored on fieldFrom Zod schemas
  */
@@ -74,3 +78,58 @@ export declare function hasFieldFromMetadata(schema: unknown): schema is FieldFr
  * Extract fieldFrom metadata from a Zod schema
  */
 export declare function getFieldFromMetadata(schema: unknown): FieldFromMetadata | null;
+/**
+ * Type for a Zod schema with userContext metadata
+ */
+export type UserContextSchema<T extends z.ZodType> = T & {
+    [USER_CONTEXT_METADATA]: true;
+};
+/**
+ * Mark a schema as user context that will be injected at runtime.
+ *
+ * Fields marked with `userContext()` are:
+ * - **Injected**: Populated from `auth()` result's `user` field
+ * - **Hidden**: Not exposed in public API/MCP schemas
+ * - **Type-safe**: Resolver receives typed user object
+ *
+ * @param schema - Zod schema for the user context shape
+ *
+ * @example
+ * ```ts
+ * defineOntology({
+ *   auth: async (req) => {
+ *     const user = await verifyToken(req);
+ *     return {
+ *       groups: user.isAdmin ? ['admin'] : ['user'],
+ *       user: { id: user.id, email: user.email }
+ *     };
+ *   },
+ *
+ *   functions: {
+ *     editPost: {
+ *       description: 'Edit a post',
+ *       access: ['user', 'admin'],
+ *       entities: ['Post'],
+ *       inputs: z.object({
+ *         postId: z.string(),
+ *         title: z.string(),
+ *         currentUser: userContext(z.object({
+ *           id: z.string(),
+ *           email: z.string(),
+ *         })),
+ *       }),
+ *       resolver: './resolvers/editPost.ts',
+ *     },
+ *   },
+ * })
+ * ```
+ */
+export declare function userContext<T extends z.ZodType>(schema: T): UserContextSchema<T>;
+/**
+ * Check if a Zod schema has userContext metadata
+ */
+export declare function hasUserContextMetadata(schema: unknown): schema is UserContextSchema<z.ZodType>;
+/**
+ * Get all userContext field names from a Zod object schema
+ */
+export declare function getUserContextFields(schema: z.ZodType): string[];

package/dist/src/config/index.d.ts

@@ -1,4 +1,4 @@
 export { defineOntology } from "./define.js";
-export { fieldFrom } from "./categorical.js";
-export type { OntologyConfig, FunctionDefinition, AccessGroupConfig, EnvironmentConfig, EntityDefinition, AuthFunction, ResolverContext, ResolverFunction, FieldOption, } from "./types.js";
-export { OntologyConfigSchema, FunctionDefinitionSchema, AccessGroupConfigSchema, EnvironmentConfigSchema, EntityDefinitionSchema, validateAccessGroups, validateEntityReferences, validateFieldFromReferences, } from "./schema.js";
+export { fieldFrom, userContext } from "./categorical.js";
+export type { OntologyConfig, FunctionDefinition, AccessGroupConfig, EnvironmentConfig, EntityDefinition, AuthFunction, AuthResult, ResolverContext, ResolverFunction, FieldOption, } from "./types.js";
+export { OntologyConfigSchema, FunctionDefinitionSchema, AccessGroupConfigSchema, EnvironmentConfigSchema, EntityDefinitionSchema, validateAccessGroups, validateEntityReferences, validateFieldFromReferences, validateUserContextRequirements, } from "./schema.js";