ultra-dex 3.1.0 → 3.2.0

package/assets/code-patterns/rls-policies.sql

@@ -0,0 +1,246 @@
+-- Ultra-Dex Production Pattern: Row-Level Security Policies
+-- Run after Prisma migrations to add RLS
+
+-- =============================================================================
+-- ENABLE RLS ON TABLES
+-- =============================================================================
+
+ALTER TABLE users ENABLE ROW LEVEL SECURITY;
+ALTER TABLE organizations ENABLE ROW LEVEL SECURITY;
+ALTER TABLE organization_members ENABLE ROW LEVEL SECURITY;
+ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
+ALTER TABLE tasks ENABLE ROW LEVEL SECURITY;
+ALTER TABLE comments ENABLE ROW LEVEL SECURITY;
+ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
+ALTER TABLE activity_logs ENABLE ROW LEVEL SECURITY;
+
+-- =============================================================================
+-- HELPER FUNCTIONS
+-- =============================================================================
+
+-- Get current user's clerk ID from session
+CREATE OR REPLACE FUNCTION auth.clerk_id()
+RETURNS TEXT AS $$
+  SELECT current_setting('app.clerk_id', true)::TEXT;
+$$ LANGUAGE SQL STABLE;
+
+-- Get current user's internal ID
+CREATE OR REPLACE FUNCTION auth.user_id()
+RETURNS TEXT AS $$
+  SELECT id FROM users WHERE clerk_id = auth.clerk_id();
+$$ LANGUAGE SQL STABLE;
+
+-- Check if user is member of organization
+CREATE OR REPLACE FUNCTION auth.is_org_member(org_id TEXT)
+RETURNS BOOLEAN AS $$
+  SELECT EXISTS (
+    SELECT 1 FROM organization_members om
+    JOIN users u ON u.id = om.user_id
+    WHERE om.organization_id = org_id
+    AND u.clerk_id = auth.clerk_id()
+  );
+$$ LANGUAGE SQL STABLE;
+
+-- Check if user is admin of organization
+CREATE OR REPLACE FUNCTION auth.is_org_admin(org_id TEXT)
+RETURNS BOOLEAN AS $$
+  SELECT EXISTS (
+    SELECT 1 FROM organization_members om
+    JOIN users u ON u.id = om.user_id
+    WHERE om.organization_id = org_id
+    AND u.clerk_id = auth.clerk_id()
+    AND om.role IN ('OWNER', 'ADMIN')
+  );
+$$ LANGUAGE SQL STABLE;
+
+-- =============================================================================
+-- USERS POLICIES
+-- =============================================================================
+
+-- Users can read their own data
+CREATE POLICY "users_select_own" ON users
+  FOR SELECT
+  USING (clerk_id = auth.clerk_id());
+
+-- Users can update their own data
+CREATE POLICY "users_update_own" ON users
+  FOR UPDATE
+  USING (clerk_id = auth.clerk_id());
+
+-- Admins can read all users
+CREATE POLICY "users_select_admin" ON users
+  FOR SELECT
+  USING (
+    EXISTS (
+      SELECT 1 FROM users u
+      WHERE u.clerk_id = auth.clerk_id()
+      AND u.role IN ('ADMIN', 'SUPER_ADMIN')
+    )
+  );
+
+-- =============================================================================
+-- ORGANIZATIONS POLICIES
+-- =============================================================================
+
+-- Members can view their organizations
+CREATE POLICY "organizations_select_members" ON organizations
+  FOR SELECT
+  USING (auth.is_org_member(id));
+
+-- Only admins can update organizations
+CREATE POLICY "organizations_update_admin" ON organizations
+  FOR UPDATE
+  USING (auth.is_org_admin(id));
+
+-- Only owners can delete organizations
+CREATE POLICY "organizations_delete_owner" ON organizations
+  FOR DELETE
+  USING (
+    EXISTS (
+      SELECT 1 FROM organization_members om
+      JOIN users u ON u.id = om.user_id
+      WHERE om.organization_id = organizations.id
+      AND u.clerk_id = auth.clerk_id()
+      AND om.role = 'OWNER'
+    )
+  );
+
+-- =============================================================================
+-- ORGANIZATION MEMBERS POLICIES
+-- =============================================================================
+
+-- Members can view org membership
+CREATE POLICY "org_members_select" ON organization_members
+  FOR SELECT
+  USING (auth.is_org_member(organization_id));
+
+-- Only admins can add/remove members
+CREATE POLICY "org_members_insert" ON organization_members
+  FOR INSERT
+  WITH CHECK (auth.is_org_admin(organization_id));
+
+CREATE POLICY "org_members_delete" ON organization_members
+  FOR DELETE
+  USING (auth.is_org_admin(organization_id));
+
+-- =============================================================================
+-- PROJECTS POLICIES
+-- =============================================================================
+
+-- Members can view projects
+CREATE POLICY "projects_select" ON projects
+  FOR SELECT
+  USING (auth.is_org_member(organization_id));
+
+-- Members (non-viewers) can create projects
+CREATE POLICY "projects_insert" ON projects
+  FOR INSERT
+  WITH CHECK (
+    EXISTS (
+      SELECT 1 FROM organization_members om
+      JOIN users u ON u.id = om.user_id
+      WHERE om.organization_id = projects.organization_id
+      AND u.clerk_id = auth.clerk_id()
+      AND om.role IN ('OWNER', 'ADMIN', 'MEMBER')
+    )
+  );
+
+-- Members can update projects they own, admins can update any
+CREATE POLICY "projects_update" ON projects
+  FOR UPDATE
+  USING (
+    (owner_id = auth.user_id()) OR auth.is_org_admin(organization_id)
+  );
+
+-- Only admins can delete projects
+CREATE POLICY "projects_delete" ON projects
+  FOR DELETE
+  USING (auth.is_org_admin(organization_id));
+
+-- =============================================================================
+-- TASKS POLICIES
+-- =============================================================================
+
+-- Inherit from project access
+CREATE POLICY "tasks_select" ON tasks
+  FOR SELECT
+  USING (
+    EXISTS (
+      SELECT 1 FROM projects p
+      WHERE p.id = tasks.project_id
+      AND auth.is_org_member(p.organization_id)
+    )
+  );
+
+CREATE POLICY "tasks_insert" ON tasks
+  FOR INSERT
+  WITH CHECK (
+    EXISTS (
+      SELECT 1 FROM projects p
+      JOIN organization_members om ON om.organization_id = p.organization_id
+      JOIN users u ON u.id = om.user_id
+      WHERE p.id = tasks.project_id
+      AND u.clerk_id = auth.clerk_id()
+      AND om.role IN ('OWNER', 'ADMIN', 'MEMBER')
+    )
+  );
+
+CREATE POLICY "tasks_update" ON tasks
+  FOR UPDATE
+  USING (
+    EXISTS (
+      SELECT 1 FROM projects p
+      WHERE p.id = tasks.project_id
+      AND auth.is_org_member(p.organization_id)
+    )
+  );
+
+CREATE POLICY "tasks_delete" ON tasks
+  FOR DELETE
+  USING (
+    EXISTS (
+      SELECT 1 FROM projects p
+      WHERE p.id = tasks.project_id
+      AND auth.is_org_admin(p.organization_id)
+    )
+  );
+
+-- =============================================================================
+-- INVOICES POLICIES
+-- =============================================================================
+
+-- Only org admins can view invoices
+CREATE POLICY "invoices_select" ON invoices
+  FOR SELECT
+  USING (auth.is_org_admin(organization_id));
+
+-- =============================================================================
+-- ACTIVITY LOGS POLICIES
+-- =============================================================================
+
+-- Users can view their own activity
+CREATE POLICY "activity_logs_select_own" ON activity_logs
+  FOR SELECT
+  USING (user_id = auth.user_id());
+
+-- Admins can view all activity in their orgs
+-- (would need to add org_id to activity_logs for this)
+
+-- =============================================================================
+-- USAGE: Set session context before queries
+-- =============================================================================
+
+/*
+-- In your API routes or middleware, set the clerk_id:
+
+-- For Prisma with raw queries:
+await prisma.$executeRaw`SELECT set_config('app.clerk_id', ${clerkId}, true)`;
+
+-- Then all subsequent queries will respect RLS policies
+
+-- For Supabase:
+const { data } = await supabase
+  .from('projects')
+  .select('*')
+  // RLS automatically applied based on auth.uid()
+*/

package/assets/code-patterns/server-actions.ts

@@ -0,0 +1,191 @@
+// Ultra-Dex Production Pattern: Next.js 15 Server Actions
+// Copy this file to your app/actions/ directory
+
+'use server';
+
+import { z } from 'zod';
+import { revalidatePath } from 'next/cache';
+import { redirect } from 'next/navigation';
+import { auth } from '@clerk/nextjs/server';
+import { prisma } from '@/lib/prisma';
+
+// =============================================================================
+// SCHEMA DEFINITIONS
+// =============================================================================
+
+const CreateUserSchema = z.object({
+  email: z.string().email('Invalid email address'),
+  name: z.string().min(2, 'Name must be at least 2 characters'),
+  role: z.enum(['USER', 'ADMIN']).default('USER'),
+});
+
+const UpdateUserSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string().min(2).optional(),
+  email: z.string().email().optional(),
+});
+
+// =============================================================================
+// ACTION RESPONSE TYPE
+// =============================================================================
+
+type ActionResponse<T = void> =
+  | { success: true; data: T }
+  | { success: false; error: string; fieldErrors?: Record<string, string[]> };
+
+// =============================================================================
+// USER ACTIONS
+// =============================================================================
+
+export async function createUser(
+  prevState: ActionResponse<{ id: string }> | null,
+  formData: FormData
+): Promise<ActionResponse<{ id: string }>> {
+  const { userId } = await auth();
+
+  if (!userId) {
+    return { success: false, error: 'Unauthorized' };
+  }
+
+  const rawData = {
+    email: formData.get('email'),
+    name: formData.get('name'),
+    role: formData.get('role') || 'USER',
+  };
+
+  const validated = CreateUserSchema.safeParse(rawData);
+
+  if (!validated.success) {
+    return {
+      success: false,
+      error: 'Validation failed',
+      fieldErrors: validated.error.flatten().fieldErrors,
+    };
+  }
+
+  try {
+    const user = await prisma.user.create({
+      data: validated.data,
+    });
+
+    console.log(JSON.stringify({
+      level: 'info',
+      event: 'user_created',
+      userId: user.id,
+      createdBy: userId,
+    }));
+
+    revalidatePath('/users');
+    return { success: true, data: { id: user.id } };
+  } catch (error) {
+    console.error('Failed to create user:', error);
+    return { success: false, error: 'Failed to create user' };
+  }
+}
+
+export async function updateUser(
+  prevState: ActionResponse | null,
+  formData: FormData
+): Promise<ActionResponse> {
+  const { userId } = await auth();
+
+  if (!userId) {
+    return { success: false, error: 'Unauthorized' };
+  }
+
+  const rawData = {
+    id: formData.get('id'),
+    name: formData.get('name'),
+    email: formData.get('email'),
+  };
+
+  const validated = UpdateUserSchema.safeParse(rawData);
+
+  if (!validated.success) {
+    return {
+      success: false,
+      error: 'Validation failed',
+      fieldErrors: validated.error.flatten().fieldErrors,
+    };
+  }
+
+  try {
+    await prisma.user.update({
+      where: { id: validated.data.id },
+      data: {
+        ...(validated.data.name && { name: validated.data.name }),
+        ...(validated.data.email && { email: validated.data.email }),
+      },
+    });
+
+    revalidatePath('/users');
+    revalidatePath(`/users/${validated.data.id}`);
+    return { success: true, data: undefined };
+  } catch (error) {
+    console.error('Failed to update user:', error);
+    return { success: false, error: 'Failed to update user' };
+  }
+}
+
+export async function deleteUser(id: string): Promise<ActionResponse> {
+  const { userId } = await auth();
+
+  if (!userId) {
+    return { success: false, error: 'Unauthorized' };
+  }
+
+  try {
+    await prisma.user.delete({
+      where: { id },
+    });
+
+    console.log(JSON.stringify({
+      level: 'info',
+      event: 'user_deleted',
+      deletedUserId: id,
+      deletedBy: userId,
+    }));
+
+    revalidatePath('/users');
+    return { success: true, data: undefined };
+  } catch (error) {
+    console.error('Failed to delete user:', error);
+    return { success: false, error: 'Failed to delete user' };
+  }
+}
+
+// =============================================================================
+// USAGE IN COMPONENTS
+// =============================================================================
+
+/*
+// In a Client Component:
+
+'use client';
+
+import { useActionState } from 'react';
+import { createUser } from '@/app/actions/user';
+
+export function CreateUserForm() {
+  const [state, formAction, isPending] = useActionState(createUser, null);
+
+  return (
+    <form action={formAction}>
+      <input name="name" placeholder="Name" required />
+      <input name="email" type="email" placeholder="Email" required />
+
+      {state?.error && (
+        <p className="text-red-500">{state.error}</p>
+      )}
+
+      {state?.fieldErrors?.email && (
+        <p className="text-red-500">{state.fieldErrors.email[0]}</p>
+      )}
+
+      <button type="submit" disabled={isPending}>
+        {isPending ? 'Creating...' : 'Create User'}
+      </button>
+    </form>
+  );
+}
+*/

package/assets/code-patterns/trpc-router.ts

@@ -0,0 +1,258 @@
+// Ultra-Dex Production Pattern: tRPC Router
+// Copy to server/routers/ directory
+
+import { z } from 'zod';
+import { TRPCError } from '@trpc/server';
+import { router, publicProcedure, protectedProcedure, adminProcedure } from '../trpc';
+import { prisma } from '@/lib/prisma';
+
+// =============================================================================
+// USER ROUTER
+// =============================================================================
+
+export const userRouter = router({
+  // Get current user profile
+  me: protectedProcedure.query(async ({ ctx }) => {
+    const user = await prisma.user.findUnique({
+      where: { clerkId: ctx.userId },
+      include: {
+        organizationMemberships: {
+          include: { organization: true },
+        },
+      },
+    });
+
+    if (!user) {
+      throw new TRPCError({ code: 'NOT_FOUND', message: 'User not found' });
+    }
+
+    return user;
+  }),
+
+  // Update current user profile
+  update: protectedProcedure
+    .input(
+      z.object({
+        name: z.string().min(2).optional(),
+        imageUrl: z.string().url().optional(),
+      })
+    )
+    .mutation(async ({ ctx, input }) => {
+      return prisma.user.update({
+        where: { clerkId: ctx.userId },
+        data: input,
+      });
+    }),
+
+  // List all users (admin only)
+  list: adminProcedure
+    .input(
+      z.object({
+        limit: z.number().min(1).max(100).default(50),
+        cursor: z.string().optional(),
+      })
+    )
+    .query(async ({ input }) => {
+      const users = await prisma.user.findMany({
+        take: input.limit + 1,
+        cursor: input.cursor ? { id: input.cursor } : undefined,
+        orderBy: { createdAt: 'desc' },
+      });
+
+      let nextCursor: string | undefined;
+      if (users.length > input.limit) {
+        const nextItem = users.pop();
+        nextCursor = nextItem!.id;
+      }
+
+      return { users, nextCursor };
+    }),
+});
+
+// =============================================================================
+// PROJECT ROUTER
+// =============================================================================
+
+export const projectRouter = router({
+  // List projects for current organization
+  list: protectedProcedure
+    .input(
+      z.object({
+        organizationId: z.string(),
+        status: z.enum(['ACTIVE', 'ARCHIVED', 'COMPLETED']).optional(),
+      })
+    )
+    .query(async ({ ctx, input }) => {
+      // Verify user has access to organization
+      const membership = await prisma.organizationMember.findFirst({
+        where: {
+          organizationId: input.organizationId,
+          user: { clerkId: ctx.userId },
+        },
+      });
+
+      if (!membership) {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'Access denied' });
+      }
+
+      return prisma.project.findMany({
+        where: {
+          organizationId: input.organizationId,
+          ...(input.status && { status: input.status }),
+        },
+        include: {
+          owner: { select: { name: true, imageUrl: true } },
+          _count: { select: { tasks: true } },
+        },
+        orderBy: { updatedAt: 'desc' },
+      });
+    }),
+
+  // Get single project
+  get: protectedProcedure
+    .input(z.object({ id: z.string() }))
+    .query(async ({ ctx, input }) => {
+      const project = await prisma.project.findUnique({
+        where: { id: input.id },
+        include: {
+          owner: true,
+          tasks: { orderBy: { createdAt: 'desc' } },
+          organization: true,
+        },
+      });
+
+      if (!project) {
+        throw new TRPCError({ code: 'NOT_FOUND' });
+      }
+
+      // Verify access
+      const membership = await prisma.organizationMember.findFirst({
+        where: {
+          organizationId: project.organizationId,
+          user: { clerkId: ctx.userId },
+        },
+      });
+
+      if (!membership) {
+        throw new TRPCError({ code: 'FORBIDDEN' });
+      }
+
+      return project;
+    }),
+
+  // Create project
+  create: protectedProcedure
+    .input(
+      z.object({
+        name: z.string().min(1).max(100),
+        description: z.string().max(500).optional(),
+        organizationId: z.string(),
+      })
+    )
+    .mutation(async ({ ctx, input }) => {
+      // Verify user has write access to organization
+      const membership = await prisma.organizationMember.findFirst({
+        where: {
+          organizationId: input.organizationId,
+          user: { clerkId: ctx.userId },
+          role: { in: ['OWNER', 'ADMIN', 'MEMBER'] },
+        },
+      });
+
+      if (!membership) {
+        throw new TRPCError({ code: 'FORBIDDEN' });
+      }
+
+      const user = await prisma.user.findUnique({
+        where: { clerkId: ctx.userId },
+      });
+
+      return prisma.project.create({
+        data: {
+          name: input.name,
+          description: input.description,
+          organizationId: input.organizationId,
+          ownerId: user!.id,
+        },
+      });
+    }),
+
+  // Update project
+  update: protectedProcedure
+    .input(
+      z.object({
+        id: z.string(),
+        name: z.string().min(1).max(100).optional(),
+        description: z.string().max(500).optional(),
+        status: z.enum(['ACTIVE', 'ARCHIVED', 'COMPLETED']).optional(),
+      })
+    )
+    .mutation(async ({ ctx, input }) => {
+      const { id, ...data } = input;
+
+      const project = await prisma.project.findUnique({
+        where: { id },
+      });
+
+      if (!project) {
+        throw new TRPCError({ code: 'NOT_FOUND' });
+      }
+
+      // Verify write access
+      const membership = await prisma.organizationMember.findFirst({
+        where: {
+          organizationId: project.organizationId,
+          user: { clerkId: ctx.userId },
+          role: { in: ['OWNER', 'ADMIN', 'MEMBER'] },
+        },
+      });
+
+      if (!membership) {
+        throw new TRPCError({ code: 'FORBIDDEN' });
+      }
+
+      return prisma.project.update({
+        where: { id },
+        data,
+      });
+    }),
+
+  // Delete project
+  delete: protectedProcedure
+    .input(z.object({ id: z.string() }))
+    .mutation(async ({ ctx, input }) => {
+      const project = await prisma.project.findUnique({
+        where: { id: input.id },
+      });
+
+      if (!project) {
+        throw new TRPCError({ code: 'NOT_FOUND' });
+      }
+
+      // Only owner/admin can delete
+      const membership = await prisma.organizationMember.findFirst({
+        where: {
+          organizationId: project.organizationId,
+          user: { clerkId: ctx.userId },
+          role: { in: ['OWNER', 'ADMIN'] },
+        },
+      });
+
+      if (!membership) {
+        throw new TRPCError({ code: 'FORBIDDEN' });
+      }
+
+      return prisma.project.delete({ where: { id: input.id } });
+    }),
+});
+
+// =============================================================================
+// ROOT ROUTER
+// =============================================================================
+
+export const appRouter = router({
+  user: userRouter,
+  project: projectRouter,
+});
+
+export type AppRouter = typeof appRouter;