ont-run 0.0.3 → 0.0.5

package/README.md

@@ -7,6 +7,8 @@ A web framework designed for the era of coding agents. You define the ontology
 ```typescript
 // ontology.config.ts
 import { defineOntology, z } from 'ont-run';
+import getTicket from './resolvers/getTicket.js';
+import assignTicket from './resolvers/assignTicket.js';
 
 export default defineOntology({
   name: 'support-desk',
@@ -23,14 +25,14 @@ export default defineOntology({
       access: ['support', 'admin'],
       entities: ['Ticket'],
       inputs: z.object({ ticketId: z.string().uuid() }),
-      resolver: './resolvers/getTicket.ts',
+      resolver: getTicket,
     },
     assignTicket: {
       description: 'Assign ticket to an agent',
       access: ['admin'],  // If AI tries to add 'public' here, review is triggered
       entities: ['Ticket'],
       inputs: z.object({ ticketId: z.string().uuid(), assignee: z.string() }),
-      resolver: './resolvers/assignTicket.ts',
+      resolver: assignTicket,
     },
   },
   // ...
@@ -141,6 +143,7 @@ The resolver context provides:
 
 ```typescript
 import { defineOntology, z } from 'ont-run';
+import getUser from './resolvers/getUser.js';
 
 export default defineOntology({
   name: 'my-api',
@@ -150,11 +153,16 @@ export default defineOntology({
     prod: { debug: false },
   },
 
+  // Auth returns access groups (and optional user identity)
   auth: async (req: Request) => {
     const token = req.headers.get('Authorization');
-    if (!token) return ['public'];
-    if (token === 'admin-secret') return ['admin', 'user', 'public'];
-    return ['user', 'public'];
+    if (!token) return { groups: ['public'] };
+
+    const user = await verifyToken(token);
+    return {
+      groups: user.isAdmin ? ['admin', 'user', 'public'] : ['user', 'public'],
+      user: { id: user.id, email: user.email },  // Optional: for row-level access
+    };
   },
 
   accessGroups: {
@@ -174,12 +182,75 @@ export default defineOntology({
       access: ['user', 'admin'],
       entities: ['User'],
       inputs: z.object({ userId: z.string().uuid() }),
-      resolver: './resolvers/getUser.ts',
+      resolver: getUser,
     },
   },
 });
 ```
 
+## Row-Level Access Control
+
+The framework handles **group-based access** (user → group → function) out of the box. For **row-level ownership** (e.g., "users can only edit their own posts"), use `userContext()`:
+
+```typescript
+import { defineOntology, userContext, z } from 'ont-run';
+import editPost from './resolvers/editPost.js';
+
+export default defineOntology({
+  // Auth must return user identity for userContext to work
+  auth: async (req) => {
+    const user = await verifyToken(req);
+    return {
+      groups: ['user'],
+      user: { id: user.id, email: user.email },
+    };
+  },
+
+  functions: {
+    editPost: {
+      description: 'Edit a post',
+      access: ['user', 'admin'],
+      entities: ['Post'],
+      inputs: z.object({
+        postId: z.string(),
+        title: z.string(),
+        // currentUser is injected at runtime, hidden from API callers
+        currentUser: userContext(z.object({
+          id: z.string(),
+          email: z.string(),
+        })),
+      }),
+      resolver: editPost,
+    },
+  },
+});
+```
+
+In the resolver, you receive the typed user object:
+
+```typescript
+// resolvers/editPost.ts
+export default async function editPost(
+  ctx: ResolverContext,
+  args: { postId: string; title: string; currentUser: { id: string; email: string } }
+) {
+  const post = await db.posts.findById(args.postId);
+
+  // Row-level check: only author or admin can edit
+  if (args.currentUser.id !== post.authorId && !ctx.accessGroups.includes('admin')) {
+    throw new Error('Not authorized to edit this post');
+  }
+
+  return db.posts.update(args.postId, { title: args.title });
+}
+```
+
+**Key points:**
+- `userContext()` fields are **injected** from `auth()` result's `user` field
+- They're **hidden** from public API/MCP schemas (callers don't see or provide them)
+- They're **type-safe** in resolvers
+- The review UI shows a badge for functions using user context
+
 ## The Lockfile
 
 `ont.lock` is the enforcement mechanism. It contains a hash of your ontology:

package/dist/bin/ont.js

@@ -6170,8 +6170,9 @@ function hasUserContextMetadata(schema) {
 }
 function getUserContextFields(schema) {
   const fields = [];
-  if (schema instanceof exports_external.ZodObject) {
-    const shape = schema.shape;
+  const def = schema._def;
+  if (def?.typeName === "ZodObject" && typeof def.shape === "function") {
+    const shape = def.shape();
     for (const [key, value] of Object.entries(shape)) {
       if (hasUserContextMetadata(value)) {
         fields.push(key);
@@ -6182,7 +6183,6 @@ function getUserContextFields(schema) {
 }
 var FIELD_FROM_METADATA, USER_CONTEXT_METADATA;
 var init_categorical = __esm(() => {
-  init_zod();
   FIELD_FROM_METADATA = Symbol.for("ont:fieldFrom");
   USER_CONTEXT_METADATA = Symbol.for("ont:userContext");
 });
@@ -10233,6 +10233,10 @@ var Hono2 = class extends Hono {
   }
 };
 
+// src/browser/server.ts
+import { readFileSync as readFileSync2 } from "fs";
+import { basename } from "path";
+
 // node_modules/open/index.js
 import process7 from "node:process";
 import { Buffer as Buffer2 } from "node:buffer";
@@ -10840,6 +10844,7 @@ function transformToGraphData(config) {
   const edges = [];
   const accessGroupCounts = {};
   const entityCounts = {};
+  let userContextFunctionCount = 0;
   for (const groupName of Object.keys(config.accessGroups)) {
     accessGroupCounts[groupName] = 0;
   }
@@ -10857,6 +10862,9 @@ function transformToGraphData(config) {
     }
     const userContextFields = getUserContextFields(fn.inputs);
     const usesUserContext = userContextFields.length > 0;
+    if (usesUserContext) {
+      userContextFunctionCount++;
+    }
     nodes.push({
       id: `function:${name}`,
       type: "function",
@@ -10865,7 +10873,6 @@ function transformToGraphData(config) {
       metadata: {
         inputs: safeZodToJsonSchema(fn.inputs),
         outputs: fn.outputs ? safeZodToJsonSchema(fn.outputs) : undefined,
-        resolver: fn.resolver,
         usesUserContext: usesUserContext || undefined
       }
     });
@@ -10927,7 +10934,8 @@ function transformToGraphData(config) {
       ontologyName: config.name,
       totalFunctions: Object.keys(config.functions).length,
       totalEntities: config.entities ? Object.keys(config.entities).length : 0,
-      totalAccessGroups: Object.keys(config.accessGroups).length
+      totalAccessGroups: Object.keys(config.accessGroups).length,
+      totalUserContextFunctions: userContextFunctionCount
     }
   };
 }
@@ -11098,7 +11106,7 @@ function enhanceWithDiff(graphData, diff) {
 
 // src/browser/server.ts
 async function startBrowserServer(options) {
-  const { config, diff = null, configDir, port: preferredPort, openBrowser = true } = options;
+  const { config, diff = null, configDir, configPath, port: preferredPort, openBrowser = true } = options;
   const baseGraphData = transformToGraphData(config);
   const graphData = enhanceWithDiff(baseGraphData, diff);
   return new Promise(async (resolve2) => {
@@ -11145,6 +11153,21 @@ async function startBrowserServer(options) {
       }, 500);
       return c3.json({ success: true });
     });
+    app.get("/api/source", (c3) => {
+      if (!configPath) {
+        return c3.json({ error: "Config path not available" }, 400);
+      }
+      try {
+        const source = readFileSync2(configPath, "utf-8");
+        const filename = basename(configPath);
+        return c3.json({ source, filename, path: configPath });
+      } catch (error) {
+        return c3.json({
+          error: "Failed to read config file",
+          message: error instanceof Error ? error.message : "Unknown error"
+        }, 500);
+      }
+    });
     app.get("/", (c3) => c3.html(generateBrowserUI(graphData)));
     const port = preferredPort || await findAvailablePort(3457);
     const server = await serve2(app, port);
@@ -11173,6 +11196,9 @@ Ontology ${hasChanges ? "Review" : "Browser"} available at: ${url}`);
   });
 }
 function generateBrowserUI(graphData) {
+  const userContextFilterBtn = graphData.meta.totalUserContextFunctions > 0 ? `<button class="filter-btn" data-filter="userContext" title="Functions using userContext()">
+          <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" style="width:14px;height:14px;vertical-align:middle;margin-right:4px;"><path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2"/><circle cx="12" cy="7" r="4"/></svg>User Context (${graphData.meta.totalUserContextFunctions})
+        </button>` : "";
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -11750,6 +11776,89 @@ function generateBrowserUI(graphData) {
       color: var(--change-added);
     }
 
+    /* Source View */
+    .source-view {
+      display: none;
+      grid-column: 2 / 4;
+      padding: 24px;
+      overflow-y: auto;
+      background: linear-gradient(to bottom, rgba(255, 255, 255, 0.5), rgba(231, 225, 207, 0.3));
+    }
+
+    .source-view.active {
+      display: flex;
+      flex-direction: column;
+    }
+
+    .source-header {
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      padding: 12px 20px;
+      background: rgba(2, 61, 96, 0.95);
+      border-radius: 12px 12px 0 0;
+      color: white;
+    }
+
+    .source-filename {
+      font-family: 'Space Mono', monospace;
+      font-size: 13px;
+      font-weight: 500;
+    }
+
+    .copy-btn {
+      display: flex;
+      align-items: center;
+      gap: 6px;
+      padding: 6px 12px;
+      background: rgba(255, 255, 255, 0.1);
+      border: 1px solid rgba(255, 255, 255, 0.2);
+      border-radius: 6px;
+      color: white;
+      font-family: 'Space Grotesk', sans-serif;
+      font-size: 12px;
+      cursor: pointer;
+      transition: all 0.2s ease;
+    }
+
+    .copy-btn:hover {
+      background: rgba(255, 255, 255, 0.2);
+    }
+
+    .copy-btn.copied {
+      background: rgba(21, 168, 168, 0.3);
+      border-color: var(--vanna-teal);
+    }
+
+    .source-code {
+      flex: 1;
+      margin: 0;
+      padding: 20px;
+      background: #1e1e1e;
+      border-radius: 0 0 12px 12px;
+      overflow: auto;
+      font-family: 'Space Mono', monospace;
+      font-size: 13px;
+      line-height: 1.6;
+      color: #d4d4d4;
+      tab-size: 2;
+    }
+
+    .source-code code {
+      display: block;
+      white-space: pre;
+    }
+
+    /* Syntax highlighting classes */
+    .source-code .keyword { color: #569cd6; }
+    .source-code .string { color: #ce9178; }
+    .source-code .number { color: #b5cea8; }
+    .source-code .comment { color: #6a9955; }
+    .source-code .function { color: #dcdcaa; }
+    .source-code .type { color: #4ec9b0; }
+    .source-code .property { color: #9cdcfe; }
+    .source-code .punctuation { color: #d4d4d4; }
+
     /* No Changes State */
     .no-changes {
       text-align: center;
@@ -12478,6 +12587,7 @@ function generateBrowserUI(graphData) {
       <div class="view-tabs">
         <button class="view-tab active" data-view="graph">Graph</button>
         <button class="view-tab" data-view="table">Table</button>
+        <button class="view-tab" data-view="source">Source</button>
       </div>
 
       <div class="filter-buttons" id="graphFilters">
@@ -12491,6 +12601,7 @@ function generateBrowserUI(graphData) {
         <button class="filter-btn" data-filter="accessGroup">
           <span class="dot access"></span> Access
         </button>
+        ${userContextFilterBtn}
       </div>
 
       <div class="layout-selector">
@@ -12597,6 +12708,20 @@ function generateBrowserUI(graphData) {
     <div class="table-view" id="tableView">
       <div id="tableContent"></div>
     </div>
+
+    <!-- Source View -->
+    <div class="source-view" id="sourceView">
+      <div class="source-header">
+        <span class="source-filename" id="sourceFilename">ontology.config.ts</span>
+        <button class="copy-btn" id="copySourceBtn" title="Copy to clipboard">
+          <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+            <rect x="9" y="9" width="13" height="13" rx="2" ry="2"/><path d="M5 15H4a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h9a2 2 0 0 1 2 2v1"/>
+          </svg>
+          Copy
+        </button>
+      </div>
+      <pre class="source-code" id="sourceCode"><code>Loading...</code></pre>
+    </div>
   </div>
 
   <!-- Review Footer -->
@@ -12635,6 +12760,7 @@ function generateBrowserUI(graphData) {
             metadata: node.metadata,
             changeStatus: node.changeStatus || 'unchanged',
             changeDetails: node.changeDetails || null,
+            usesUserContext: node.metadata?.usesUserContext || false,
           },
         });
       }
@@ -12687,6 +12813,19 @@ function generateBrowserUI(graphData) {
               'height': 55,
             },
           },
+          // Function nodes with userContext - show indicator below label
+          {
+            selector: 'node[type="function"][?usesUserContext]',
+            style: {
+              'background-image': 'data:image/svg+xml,' + encodeURIComponent('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32"><circle cx="16" cy="16" r="14" fill="#e8f4f8" stroke="#023d60" stroke-width="1.5"/><g transform="translate(4, 4)" fill="none" stroke="#023d60" stroke-width="2"><path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2"/><circle cx="12" cy="7" r="4"/></g></svg>'),
+              'background-width': '18px',
+              'background-height': '18px',
+              'background-position-x': '50%',
+              'background-position-y': '75%',
+              'text-valign': 'center',
+              'text-margin-y': -8,
+            },
+          },
           // Entity nodes - Teal
           {
             selector: 'node[type="entity"]',
@@ -13228,6 +13367,16 @@ function generateBrowserUI(graphData) {
       if (filter === 'all') {
         cy.nodes().removeClass('hidden');
         cy.edges().removeClass('hidden');
+      } else if (filter === 'userContext') {
+        // Special filter: show only functions with userContext
+        cy.nodes().forEach(node => {
+          if (node.data('type') === 'function' && node.data('usesUserContext')) {
+            node.removeClass('hidden');
+          } else {
+            node.addClass('hidden');
+          }
+        });
+        cy.edges().addClass('hidden');
       } else {
         cy.nodes().forEach(node => {
           if (node.data('type') === filter) {
@@ -13449,6 +13598,7 @@ function generateBrowserUI(graphData) {
       const graphContainer = document.querySelector('.graph-container');
       const detailPanel = document.getElementById('detailPanel');
       const tableView = document.getElementById('tableView');
+      const sourceView = document.getElementById('sourceView');
       const graphFilters = document.getElementById('graphFilters');
       const layoutSelector = document.querySelector('.layout-selector');
 
@@ -13456,15 +13606,25 @@ function generateBrowserUI(graphData) {
         graphContainer.style.display = 'block';
         detailPanel.style.display = 'block';
         tableView.classList.remove('active');
+        sourceView.classList.remove('active');
         if (graphFilters) graphFilters.style.display = 'flex';
         if (layoutSelector) layoutSelector.style.display = 'flex';
-      } else {
+      } else if (view === 'table') {
         graphContainer.style.display = 'none';
         detailPanel.style.display = 'none';
         tableView.classList.add('active');
+        sourceView.classList.remove('active');
         if (graphFilters) graphFilters.style.display = 'none';
         if (layoutSelector) layoutSelector.style.display = 'none';
         renderTableView();
+      } else if (view === 'source') {
+        graphContainer.style.display = 'none';
+        detailPanel.style.display = 'none';
+        tableView.classList.remove('active');
+        sourceView.classList.add('active');
+        if (graphFilters) graphFilters.style.display = 'none';
+        if (layoutSelector) layoutSelector.style.display = 'none';
+        loadSourceView();
       }
     }
 
@@ -13506,6 +13666,74 @@ function generateBrowserUI(graphData) {
       });
     }
 
+    // Source view
+    let sourceLoaded = false;
+    let sourceContent = '';
+
+    async function loadSourceView() {
+      if (sourceLoaded) return;
+
+      const codeEl = document.getElementById('sourceCode').querySelector('code');
+      const filenameEl = document.getElementById('sourceFilename');
+
+      try {
+        const res = await fetch('/api/source');
+        if (!res.ok) throw new Error('Failed to load source');
+        const data = await res.json();
+
+        sourceContent = data.source;
+        filenameEl.textContent = data.filename;
+        codeEl.innerHTML = highlightTypeScript(data.source);
+        sourceLoaded = true;
+      } catch (err) {
+        codeEl.textContent = 'Error loading source: ' + err.message;
+      }
+    }
+
+    function highlightTypeScript(code) {
+      // Escape HTML first
+      code = code.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+
+      // Comments (single and multi-line)
+      code = code.replace(/(\\/\\/.*$)/gm, '<span class="comment">$1</span>');
+      code = code.replace(/(\\/\\*[\\s\\S]*?\\*\\/)/g, '<span class="comment">$1</span>');
+
+      // Strings (double, single, and template)
+      code = code.replace(/("(?:[^"\\\\]|\\\\.)*")/g, '<span class="string">$1</span>');
+      code = code.replace(/('(?:[^'\\\\]|\\\\.)*')/g, '<span class="string">$1</span>');
+      code = code.replace(/(\`(?:[^\`\\\\]|\\\\.)*\`)/g, '<span class="string">$1</span>');
+
+      // Keywords
+      const keywords = ['import', 'export', 'from', 'const', 'let', 'var', 'function', 'return', 'if', 'else', 'for', 'while', 'class', 'extends', 'new', 'this', 'true', 'false', 'null', 'undefined', 'typeof', 'instanceof', 'async', 'await', 'default', 'as', 'type', 'interface'];
+      keywords.forEach(kw => {
+        code = code.replace(new RegExp('\\\\b(' + kw + ')\\\\b', 'g'), '<span class="keyword">$1</span>');
+      });
+
+      // Numbers
+      code = code.replace(/\\b(\\d+\\.?\\d*)\\b/g, '<span class="number">$1</span>');
+
+      // Function calls
+      code = code.replace(/\\b([a-zA-Z_][a-zA-Z0-9_]*)\\s*\\(/g, '<span class="function">$1</span>(');
+
+      return code;
+    }
+
+    // Copy source button
+    document.getElementById('copySourceBtn').addEventListener('click', async () => {
+      const btn = document.getElementById('copySourceBtn');
+      try {
+        await navigator.clipboard.writeText(sourceContent);
+        btn.classList.add('copied');
+        btn.innerHTML = '<svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><polyline points="20 6 9 17 4 12"/></svg> Copied!';
+        setTimeout(() => {
+          btn.classList.remove('copied');
+          btn.innerHTML = '<svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><rect x="9" y="9" width="13" height="13" rx="2" ry="2"/><path d="M5 15H4a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h9a2 2 0 0 1 2 2v1"/></svg> Copy';
+        }, 2000);
+      } catch (err) {
+        console.error('Failed to copy:', err);
+      }
+    });
+
     function renderTableSection(title, items, type) {
       const changedCount = items.filter(n => n.changeStatus !== 'unchanged').length;
 
@@ -13679,7 +13907,7 @@ var reviewCommand = defineCommand({
         process.exit(0);
       }
       consola.info("Loading ontology config...");
-      const { config, configDir } = await loadConfig();
+      const { config, configDir, configPath } = await loadConfig();
       const { ontology: newOntology, hash: newHash } = computeOntologyHash(config);
       const lockfile = await readLockfile(configDir);
       const oldOntology = lockfile?.ontology || null;
@@ -13727,7 +13955,8 @@ var reviewCommand = defineCommand({
       const result = await startBrowserServer({
         config,
         diff: diff.hasChanges ? diff : null,
-        configDir
+        configDir,
+        configPath
       });
       if (diff.hasChanges) {
         if (result.approved) {
@@ -13744,13 +13973,77 @@ var reviewCommand = defineCommand({
     }
   }
 });
+// package.json
+var package_default = {
+  name: "ont-run",
+  version: "0.0.5",
+  description: "Ontology-enforced API framework for AI coding agents",
+  type: "module",
+  bin: {
+    "ont-run": "./dist/bin/ont.js"
+  },
+  exports: {
+    ".": {
+      types: "./dist/src/index.d.ts",
+      bun: "./src/index.ts",
+      default: "./dist/index.js"
+    }
+  },
+  files: [
+    "dist",
+    "src",
+    "bin"
+  ],
+  scripts: {
+    dev: "bun run bin/ont.ts",
+    build: "bun build ./src/index.ts --outdir ./dist --target node",
+    "build:cli": "bun build ./bin/ont.ts --outfile ./dist/bin/ont.js --target node --external @modelcontextprotocol/sdk",
+    "build:types": "tsc --declaration --emitDeclarationOnly",
+    prepublishOnly: "bun run build && bun run build:cli && bun run build:types",
+    docs: "cd docs && bun run dev",
+    "docs:build": "cd docs && bun run build",
+    "docs:preview": "cd docs && bun run preview"
+  },
+  dependencies: {
+    "@hono/node-server": "^1.19.8",
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    citty: "^0.1.6",
+    consola: "^3.2.0",
+    hono: "^4.6.0",
+    open: "^10.0.0",
+    zod: "^3.24.0",
+    "zod-to-json-schema": "^3.23.0"
+  },
+  devDependencies: {
+    "@types/bun": "latest",
+    typescript: "^5.5.0"
+  },
+  peerDependencies: {
+    bun: ">=1.0.0"
+  },
+  peerDependenciesMeta: {
+    bun: {
+      optional: true
+    }
+  },
+  keywords: [
+    "api",
+    "framework",
+    "access-control",
+    "ai-agents",
+    "hono",
+    "zod",
+    "typescript"
+  ],
+  license: "MIT"
+};
 
 // src/cli/index.ts
 var main = defineCommand({
   meta: {
     name: "ont",
     description: "Ontology - Ontology-first backends with human-approved AI access & edits",
-    version: "0.1.0"
+    version: package_default.version
   },
   subCommands: {
     init: initCommand,