spaps-mcp 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +7 -0
- package/README.md +76 -0
- package/dist/chunk-GPBTYWDD.js +496 -0
- package/dist/cli.d.ts +1 -0
- package/dist/cli.js +9 -0
- package/dist/index.d.ts +103 -0
- package/dist/index.js +26 -0
- package/dist/resources/SPAPS_SURFACE_CONTRACT.md +125 -0
- package/dist/resources/glossary.md +36 -0
- package/dist/resources/llms.txt +15 -0
- package/dist/wizard/step-01-setup.md +149 -0
- package/dist/wizard/step-02-environment.md +291 -0
- package/dist/wizard/step-03-sdk-init.md +351 -0
- package/dist/wizard/step-04-email-auth.md +311 -0
- package/dist/wizard/step-05-wallet-auth.md +368 -0
- package/dist/wizard/step-06-magic-link.md +560 -0
- package/dist/wizard/step-07-payments.md +529 -0
- package/dist/wizard/step-08-whitelist.md +338 -0
- package/dist/wizard/step-09-admin.md +579 -0
- package/dist/wizard/step-10-errors.md +525 -0
- package/dist/wizard/step-11-ui-polish.md +640 -0
- package/dist/wizard/step-12-testing.md +588 -0
- package/dist/wizard/wizard.lock +67 -0
- package/package.json +66 -0
package/dist/index.js
ADDED
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
import {
|
|
2
|
+
SpapsHttpClient,
|
|
3
|
+
SpapsHttpError,
|
|
4
|
+
buildResourceDefinitions,
|
|
5
|
+
buildToolDefinitions,
|
|
6
|
+
createSpapsMcpServer,
|
|
7
|
+
docsPath,
|
|
8
|
+
docsPathWithCapturedLeadingSlash,
|
|
9
|
+
getWizardStep,
|
|
10
|
+
listWizardSteps,
|
|
11
|
+
resolveConfig,
|
|
12
|
+
resolveWizardDir
|
|
13
|
+
} from "./chunk-GPBTYWDD.js";
|
|
14
|
+
export {
|
|
15
|
+
SpapsHttpClient,
|
|
16
|
+
SpapsHttpError,
|
|
17
|
+
buildResourceDefinitions,
|
|
18
|
+
buildToolDefinitions,
|
|
19
|
+
createSpapsMcpServer,
|
|
20
|
+
docsPath,
|
|
21
|
+
docsPathWithCapturedLeadingSlash,
|
|
22
|
+
getWizardStep,
|
|
23
|
+
listWizardSteps,
|
|
24
|
+
resolveConfig,
|
|
25
|
+
resolveWizardDir
|
|
26
|
+
};
|
|
@@ -0,0 +1,125 @@
|
|
|
1
|
+
# SPAPS Surface Contract
|
|
2
|
+
|
|
3
|
+
This document defines the public surfaces around SPAPS, what each one owns, and how they are allowed to interact.
|
|
4
|
+
|
|
5
|
+
The goal is simple: one operator shell, clean integration packages, and no drift where agent skills quietly become a second product interface.
|
|
6
|
+
|
|
7
|
+
## Core Rule
|
|
8
|
+
|
|
9
|
+
`spaps` is the self-serve administrator shell.
|
|
10
|
+
|
|
11
|
+
Everything else either powers that shell, consumes what it provisions, or orchestrates around it.
|
|
12
|
+
|
|
13
|
+
## Surfaces
|
|
14
|
+
|
|
15
|
+
| Surface | Driven by | Owns | Must not own | Interface type | Canonical neighbor |
|
|
16
|
+
| --- | --- | --- | --- | --- | --- |
|
|
17
|
+
| `spaps` CLI (`packages/spaps`) | operator, agent, CI | account connect, app select/create, repo bootstrap/attach, local runtime orchestration, verification, machine-readable status | app business logic, framework SDK concerns, skillbox fleet ops, repo archaeology | product-facing shell | talks to `sweetpotato.dev`, local SPAPS runtimes, and repo-local config |
|
|
18
|
+
| `sweetpotato.dev` hosted service | platform | account identity, free tier, app registry, hosted provisioning APIs, billing for hosted surfaces | repo patching, local runtime orchestration, custom implementation workflow | product-facing backend | backs the `spaps` CLI |
|
|
19
|
+
| `spaps-sdk` (`packages/sdk`) | application code | frontend and Node integration against SPAPS auth, entitlements, issue reporting, and related APIs | account signup, app provisioning, repo bootstrap, operator workflows | product-facing library | consumes credentials and config created by `spaps` |
|
|
20
|
+
| Python `spaps` client (`packages/python-client`) | application code, services, scripts | Python access to SPAPS APIs | operator shell behavior, local runtime control, repo mutation | product-facing library | consumes credentials and config created by `spaps` |
|
|
21
|
+
| `spaps-server-quickstart` (`packages/python-server-quickstart`) | backend developers | FastAPI/Celery service scaffolding, auth middleware, endpoint contracts, local-mode behavior, backend templates | hosted account lifecycle, product onboarding shell, portfolio orchestration | product-facing backend scaffold | serves the runtime that `spaps` manages locally |
|
|
22
|
+
| skills (`skills/`, global skills, skillbox overlays) | agent | multi-repo reasoning, wiki/context synthesis, audits, migrations, managed ops, portfolio decisions, workflow composition | stable product contract, end-user onboarding surface, backend API truth | agent-only orchestration | call the CLI, read docs, and coordinate sibling repos |
|
|
23
|
+
|
|
24
|
+
## Interaction Rules
|
|
25
|
+
|
|
26
|
+
### 1. Skills decide and compose; CLIs execute and report
|
|
27
|
+
|
|
28
|
+
Skills may inspect repo state, overlays, plans, the wiki, and sibling repos. They can recommend or sequence work. They should call `spaps` when the task is a real operator action.
|
|
29
|
+
|
|
30
|
+
`spaps` should perform the action, emit stable human-readable output, and support JSON where agents need a machine contract.
|
|
31
|
+
|
|
32
|
+
### 2. Provisioning starts in the shell, not in the SDKs
|
|
33
|
+
|
|
34
|
+
Application packages should assume credentials, app identity, and policy defaults already exist. They consume provisioned state; they do not create it.
|
|
35
|
+
|
|
36
|
+
### 3. The backend scaffold is not the admin shell
|
|
37
|
+
|
|
38
|
+
`spaps-server-quickstart` defines runtime capability and local-mode semantics. It should not become the place where account connect, app selection, or repo bootstrap logic lives.
|
|
39
|
+
|
|
40
|
+
### 4. `sweetpotato.dev` is the hosted backing service, not the primary operator interface
|
|
41
|
+
|
|
42
|
+
The website and hosted APIs hold account and app state. The shell is still `spaps`.
|
|
43
|
+
|
|
44
|
+
### 5. Managed operations stay outside the shell
|
|
45
|
+
|
|
46
|
+
`skillbox` and its overlays own managed boxes, runtime distribution, and higher-trust fleet operations. `buildooor` owns custom implementation work. The `spaps` CLI can hand users toward those layers, but it must not absorb their responsibilities.
|
|
47
|
+
|
|
48
|
+
## OpenAPI Auth Metadata
|
|
49
|
+
|
|
50
|
+
Every operation in `docs/api-reference.yaml` must carry standard OpenAPI
|
|
51
|
+
`security` requirements and an `x-spaps-auth` object generated from the
|
|
52
|
+
FastAPI route dependencies.
|
|
53
|
+
|
|
54
|
+
Allowed `x-spaps-auth.auth_type` values:
|
|
55
|
+
|
|
56
|
+
| Value | Meaning |
|
|
57
|
+
| --- | --- |
|
|
58
|
+
| `public` | No SPAPS credential required. |
|
|
59
|
+
| `application` | Requires an application API key, with publishable or secret acceptance recorded in `api_key.accepted`. |
|
|
60
|
+
| `application_optional_user` | Requires an application API key and accepts, but does not require, a bearer user token. |
|
|
61
|
+
| `user` | Requires an application API key plus a bearer user token. |
|
|
62
|
+
| `admin` | Requires a secret application key plus a bearer token with the `admin` role. |
|
|
63
|
+
| `super_admin` | Requires a secret application key plus a bearer token with the `super_admin` role. |
|
|
64
|
+
| `stripe_webhook_signature` | Requires a Stripe provider signature instead of a SPAPS application key. |
|
|
65
|
+
| `mailgun_webhook_signature` | Requires a Mailgun provider signature instead of a SPAPS application key. |
|
|
66
|
+
|
|
67
|
+
The `x-spaps-auth` object is fail-closed: unknown `auth_type`, API key type,
|
|
68
|
+
security scheme, JWT shape, role, or provider-signature scheme values fail
|
|
69
|
+
`npm run docs:validate-openapi`. The canonical generator and validator live in
|
|
70
|
+
`spaps_server_quickstart.openapi_auth` and
|
|
71
|
+
`scripts/validate_openapi_auth_metadata.py`; new route dependencies must update
|
|
72
|
+
those files and the contract tests together.
|
|
73
|
+
|
|
74
|
+
## Manifest Route Metadata
|
|
75
|
+
|
|
76
|
+
`docs/manifest.json` version `1.4` is the machine-readable route contract for
|
|
77
|
+
agents, SDK docs, and CLI tooling. Every endpoint entry must carry:
|
|
78
|
+
|
|
79
|
+
| Field | Type | Source of truth |
|
|
80
|
+
| --- | --- | --- |
|
|
81
|
+
| `auth` | object | `spaps_server_quickstart.openapi_auth.route_auth_metadata()` |
|
|
82
|
+
| `rate_tier` | string | `spaps_server_quickstart.middleware.rate_limiting.get_tier_for_endpoint()` |
|
|
83
|
+
| `publishable_scope` | string array or `null` | `spaps_server_quickstart.middleware.key_scope.publishable_scopes_for_endpoint()` filtered to routes whose auth accepts publishable keys |
|
|
84
|
+
| `entitlement_key` | string or `null` | fixed route-level entitlement gates only |
|
|
85
|
+
|
|
86
|
+
`auth` uses the same shape and vocabulary as OpenAPI `x-spaps-auth`.
|
|
87
|
+
`publishable_scope` is `null` when a route is public, secret-only, provider
|
|
88
|
+
signed, or otherwise not callable with a publishable SPAPS key. It is an array
|
|
89
|
+
because more than one built-in application blueprint scope may admit the same
|
|
90
|
+
route over time. `entitlement_key` is intentionally `null` for dynamic
|
|
91
|
+
entitlement checks, x402 resource rules, usage policies, and request-provided
|
|
92
|
+
capability controls.
|
|
93
|
+
|
|
94
|
+
Regenerate the manifest with `npm run docs:generate-manifest`; CI checks the
|
|
95
|
+
checked-in file with `npm run docs:validate-manifest` and fails when route
|
|
96
|
+
coverage or projected metadata drifts from FastAPI and middleware code.
|
|
97
|
+
|
|
98
|
+
`npm run docs:validate-sdk-parity` also enforces inverse client coverage. For
|
|
99
|
+
each domain in `docs/client-domain-parity.md`, a `yes` cell means that surface
|
|
100
|
+
must claim at least one implemented route in the domain. A backend route may
|
|
101
|
+
temporarily ship before its client helper only with a row in the policy file's
|
|
102
|
+
`Pending Client Coverage Waivers` table, and that row must reference an open
|
|
103
|
+
Bead. Waivers are route-level and expire when the Bead closes.
|
|
104
|
+
|
|
105
|
+
## Administrator Journey
|
|
106
|
+
|
|
107
|
+
The intended administrator loop is:
|
|
108
|
+
|
|
109
|
+
1. `spaps connect`
|
|
110
|
+
2. `spaps bootstrap`
|
|
111
|
+
3. `spaps verify`
|
|
112
|
+
|
|
113
|
+
Those verbs define the shell:
|
|
114
|
+
|
|
115
|
+
- `connect`: establish operator identity, free-tier signup/login, and default app context
|
|
116
|
+
- `bootstrap`: attach SPAPS to the current repo or scaffold a new app against the right blueprint
|
|
117
|
+
- `verify`: prove the golden path end to end, including auth, entitlements, and local runtime hints
|
|
118
|
+
|
|
119
|
+
Other commands should support that loop, not compete with it.
|
|
120
|
+
|
|
121
|
+
## Present Naming Risk
|
|
122
|
+
|
|
123
|
+
Today the JavaScript CLI package and the Python client both publish as `spaps`. That is already enough to confuse internal audit tooling and weakens the surface boundary described here.
|
|
124
|
+
|
|
125
|
+
This document records the contract first. Package renaming, aliasing, or audit-tool disambiguation is a separate follow-on decision.
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
# SPAPS Glossary
|
|
2
|
+
|
|
3
|
+
Canonical terminology for the Sweet Potato Authentication & Payment Service.
|
|
4
|
+
Use these terms in code, API responses, docs, and SDK surface.
|
|
5
|
+
|
|
6
|
+
## Keys
|
|
7
|
+
|
|
8
|
+
| Term | Definition |
|
|
9
|
+
|------|-----------|
|
|
10
|
+
| **secret key** | Server-side application credential (`spaps_sec_` prefix). Authenticates backend API calls. Never expose to browsers. Formerly called "API key" — that term is deprecated. |
|
|
11
|
+
| **publishable key** | Client-side application credential (`spaps_pub_` prefix). Safe to embed in browser/mobile code. Scoped to a subset of endpoints configured by the application blueprint. |
|
|
12
|
+
|
|
13
|
+
## Identity
|
|
14
|
+
|
|
15
|
+
| Term | Definition |
|
|
16
|
+
|------|-----------|
|
|
17
|
+
| **user** | An authenticated identity within an application. Has an email, optional username, and optional wallet addresses. |
|
|
18
|
+
| **profile** | The public-facing projection of a user: id, email, username, wallets, tier, roles, permissions, and metadata. Returned by `/auth/user`. |
|
|
19
|
+
| **wallet** | A blockchain address linked to a user. Each wallet has a `wallet_address` and `chain_type`. |
|
|
20
|
+
| **wallet_address** | The on-chain address string (e.g. a Solana or Ethereum address). Always lowercase-normalized for EVM chains. |
|
|
21
|
+
|
|
22
|
+
## Access
|
|
23
|
+
|
|
24
|
+
| Term | Definition |
|
|
25
|
+
|------|-----------|
|
|
26
|
+
| **tier** | The subscription level of a user. Canonical values: `basic` (default), `premium`, `enterprise`. Drives policy evaluation and rate limiting. |
|
|
27
|
+
| **subscription** | A Stripe-managed billing relationship that determines a user's tier. |
|
|
28
|
+
| **application** | A registered SPAPS client. Owns a secret key, publishable key, settings, and a set of users via memberships. |
|
|
29
|
+
| **entitlement** | A granted capability or resource access. Projected per-user via policy evaluation. Types: `access`, `feature`, `quota`. |
|
|
30
|
+
|
|
31
|
+
## Deprecated Terms
|
|
32
|
+
|
|
33
|
+
| Deprecated | Replacement |
|
|
34
|
+
|-----------|------------|
|
|
35
|
+
| `api_key` (in API responses) | `secret_key` |
|
|
36
|
+
| `API key` (in docs/copy) | "secret key" or "publishable key" (be specific) |
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
# Sweet Potato llms.txt
|
|
2
|
+
# Source file copied to docs.sweetpotato.dev by deploy/reverse-proxy/sync-docs.sh.
|
|
3
|
+
|
|
4
|
+
/index.md | Sweet Potato documentation index and source-of-truth pointer.
|
|
5
|
+
/docs/agents/AGENT_QUICKSTART.md | Agent quickstart for local mode, API keys, auth flows, verification, capability checks, and tool-spec generation.
|
|
6
|
+
/docs/manifest.json | Endpoint manifest with path, category, docs, tests, and consumer-facing tags.
|
|
7
|
+
/docs/api-reference.yaml | OpenAPI contract for SPAPS HTTP routes and schemas.
|
|
8
|
+
/docs/guides/authentication-methods.md | Canonical authentication method matrix, security caveats, rate tiers, key requirements, and TypeScript/Python examples.
|
|
9
|
+
/docs/guides/email-authentication.md | Password, OIDC, SMS, WebAuthn, magic-link, MFA, password reset, and email-delivery auth guide.
|
|
10
|
+
/docs/guides/magic-link-authentication.md | Magic-link request and verification behavior, including MFA challenge handling.
|
|
11
|
+
/packages/sdk/README.md | TypeScript SDK usage for auth, payments, sessions, entitlements, access, graph, and domain helpers.
|
|
12
|
+
/packages/python-client/README.md | Python SDK usage for sync and async auth, MFA, OIDC, WebAuthn, payments, sessions, and domain helpers.
|
|
13
|
+
/packages/spaps/AI_TOOLS.json | Generated OpenAI-style SPAPS tool spec for agent callers.
|
|
14
|
+
/docs/manifest.json tags | admin-stripe, affiliate-referrals, agent, agent-approvals, app-links, apply-log, attribution, audit, auth, authorization, authz, billing-accounts, capability-graph, cfo, controlled-reveal, crypto-payments, dayrate, dev, device-flow, discovery, docs, elevenlabs, email, entitlements, experiments, features, fixtures, governance, handoff, health, history, hosted-assets, idempotency, insights, invitations, issue-reporting, ledger, local, marketing-events, memberships, notifications, operator-control-plane, other, outbox, paid-resources, paid-review, payments, policies, privacy, project-grants, publishable-key, realtime, receipts, reporter-thread, results, reviews, rollups, screenshots, secret-key, secure-messages, security, self-service, service-admin, sessions, short-links, skill-evals, status, stripe, stripe-webhooks, support-triage, triage, usage, user-messaging, users, voice, webhooks, whitelist, x402.
|
|
15
|
+
/sweet-potato-logo.jpg | Sweet Potato brand image.
|
|
@@ -0,0 +1,149 @@
|
|
|
1
|
+
# SPAPS Integration Step 1/12: Project Setup & Dependencies
|
|
2
|
+
|
|
3
|
+
## Your Current Task
|
|
4
|
+
|
|
5
|
+
You are setting up a new Next.js application with SPAPS integration. This is the foundation - getting this right is critical.
|
|
6
|
+
|
|
7
|
+
## Required TodoWrite List
|
|
8
|
+
|
|
9
|
+
Create a TodoWrite with EXACTLY these items (copy this list):
|
|
10
|
+
|
|
11
|
+
```javascript
|
|
12
|
+
TodoWrite({
|
|
13
|
+
todos: [
|
|
14
|
+
{ content: "Create Next.js app with TypeScript and App Router", status: "pending", activeForm: "Creating Next.js app with TypeScript and App Router" },
|
|
15
|
+
{ content: "Initialize shadcn/ui with Default style and Slate base color", status: "pending", activeForm: "Initializing shadcn/ui with Default style and Slate base color" },
|
|
16
|
+
{ content: "Install spaps-sdk from npm (version 1.0.1)", status: "pending", activeForm: "Installing spaps-sdk from npm" },
|
|
17
|
+
{ content: "Install spaps CLI in devDependencies", status: "pending", activeForm: "Installing spaps CLI in devDependencies" },
|
|
18
|
+
{ content: "Install concurrently in devDependencies", status: "pending", activeForm: "Installing concurrently in devDependencies" },
|
|
19
|
+
{ content: "Update package.json dev script to run spaps local", status: "pending", activeForm: "Updating package.json dev script" },
|
|
20
|
+
{ content: "Verify all dependencies are correctly installed", status: "pending", activeForm: "Verifying dependencies" },
|
|
21
|
+
{ content: "Request step 2 of SPAPS integration wizard", status: "pending", activeForm: "Requesting next step" }
|
|
22
|
+
]
|
|
23
|
+
})
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
## Step-by-Step Instructions
|
|
27
|
+
|
|
28
|
+
### 1. Create Next.js Application
|
|
29
|
+
```bash
|
|
30
|
+
npx create-next-app@latest spaps-demo --typescript --tailwind --app --no-src-dir --import-alias "@/*"
|
|
31
|
+
cd spaps-demo
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
### 2. Setup shadcn/ui
|
|
35
|
+
```bash
|
|
36
|
+
npx shadcn@latest init
|
|
37
|
+
```
|
|
38
|
+
When prompted, choose:
|
|
39
|
+
- ✅ Style: **Default** (NOT New York)
|
|
40
|
+
- ✅ Base color: **Slate**
|
|
41
|
+
- ✅ CSS variables: **Yes**
|
|
42
|
+
|
|
43
|
+
### 3. Install SPAPS SDK
|
|
44
|
+
```bash
|
|
45
|
+
npm install spaps-sdk
|
|
46
|
+
```
|
|
47
|
+
⚠️ **CRITICAL**: The package is `spaps-sdk` NOT:
|
|
48
|
+
- ❌ @sweet-potato/sdk
|
|
49
|
+
- ❌ @sweetpotato/sdk
|
|
50
|
+
- ❌ sweet-potato-sdk
|
|
51
|
+
|
|
52
|
+
### 4. Install Development Dependencies
|
|
53
|
+
```bash
|
|
54
|
+
npm install -D spaps concurrently
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
### 5. Update package.json Scripts
|
|
58
|
+
Edit package.json and update the dev script:
|
|
59
|
+
```json
|
|
60
|
+
{
|
|
61
|
+
"scripts": {
|
|
62
|
+
"dev": "concurrently \"npx spaps local\" \"next dev\"",
|
|
63
|
+
"build": "next build",
|
|
64
|
+
"start": "next start",
|
|
65
|
+
"lint": "next lint"
|
|
66
|
+
}
|
|
67
|
+
}
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
## Validation Checklist
|
|
71
|
+
|
|
72
|
+
Before marking this step complete, verify:
|
|
73
|
+
|
|
74
|
+
✅ **package.json** contains:
|
|
75
|
+
```json
|
|
76
|
+
{
|
|
77
|
+
"dependencies": {
|
|
78
|
+
"spaps-sdk": "^1.0.1",
|
|
79
|
+
"next": "^15.0.0",
|
|
80
|
+
// ... other deps
|
|
81
|
+
},
|
|
82
|
+
"devDependencies": {
|
|
83
|
+
"spaps": "^0.3.2",
|
|
84
|
+
"concurrently": "^8.0.0",
|
|
85
|
+
// ... other dev deps
|
|
86
|
+
}
|
|
87
|
+
}
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
✅ **Dev script** includes both commands:
|
|
91
|
+
```json
|
|
92
|
+
"dev": "concurrently \"npx spaps local\" \"next dev\""
|
|
93
|
+
```
|
|
94
|
+
|
|
95
|
+
✅ **shadcn/ui** is configured with:
|
|
96
|
+
- components.json exists
|
|
97
|
+
- Uses Default style (not New York)
|
|
98
|
+
- Uses Slate as base color
|
|
99
|
+
|
|
100
|
+
✅ **Project structure** has:
|
|
101
|
+
- app/ directory (App Router)
|
|
102
|
+
- TypeScript configured
|
|
103
|
+
- Tailwind CSS working
|
|
104
|
+
|
|
105
|
+
## Common Mistakes to Avoid
|
|
106
|
+
|
|
107
|
+
❌ **Wrong package name**: Using @sweet-potato/sdk instead of spaps-sdk
|
|
108
|
+
❌ **Missing concurrently**: Not installing or using concurrently
|
|
109
|
+
❌ **Wrong dev script**: Not including spaps local command
|
|
110
|
+
❌ **Wrong shadcn style**: Choosing New York instead of Default
|
|
111
|
+
❌ **Missing TypeScript**: Creating JavaScript project instead
|
|
112
|
+
|
|
113
|
+
## Testing Your Setup
|
|
114
|
+
|
|
115
|
+
Run this command to test:
|
|
116
|
+
```bash
|
|
117
|
+
npm run dev
|
|
118
|
+
```
|
|
119
|
+
|
|
120
|
+
You should see:
|
|
121
|
+
- SPAPS starting on port **3301** (NOT 3000, 3300, or 3456)
|
|
122
|
+
- Next.js starting on port 3000
|
|
123
|
+
- No dependency errors
|
|
124
|
+
|
|
125
|
+
## Next Step
|
|
126
|
+
|
|
127
|
+
When ALL todos are ✅ complete and validation passes:
|
|
128
|
+
|
|
129
|
+
```javascript
|
|
130
|
+
mcp__product-manager__get_agent_instructions({
|
|
131
|
+
category: "spaps-integration",
|
|
132
|
+
project: "spaps-demo",
|
|
133
|
+
step: 2
|
|
134
|
+
})
|
|
135
|
+
```
|
|
136
|
+
|
|
137
|
+
## Need Help?
|
|
138
|
+
|
|
139
|
+
If you're stuck, create a detailed task describing the issue:
|
|
140
|
+
```javascript
|
|
141
|
+
mcp__product-manager__create_task({
|
|
142
|
+
project: "spaps-integration",
|
|
143
|
+
description: "Step 1 Blocker: [specific issue description]",
|
|
144
|
+
category: "bug",
|
|
145
|
+
priority: "high"
|
|
146
|
+
})
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
Remember: **Get this foundation right!** All subsequent steps depend on correct setup.
|
|
@@ -0,0 +1,291 @@
|
|
|
1
|
+
# SPAPS Integration Step 2/12: Environment Configuration
|
|
2
|
+
|
|
3
|
+
## Prerequisites Check
|
|
4
|
+
|
|
5
|
+
Before starting, confirm you have completed:
|
|
6
|
+
- ✅ Step 1: Project setup with all dependencies installed
|
|
7
|
+
- ✅ Next.js app created with TypeScript
|
|
8
|
+
- ✅ shadcn/ui initialized
|
|
9
|
+
- ✅ spaps-sdk and spaps CLI installed
|
|
10
|
+
|
|
11
|
+
## Required TodoWrite List
|
|
12
|
+
|
|
13
|
+
Create a TodoWrite with EXACTLY these items:
|
|
14
|
+
|
|
15
|
+
```javascript
|
|
16
|
+
TodoWrite({
|
|
17
|
+
todos: [
|
|
18
|
+
{ content: "Create .env.local file in project root", status: "pending", activeForm: "Creating .env.local file" },
|
|
19
|
+
{ content: "Set NEXT_PUBLIC_SPAPS_API_URL to http://localhost:3301", status: "pending", activeForm: "Setting API URL to port 3301" },
|
|
20
|
+
{ content: "Add SPAPS_API_KEY configuration", status: "pending", activeForm: "Adding API key configuration" },
|
|
21
|
+
{ content: "Add admin credentials for later use", status: "pending", activeForm: "Adding admin credentials" },
|
|
22
|
+
{ content: "Create .env.local.example for documentation", status: "pending", activeForm: "Creating example env file" },
|
|
23
|
+
{ content: "Add .env.local to .gitignore", status: "pending", activeForm: "Adding to gitignore" },
|
|
24
|
+
{ content: "Verify environment variables are loaded", status: "pending", activeForm: "Verifying environment setup" },
|
|
25
|
+
{ content: "Request step 3 of SPAPS integration wizard", status: "pending", activeForm: "Requesting next step" }
|
|
26
|
+
]
|
|
27
|
+
})
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
## Environment Configuration
|
|
31
|
+
|
|
32
|
+
### 1. Create .env.local File
|
|
33
|
+
|
|
34
|
+
In your project root (same level as package.json), create `.env.local`:
|
|
35
|
+
|
|
36
|
+
```bash
|
|
37
|
+
touch .env.local
|
|
38
|
+
```
|
|
39
|
+
|
|
40
|
+
### 2. Add Environment Variables
|
|
41
|
+
|
|
42
|
+
⚠️ **CRITICAL**: The port MUST be 3301, not 3000, 3300, or 3456!
|
|
43
|
+
|
|
44
|
+
```env
|
|
45
|
+
# .env.local
|
|
46
|
+
|
|
47
|
+
# SPAPS Configuration - Port 3301 is REQUIRED
|
|
48
|
+
NEXT_PUBLIC_SPAPS_API_URL=http://localhost:3301
|
|
49
|
+
SPAPS_API_KEY=test_key_local_dev_only
|
|
50
|
+
|
|
51
|
+
# Admin Credentials (for whitelist/admin operations)
|
|
52
|
+
NEXT_PUBLIC_ADMIN_EMAIL=admin@example.com
|
|
53
|
+
NEXT_PUBLIC_ADMIN_PASSWORD=Admin123!
|
|
54
|
+
|
|
55
|
+
# App Configuration
|
|
56
|
+
NEXT_PUBLIC_APP_URL=http://localhost:3000
|
|
57
|
+
|
|
58
|
+
# Optional: For production (not available yet)
|
|
59
|
+
# NEXT_PUBLIC_SPAPS_API_URL=https://api.sweetpotato.dev
|
|
60
|
+
# SPAPS_API_KEY=your_production_api_key_here
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
### 3. Create .env.local.example
|
|
64
|
+
|
|
65
|
+
Create a template for other developers:
|
|
66
|
+
|
|
67
|
+
```env
|
|
68
|
+
# .env.local.example
|
|
69
|
+
|
|
70
|
+
# SPAPS Configuration (Port 3301 is standardized)
|
|
71
|
+
NEXT_PUBLIC_SPAPS_API_URL=http://localhost:3301
|
|
72
|
+
SPAPS_API_KEY=test_key_local_dev_only
|
|
73
|
+
|
|
74
|
+
# Admin credentials for whitelist/admin operations
|
|
75
|
+
NEXT_PUBLIC_ADMIN_EMAIL=admin@example.com
|
|
76
|
+
NEXT_PUBLIC_ADMIN_PASSWORD=your_admin_password_here
|
|
77
|
+
|
|
78
|
+
# Next.js Configuration
|
|
79
|
+
NEXT_PUBLIC_APP_URL=http://localhost:3000
|
|
80
|
+
|
|
81
|
+
# Note: SPAPS runs on port 3301 in this repository
|
|
82
|
+
# Production API not yet available
|
|
83
|
+
```
|
|
84
|
+
|
|
85
|
+
### 4. Update .gitignore
|
|
86
|
+
|
|
87
|
+
Make sure `.env.local` is NOT committed:
|
|
88
|
+
|
|
89
|
+
```gitignore
|
|
90
|
+
# Environment variables
|
|
91
|
+
.env*.local
|
|
92
|
+
.env.local
|
|
93
|
+
|
|
94
|
+
# Keep the example file
|
|
95
|
+
!.env.local.example
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
### 5. Verify Configuration
|
|
99
|
+
|
|
100
|
+
Create a test file to verify environment variables:
|
|
101
|
+
|
|
102
|
+
```typescript
|
|
103
|
+
// app/api/test-env/route.ts
|
|
104
|
+
import { NextResponse } from 'next/server'
|
|
105
|
+
|
|
106
|
+
export async function GET() {
|
|
107
|
+
return NextResponse.json({
|
|
108
|
+
apiUrl: process.env.NEXT_PUBLIC_SPAPS_API_URL,
|
|
109
|
+
hasApiKey: !!process.env.SPAPS_API_KEY,
|
|
110
|
+
hasAdminEmail: !!process.env.NEXT_PUBLIC_ADMIN_EMAIL,
|
|
111
|
+
nodeEnv: process.env.NODE_ENV
|
|
112
|
+
})
|
|
113
|
+
}
|
|
114
|
+
```
|
|
115
|
+
|
|
116
|
+
Test it:
|
|
117
|
+
```bash
|
|
118
|
+
curl http://localhost:3000/api/test-env
|
|
119
|
+
```
|
|
120
|
+
|
|
121
|
+
Should return:
|
|
122
|
+
```json
|
|
123
|
+
{
|
|
124
|
+
"apiUrl": "http://localhost:3301",
|
|
125
|
+
"hasApiKey": true,
|
|
126
|
+
"hasAdminEmail": true,
|
|
127
|
+
"nodeEnv": "development"
|
|
128
|
+
}
|
|
129
|
+
```
|
|
130
|
+
|
|
131
|
+
## Important Port Information
|
|
132
|
+
|
|
133
|
+
### Why Port 3301?
|
|
134
|
+
|
|
135
|
+
This repository's SPAPS server defaults to port 3301.
|
|
136
|
+
- ✅ 3301 - Correct SPAPS port here
|
|
137
|
+
- ❌ 3000 - This is your Next.js app
|
|
138
|
+
- ❌ 3300 - Old port (legacy)
|
|
139
|
+
- ❌ 3456 - Old port used in previous docs
|
|
140
|
+
- ❌ 8080 - Wrong, not SPAPS
|
|
141
|
+
|
|
142
|
+
### Running Both Servers
|
|
143
|
+
|
|
144
|
+
Your `package.json` dev script (from Step 1) runs both:
|
|
145
|
+
```json
|
|
146
|
+
"dev": "concurrently \"npx spaps local\" \"next dev\""
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
This starts:
|
|
150
|
+
- SPAPS on `http://localhost:3301`
|
|
151
|
+
- Next.js on `http://localhost:3000`
|
|
152
|
+
|
|
153
|
+
## Environment Variable Naming
|
|
154
|
+
|
|
155
|
+
### Public vs Private Variables
|
|
156
|
+
|
|
157
|
+
- `NEXT_PUBLIC_*` - Available in browser and server
|
|
158
|
+
- Without prefix - Server-side only
|
|
159
|
+
|
|
160
|
+
```typescript
|
|
161
|
+
// Browser accessible
|
|
162
|
+
process.env.NEXT_PUBLIC_SPAPS_API_URL ✅
|
|
163
|
+
|
|
164
|
+
// Server-only
|
|
165
|
+
process.env.SPAPS_API_KEY ✅ (backend only)
|
|
166
|
+
```
|
|
167
|
+
|
|
168
|
+
## Validation Checklist
|
|
169
|
+
|
|
170
|
+
✅ **File Structure**:
|
|
171
|
+
- `.env.local` exists in project root
|
|
172
|
+
- `.env.local.example` created for documentation
|
|
173
|
+
- `.gitignore` updated to exclude `.env.local`
|
|
174
|
+
|
|
175
|
+
✅ **Configuration Values**:
|
|
176
|
+
- `NEXT_PUBLIC_SPAPS_API_URL` = `http://localhost:3301`
|
|
177
|
+
- Port is 3301 (NOT 3000, 3300, or 3456)
|
|
178
|
+
- API key is set to `test_key_local_dev_only`
|
|
179
|
+
- Admin credentials are configured
|
|
180
|
+
|
|
181
|
+
✅ **Testing**:
|
|
182
|
+
- Environment variables load correctly
|
|
183
|
+
- Test endpoint returns expected values
|
|
184
|
+
- No errors in console
|
|
185
|
+
|
|
186
|
+
## Common Mistakes to Avoid
|
|
187
|
+
|
|
188
|
+
❌ **Wrong port**:
|
|
189
|
+
```env
|
|
190
|
+
# WRONG
|
|
191
|
+
NEXT_PUBLIC_SPAPS_API_URL=http://localhost:3000 # This is Next.js
|
|
192
|
+
NEXT_PUBLIC_SPAPS_API_URL=http://localhost:3300 # Old port
|
|
193
|
+
```
|
|
194
|
+
|
|
195
|
+
❌ **Missing NEXT_PUBLIC prefix**:
|
|
196
|
+
```env
|
|
197
|
+
# WRONG - Won't be available in browser
|
|
198
|
+
SPAPS_API_URL=http://localhost:3301
|
|
199
|
+
```
|
|
200
|
+
|
|
201
|
+
❌ **Committing secrets**:
|
|
202
|
+
```gitignore
|
|
203
|
+
# WRONG - Forgot to add to .gitignore
|
|
204
|
+
# .env.local will be committed!
|
|
205
|
+
```
|
|
206
|
+
|
|
207
|
+
❌ **Using production URL**:
|
|
208
|
+
```env
|
|
209
|
+
# WRONG - Production not available yet
|
|
210
|
+
NEXT_PUBLIC_SPAPS_API_URL=https://api.sweetpotato.dev
|
|
211
|
+
```
|
|
212
|
+
|
|
213
|
+
## Testing Your Setup
|
|
214
|
+
|
|
215
|
+
Run this command to verify SPAPS is accessible:
|
|
216
|
+
|
|
217
|
+
```bash
|
|
218
|
+
# Start your dev server first
|
|
219
|
+
npm run dev
|
|
220
|
+
|
|
221
|
+
# In another terminal, test SPAPS
|
|
222
|
+
curl http://localhost:3301/health
|
|
223
|
+
```
|
|
224
|
+
|
|
225
|
+
Should return:
|
|
226
|
+
```json
|
|
227
|
+
{
|
|
228
|
+
"status": "ok",
|
|
229
|
+
"mode": "local",
|
|
230
|
+
"version": "0.3.2"
|
|
231
|
+
}
|
|
232
|
+
```
|
|
233
|
+
|
|
234
|
+
## Troubleshooting
|
|
235
|
+
|
|
236
|
+
### Port Already in Use
|
|
237
|
+
|
|
238
|
+
If port 3301 is already in use:
|
|
239
|
+
```bash
|
|
240
|
+
# Find what's using port 3301
|
|
241
|
+
lsof -i :3301
|
|
242
|
+
|
|
243
|
+
# Kill the process
|
|
244
|
+
kill -9 <PID>
|
|
245
|
+
```
|
|
246
|
+
|
|
247
|
+
### Environment Variables Not Loading
|
|
248
|
+
|
|
249
|
+
1. Restart your dev server
|
|
250
|
+
2. Check file is named exactly `.env.local`
|
|
251
|
+
3. Verify you're in the project root
|
|
252
|
+
4. Try clearing Next.js cache:
|
|
253
|
+
```bash
|
|
254
|
+
rm -rf .next
|
|
255
|
+
npm run dev
|
|
256
|
+
```
|
|
257
|
+
|
|
258
|
+
### SPAPS Not Starting
|
|
259
|
+
|
|
260
|
+
Check your package.json dev script:
|
|
261
|
+
```json
|
|
262
|
+
"dev": "concurrently \"npx spaps local\" \"next dev\""
|
|
263
|
+
```
|
|
264
|
+
|
|
265
|
+
## Security Notes
|
|
266
|
+
|
|
267
|
+
⚠️ **Never commit real credentials**:
|
|
268
|
+
- Use `.env.local` for local development
|
|
269
|
+
- Use environment variables in production
|
|
270
|
+
- Never hardcode API keys in code
|
|
271
|
+
- Admin passwords should be strong
|
|
272
|
+
|
|
273
|
+
## Next Step
|
|
274
|
+
|
|
275
|
+
When ALL todos are ✅ complete and environment is configured:
|
|
276
|
+
|
|
277
|
+
```javascript
|
|
278
|
+
mcp__product-manager__get_agent_instructions({
|
|
279
|
+
category: "spaps-integration",
|
|
280
|
+
project: "spaps-demo",
|
|
281
|
+
step: 3
|
|
282
|
+
})
|
|
283
|
+
```
|
|
284
|
+
|
|
285
|
+
## Summary
|
|
286
|
+
|
|
287
|
+
Environment configuration is critical for SPAPS integration:
|
|
288
|
+
- **Port 3301** is the standard in this repository
|
|
289
|
+
- **NEXT_PUBLIC_** prefix for browser-accessible variables
|
|
290
|
+
- **Never commit** `.env.local` file
|
|
291
|
+
- **Always test** your configuration before proceeding
|