ont-run 0.0.3 → 0.0.4

package/README.md

@@ -150,11 +150,16 @@ export default defineOntology({
     prod: { debug: false },
   },
 
+  // Auth returns access groups (and optional user identity)
   auth: async (req: Request) => {
     const token = req.headers.get('Authorization');
-    if (!token) return ['public'];
-    if (token === 'admin-secret') return ['admin', 'user', 'public'];
-    return ['user', 'public'];
+    if (!token) return { groups: ['public'] };
+
+    const user = await verifyToken(token);
+    return {
+      groups: user.isAdmin ? ['admin', 'user', 'public'] : ['user', 'public'],
+      user: { id: user.id, email: user.email },  // Optional: for row-level access
+    };
   },
 
   accessGroups: {
@@ -180,6 +185,68 @@ export default defineOntology({
 });
 ```
 
+## Row-Level Access Control
+
+The framework handles **group-based access** (user → group → function) out of the box. For **row-level ownership** (e.g., "users can only edit their own posts"), use `userContext()`:
+
+```typescript
+import { defineOntology, userContext, z } from 'ont-run';
+
+export default defineOntology({
+  // Auth must return user identity for userContext to work
+  auth: async (req) => {
+    const user = await verifyToken(req);
+    return {
+      groups: ['user'],
+      user: { id: user.id, email: user.email },
+    };
+  },
+
+  functions: {
+    editPost: {
+      description: 'Edit a post',
+      access: ['user', 'admin'],
+      entities: ['Post'],
+      inputs: z.object({
+        postId: z.string(),
+        title: z.string(),
+        // currentUser is injected at runtime, hidden from API callers
+        currentUser: userContext(z.object({
+          id: z.string(),
+          email: z.string(),
+        })),
+      }),
+      resolver: './resolvers/editPost.ts',
+    },
+  },
+});
+```
+
+In the resolver, you receive the typed user object:
+
+```typescript
+// resolvers/editPost.ts
+export default async function editPost(
+  ctx: ResolverContext,
+  args: { postId: string; title: string; currentUser: { id: string; email: string } }
+) {
+  const post = await db.posts.findById(args.postId);
+
+  // Row-level check: only author or admin can edit
+  if (args.currentUser.id !== post.authorId && !ctx.accessGroups.includes('admin')) {
+    throw new Error('Not authorized to edit this post');
+  }
+
+  return db.posts.update(args.postId, { title: args.title });
+}
+```
+
+**Key points:**
+- `userContext()` fields are **injected** from `auth()` result's `user` field
+- They're **hidden** from public API/MCP schemas (callers don't see or provide them)
+- They're **type-safe** in resolvers
+- The review UI shows a badge for functions using user context
+
 ## The Lockfile
 
 `ont.lock` is the enforcement mechanism. It contains a hash of your ontology:

package/dist/bin/ont.js

@@ -6170,8 +6170,9 @@ function hasUserContextMetadata(schema) {
 }
 function getUserContextFields(schema) {
   const fields = [];
-  if (schema instanceof exports_external.ZodObject) {
-    const shape = schema.shape;
+  const def = schema._def;
+  if (def?.typeName === "ZodObject" && typeof def.shape === "function") {
+    const shape = def.shape();
     for (const [key, value] of Object.entries(shape)) {
       if (hasUserContextMetadata(value)) {
         fields.push(key);
@@ -6182,7 +6183,6 @@ function getUserContextFields(schema) {
 }
 var FIELD_FROM_METADATA, USER_CONTEXT_METADATA;
 var init_categorical = __esm(() => {
-  init_zod();
   FIELD_FROM_METADATA = Symbol.for("ont:fieldFrom");
   USER_CONTEXT_METADATA = Symbol.for("ont:userContext");
 });
@@ -10840,6 +10840,7 @@ function transformToGraphData(config) {
   const edges = [];
   const accessGroupCounts = {};
   const entityCounts = {};
+  let userContextFunctionCount = 0;
   for (const groupName of Object.keys(config.accessGroups)) {
     accessGroupCounts[groupName] = 0;
   }
@@ -10857,6 +10858,9 @@ function transformToGraphData(config) {
     }
     const userContextFields = getUserContextFields(fn.inputs);
     const usesUserContext = userContextFields.length > 0;
+    if (usesUserContext) {
+      userContextFunctionCount++;
+    }
     nodes.push({
       id: `function:${name}`,
       type: "function",
@@ -10927,7 +10931,8 @@ function transformToGraphData(config) {
       ontologyName: config.name,
       totalFunctions: Object.keys(config.functions).length,
       totalEntities: config.entities ? Object.keys(config.entities).length : 0,
-      totalAccessGroups: Object.keys(config.accessGroups).length
+      totalAccessGroups: Object.keys(config.accessGroups).length,
+      totalUserContextFunctions: userContextFunctionCount
     }
   };
 }
@@ -11173,6 +11178,9 @@ Ontology ${hasChanges ? "Review" : "Browser"} available at: ${url}`);
   });
 }
 function generateBrowserUI(graphData) {
+  const userContextFilterBtn = graphData.meta.totalUserContextFunctions > 0 ? `<button class="filter-btn" data-filter="userContext" title="Functions using userContext()">
+          <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" style="width:14px;height:14px;vertical-align:middle;margin-right:4px;"><path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2"/><circle cx="12" cy="7" r="4"/></svg>User Context (${graphData.meta.totalUserContextFunctions})
+        </button>` : "";
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -12491,6 +12499,7 @@ function generateBrowserUI(graphData) {
         <button class="filter-btn" data-filter="accessGroup">
           <span class="dot access"></span> Access
         </button>
+        ${userContextFilterBtn}
       </div>
 
       <div class="layout-selector">
@@ -12635,6 +12644,7 @@ function generateBrowserUI(graphData) {
             metadata: node.metadata,
             changeStatus: node.changeStatus || 'unchanged',
             changeDetails: node.changeDetails || null,
+            usesUserContext: node.metadata?.usesUserContext || false,
           },
         });
       }
@@ -12687,6 +12697,19 @@ function generateBrowserUI(graphData) {
               'height': 55,
             },
           },
+          // Function nodes with userContext - show indicator below label
+          {
+            selector: 'node[type="function"][?usesUserContext]',
+            style: {
+              'background-image': 'data:image/svg+xml,' + encodeURIComponent('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32"><circle cx="16" cy="16" r="14" fill="#e8f4f8" stroke="#023d60" stroke-width="1.5"/><g transform="translate(4, 4)" fill="none" stroke="#023d60" stroke-width="2"><path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2"/><circle cx="12" cy="7" r="4"/></g></svg>'),
+              'background-width': '18px',
+              'background-height': '18px',
+              'background-position-x': '50%',
+              'background-position-y': '75%',
+              'text-valign': 'center',
+              'text-margin-y': -8,
+            },
+          },
           // Entity nodes - Teal
           {
             selector: 'node[type="entity"]',
@@ -13228,6 +13251,16 @@ function generateBrowserUI(graphData) {
       if (filter === 'all') {
         cy.nodes().removeClass('hidden');
         cy.edges().removeClass('hidden');
+      } else if (filter === 'userContext') {
+        // Special filter: show only functions with userContext
+        cy.nodes().forEach(node => {
+          if (node.data('type') === 'function' && node.data('usesUserContext')) {
+            node.removeClass('hidden');
+          } else {
+            node.addClass('hidden');
+          }
+        });
+        cy.edges().addClass('hidden');
       } else {
         cy.nodes().forEach(node => {
           if (node.data('type') === filter) {
@@ -13744,13 +13777,77 @@ var reviewCommand = defineCommand({
     }
   }
 });
+// package.json
+var package_default = {
+  name: "ont-run",
+  version: "0.0.4",
+  description: "Ontology-enforced API framework for AI coding agents",
+  type: "module",
+  bin: {
+    "ont-run": "./dist/bin/ont.js"
+  },
+  exports: {
+    ".": {
+      types: "./dist/src/index.d.ts",
+      bun: "./src/index.ts",
+      default: "./dist/index.js"
+    }
+  },
+  files: [
+    "dist",
+    "src",
+    "bin"
+  ],
+  scripts: {
+    dev: "bun run bin/ont.ts",
+    build: "bun build ./src/index.ts --outdir ./dist --target node",
+    "build:cli": "bun build ./bin/ont.ts --outfile ./dist/bin/ont.js --target node --external @modelcontextprotocol/sdk",
+    "build:types": "tsc --declaration --emitDeclarationOnly",
+    prepublishOnly: "bun run build && bun run build:cli && bun run build:types",
+    docs: "cd docs && bun run dev",
+    "docs:build": "cd docs && bun run build",
+    "docs:preview": "cd docs && bun run preview"
+  },
+  dependencies: {
+    "@hono/node-server": "^1.19.8",
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    citty: "^0.1.6",
+    consola: "^3.2.0",
+    hono: "^4.6.0",
+    open: "^10.0.0",
+    zod: "^3.24.0",
+    "zod-to-json-schema": "^3.23.0"
+  },
+  devDependencies: {
+    "@types/bun": "latest",
+    typescript: "^5.5.0"
+  },
+  peerDependencies: {
+    bun: ">=1.0.0"
+  },
+  peerDependenciesMeta: {
+    bun: {
+      optional: true
+    }
+  },
+  keywords: [
+    "api",
+    "framework",
+    "access-control",
+    "ai-agents",
+    "hono",
+    "zod",
+    "typescript"
+  ],
+  license: "MIT"
+};
 
 // src/cli/index.ts
 var main = defineCommand({
   meta: {
     name: "ont",
     description: "Ontology - Ontology-first backends with human-approved AI access & edits",
-    version: "0.1.0"
+    version: package_default.version
   },
   subCommands: {
     init: initCommand,

package/dist/index.js

@@ -4017,8 +4017,9 @@ function hasUserContextMetadata(schema) {
 }
 function getUserContextFields(schema) {
   const fields = [];
-  if (schema instanceof exports_external.ZodObject) {
-    const shape = schema.shape;
+  const def = schema._def;
+  if (def?.typeName === "ZodObject" && typeof def.shape === "function") {
+    const shape = def.shape();
     for (const [key, value] of Object.entries(shape)) {
       if (hasUserContextMetadata(value)) {
         fields.push(key);

package/dist/src/browser/transform.d.ts

@@ -31,6 +31,7 @@ export interface GraphData {
         totalFunctions: number;
         totalEntities: number;
         totalAccessGroups: number;
+        totalUserContextFunctions: number;
     };
 }
 export interface EnhancedGraphNode extends GraphNode {

package/dist/src/config/categorical.d.ts

@@ -131,5 +131,8 @@ export declare function userContext<T extends z.ZodType>(schema: T): UserContext
 export declare function hasUserContextMetadata(schema: unknown): schema is UserContextSchema<z.ZodType>;
 /**
  * Get all userContext field names from a Zod object schema
+ *
+ * Note: Uses _def.typeName check instead of instanceof to work across
+ * module boundaries in bundled CLI.
  */
 export declare function getUserContextFields(schema: z.ZodType): string[];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ont-run",
-  "version": "0.0.3",
+  "version": "0.0.4",
   "description": "Ontology-enforced API framework for AI coding agents",
   "type": "module",
   "bin": {

package/src/browser/server.ts

@@ -122,6 +122,12 @@ export async function startBrowserServer(options: BrowserServerOptions): Promise
 }
 
 function generateBrowserUI(graphData: EnhancedGraphData): string {
+  const userContextFilterBtn = graphData.meta.totalUserContextFunctions > 0
+    ? `<button class="filter-btn" data-filter="userContext" title="Functions using userContext()">
+          <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" style="width:14px;height:14px;vertical-align:middle;margin-right:4px;"><path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2"/><circle cx="12" cy="7" r="4"/></svg>User Context (${graphData.meta.totalUserContextFunctions})
+        </button>`
+    : '';
+
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -1440,6 +1446,7 @@ function generateBrowserUI(graphData: EnhancedGraphData): string {
         <button class="filter-btn" data-filter="accessGroup">
           <span class="dot access"></span> Access
         </button>
+        ${userContextFilterBtn}
       </div>
 
       <div class="layout-selector">
@@ -1584,6 +1591,7 @@ function generateBrowserUI(graphData: EnhancedGraphData): string {
             metadata: node.metadata,
             changeStatus: node.changeStatus || 'unchanged',
             changeDetails: node.changeDetails || null,
+            usesUserContext: node.metadata?.usesUserContext || false,
           },
         });
       }
@@ -1636,6 +1644,19 @@ function generateBrowserUI(graphData: EnhancedGraphData): string {
               'height': 55,
             },
           },
+          // Function nodes with userContext - show indicator below label
+          {
+            selector: 'node[type="function"][?usesUserContext]',
+            style: {
+              'background-image': 'data:image/svg+xml,' + encodeURIComponent('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32"><circle cx="16" cy="16" r="14" fill="#e8f4f8" stroke="#023d60" stroke-width="1.5"/><g transform="translate(4, 4)" fill="none" stroke="#023d60" stroke-width="2"><path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2"/><circle cx="12" cy="7" r="4"/></g></svg>'),
+              'background-width': '18px',
+              'background-height': '18px',
+              'background-position-x': '50%',
+              'background-position-y': '75%',
+              'text-valign': 'center',
+              'text-margin-y': -8,
+            },
+          },
           // Entity nodes - Teal
           {
             selector: 'node[type="entity"]',
@@ -2177,6 +2198,16 @@ function generateBrowserUI(graphData: EnhancedGraphData): string {
       if (filter === 'all') {
         cy.nodes().removeClass('hidden');
         cy.edges().removeClass('hidden');
+      } else if (filter === 'userContext') {
+        // Special filter: show only functions with userContext
+        cy.nodes().forEach(node => {
+          if (node.data('type') === 'function' && node.data('usesUserContext')) {
+            node.removeClass('hidden');
+          } else {
+            node.addClass('hidden');
+          }
+        });
+        cy.edges().addClass('hidden');
       } else {
         cy.nodes().forEach(node => {
           if (node.data('type') === filter) {

package/src/browser/transform.ts

@@ -38,6 +38,7 @@ export interface GraphData {
     totalFunctions: number;
     totalEntities: number;
     totalAccessGroups: number;
+    totalUserContextFunctions: number;
   };
 }
 
@@ -132,6 +133,7 @@ export function transformToGraphData(config: OntologyConfig): GraphData {
   // Track function counts for access groups and entities
   const accessGroupCounts: Record<string, number> = {};
   const entityCounts: Record<string, number> = {};
+  let userContextFunctionCount = 0;
 
   // Initialize counts
   for (const groupName of Object.keys(config.accessGroups)) {
@@ -158,6 +160,9 @@ export function transformToGraphData(config: OntologyConfig): GraphData {
     // Check if function uses userContext
     const userContextFields = getUserContextFields(fn.inputs);
     const usesUserContext = userContextFields.length > 0;
+    if (usesUserContext) {
+      userContextFunctionCount++;
+    }
 
     // Create function node
     nodes.push({
@@ -242,6 +247,7 @@ export function transformToGraphData(config: OntologyConfig): GraphData {
       totalFunctions: Object.keys(config.functions).length,
       totalEntities: config.entities ? Object.keys(config.entities).length : 0,
       totalAccessGroups: Object.keys(config.accessGroups).length,
+      totalUserContextFunctions: userContextFunctionCount,
     },
   };
 }

package/src/cli/index.ts

@@ -1,12 +1,13 @@
 import { defineCommand, runMain } from "citty";
 import { initCommand } from "./commands/init.js";
 import { reviewCommand } from "./commands/review.js";
+import pkg from "../../package.json";
 
 const main = defineCommand({
   meta: {
     name: "ont",
     description: "Ontology - Ontology-first backends with human-approved AI access & edits",
-    version: "0.1.0",
+    version: pkg.version,
   },
   subCommands: {
     init: initCommand,

package/src/config/categorical.ts

@@ -174,12 +174,17 @@ export function hasUserContextMetadata(
 
 /**
  * Get all userContext field names from a Zod object schema
+ *
+ * Note: Uses _def.typeName check instead of instanceof to work across
+ * module boundaries in bundled CLI.
  */
 export function getUserContextFields(schema: z.ZodType): string[] {
   const fields: string[] = [];
 
-  if (schema instanceof z.ZodObject) {
-    const shape = schema.shape;
+  // Use _def.typeName check for bundler compatibility (instanceof fails across module boundaries)
+  const def = (schema as unknown as { _def?: { typeName?: string; shape?: () => Record<string, unknown> } })._def;
+  if (def?.typeName === "ZodObject" && typeof def.shape === "function") {
+    const shape = def.shape();
     for (const [key, value] of Object.entries(shape)) {
       if (hasUserContextMetadata(value)) {
         fields.push(key);