ultra-dex 3.1.0 → 3.2.0

package/lib/templates/code/prisma-schema.prisma

@@ -0,0 +1,224 @@
+// Ultra-Dex Production Pattern: Full Prisma Schema
+// Copy to prisma/schema.prisma
+
+generator client {
+  provider = "prisma-client-js"
+}
+
+datasource db {
+  provider = "postgresql"
+  url      = env("DATABASE_URL")
+}
+
+// =============================================================================
+// CORE MODELS
+// =============================================================================
+
+model User {
+  id        String   @id @default(cuid())
+  clerkId   String   @unique
+  email     String   @unique
+  name      String?
+  imageUrl  String?
+  role      UserRole @default(USER)
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  // Relations
+  organizationMemberships OrganizationMember[]
+  createdOrganizations    Organization[]       @relation("OrganizationCreator")
+  projects                Project[]
+  comments                Comment[]
+  activityLogs            ActivityLog[]
+
+  @@index([clerkId])
+  @@index([email])
+  @@map("users")
+}
+
+enum UserRole {
+  USER
+  ADMIN
+  SUPER_ADMIN
+}
+
+// =============================================================================
+// MULTI-TENANCY MODELS
+// =============================================================================
+
+model Organization {
+  id        String   @id @default(cuid())
+  name      String
+  slug      String   @unique
+  logo      String?
+  plan      Plan     @default(FREE)
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  // Relations
+  creatorId String
+  creator   User                 @relation("OrganizationCreator", fields: [creatorId], references: [id])
+  members   OrganizationMember[]
+  projects  Project[]
+  invoices  Invoice[]
+
+  @@index([slug])
+  @@map("organizations")
+}
+
+model OrganizationMember {
+  id             String         @id @default(cuid())
+  role           MemberRole     @default(MEMBER)
+  joinedAt       DateTime       @default(now())
+  organizationId String
+  organization   Organization   @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  userId         String
+  user           User           @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@unique([organizationId, userId])
+  @@map("organization_members")
+}
+
+enum MemberRole {
+  OWNER
+  ADMIN
+  MEMBER
+  VIEWER
+}
+
+enum Plan {
+  FREE
+  PRO
+  ENTERPRISE
+}
+
+// =============================================================================
+// PROJECT MODELS
+// =============================================================================
+
+model Project {
+  id             String       @id @default(cuid())
+  name           String
+  description    String?
+  status         ProjectStatus @default(ACTIVE)
+  createdAt      DateTime     @default(now())
+  updatedAt      DateTime     @updatedAt
+
+  // Relations
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  ownerId        String
+  owner          User         @relation(fields: [ownerId], references: [id])
+  tasks          Task[]
+  comments       Comment[]
+
+  @@index([organizationId])
+  @@map("projects")
+}
+
+enum ProjectStatus {
+  ACTIVE
+  ARCHIVED
+  COMPLETED
+}
+
+model Task {
+  id          String     @id @default(cuid())
+  title       String
+  description String?
+  status      TaskStatus @default(TODO)
+  priority    Priority   @default(MEDIUM)
+  dueDate     DateTime?
+  createdAt   DateTime   @default(now())
+  updatedAt   DateTime   @updatedAt
+
+  // Relations
+  projectId String
+  project   Project   @relation(fields: [projectId], references: [id], onDelete: Cascade)
+  comments  Comment[]
+
+  @@index([projectId])
+  @@index([status])
+  @@map("tasks")
+}
+
+enum TaskStatus {
+  TODO
+  IN_PROGRESS
+  IN_REVIEW
+  DONE
+}
+
+enum Priority {
+  LOW
+  MEDIUM
+  HIGH
+  URGENT
+}
+
+model Comment {
+  id        String   @id @default(cuid())
+  content   String
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  // Relations
+  authorId  String
+  author    User     @relation(fields: [authorId], references: [id])
+  projectId String?
+  project   Project? @relation(fields: [projectId], references: [id], onDelete: Cascade)
+  taskId    String?
+  task      Task?    @relation(fields: [taskId], references: [id], onDelete: Cascade)
+
+  @@map("comments")
+}
+
+// =============================================================================
+// BILLING MODELS
+// =============================================================================
+
+model Invoice {
+  id             String        @id @default(cuid())
+  stripeId       String        @unique
+  amount         Int
+  currency       String        @default("usd")
+  status         InvoiceStatus @default(PENDING)
+  paidAt         DateTime?
+  createdAt      DateTime      @default(now())
+
+  // Relations
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id])
+
+  @@index([organizationId])
+  @@map("invoices")
+}
+
+enum InvoiceStatus {
+  PENDING
+  PAID
+  FAILED
+  REFUNDED
+}
+
+// =============================================================================
+// AUDIT LOG
+// =============================================================================
+
+model ActivityLog {
+  id        String   @id @default(cuid())
+  action    String
+  entity    String
+  entityId  String
+  metadata  Json?
+  createdAt DateTime @default(now())
+
+  // Relations
+  userId String
+  user   User   @relation(fields: [userId], references: [id])
+
+  @@index([userId])
+  @@index([entity, entityId])
+  @@index([createdAt])
+  @@map("activity_logs")
+}

package/lib/templates/code/rls-policies.sql

@@ -0,0 +1,246 @@
+-- Ultra-Dex Production Pattern: Row-Level Security Policies
+-- Run after Prisma migrations to add RLS
+
+-- =============================================================================
+-- ENABLE RLS ON TABLES
+-- =============================================================================
+
+ALTER TABLE users ENABLE ROW LEVEL SECURITY;
+ALTER TABLE organizations ENABLE ROW LEVEL SECURITY;
+ALTER TABLE organization_members ENABLE ROW LEVEL SECURITY;
+ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
+ALTER TABLE tasks ENABLE ROW LEVEL SECURITY;
+ALTER TABLE comments ENABLE ROW LEVEL SECURITY;
+ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
+ALTER TABLE activity_logs ENABLE ROW LEVEL SECURITY;
+
+-- =============================================================================
+-- HELPER FUNCTIONS
+-- =============================================================================
+
+-- Get current user's clerk ID from session
+CREATE OR REPLACE FUNCTION auth.clerk_id()
+RETURNS TEXT AS $$
+  SELECT current_setting('app.clerk_id', true)::TEXT;
+$$ LANGUAGE SQL STABLE;
+
+-- Get current user's internal ID
+CREATE OR REPLACE FUNCTION auth.user_id()
+RETURNS TEXT AS $$
+  SELECT id FROM users WHERE clerk_id = auth.clerk_id();
+$$ LANGUAGE SQL STABLE;
+
+-- Check if user is member of organization
+CREATE OR REPLACE FUNCTION auth.is_org_member(org_id TEXT)
+RETURNS BOOLEAN AS $$
+  SELECT EXISTS (
+    SELECT 1 FROM organization_members om
+    JOIN users u ON u.id = om.user_id
+    WHERE om.organization_id = org_id
+    AND u.clerk_id = auth.clerk_id()
+  );
+$$ LANGUAGE SQL STABLE;
+
+-- Check if user is admin of organization
+CREATE OR REPLACE FUNCTION auth.is_org_admin(org_id TEXT)
+RETURNS BOOLEAN AS $$
+  SELECT EXISTS (
+    SELECT 1 FROM organization_members om
+    JOIN users u ON u.id = om.user_id
+    WHERE om.organization_id = org_id
+    AND u.clerk_id = auth.clerk_id()
+    AND om.role IN ('OWNER', 'ADMIN')
+  );
+$$ LANGUAGE SQL STABLE;
+
+-- =============================================================================
+-- USERS POLICIES
+-- =============================================================================
+
+-- Users can read their own data
+CREATE POLICY "users_select_own" ON users
+  FOR SELECT
+  USING (clerk_id = auth.clerk_id());
+
+-- Users can update their own data
+CREATE POLICY "users_update_own" ON users
+  FOR UPDATE
+  USING (clerk_id = auth.clerk_id());
+
+-- Admins can read all users
+CREATE POLICY "users_select_admin" ON users
+  FOR SELECT
+  USING (
+    EXISTS (
+      SELECT 1 FROM users u
+      WHERE u.clerk_id = auth.clerk_id()
+      AND u.role IN ('ADMIN', 'SUPER_ADMIN')
+    )
+  );
+
+-- =============================================================================
+-- ORGANIZATIONS POLICIES
+-- =============================================================================
+
+-- Members can view their organizations
+CREATE POLICY "organizations_select_members" ON organizations
+  FOR SELECT
+  USING (auth.is_org_member(id));
+
+-- Only admins can update organizations
+CREATE POLICY "organizations_update_admin" ON organizations
+  FOR UPDATE
+  USING (auth.is_org_admin(id));
+
+-- Only owners can delete organizations
+CREATE POLICY "organizations_delete_owner" ON organizations
+  FOR DELETE
+  USING (
+    EXISTS (
+      SELECT 1 FROM organization_members om
+      JOIN users u ON u.id = om.user_id
+      WHERE om.organization_id = organizations.id
+      AND u.clerk_id = auth.clerk_id()
+      AND om.role = 'OWNER'
+    )
+  );
+
+-- =============================================================================
+-- ORGANIZATION MEMBERS POLICIES
+-- =============================================================================
+
+-- Members can view org membership
+CREATE POLICY "org_members_select" ON organization_members
+  FOR SELECT
+  USING (auth.is_org_member(organization_id));
+
+-- Only admins can add/remove members
+CREATE POLICY "org_members_insert" ON organization_members
+  FOR INSERT
+  WITH CHECK (auth.is_org_admin(organization_id));
+
+CREATE POLICY "org_members_delete" ON organization_members
+  FOR DELETE
+  USING (auth.is_org_admin(organization_id));
+
+-- =============================================================================
+-- PROJECTS POLICIES
+-- =============================================================================
+
+-- Members can view projects
+CREATE POLICY "projects_select" ON projects
+  FOR SELECT
+  USING (auth.is_org_member(organization_id));
+
+-- Members (non-viewers) can create projects
+CREATE POLICY "projects_insert" ON projects
+  FOR INSERT
+  WITH CHECK (
+    EXISTS (
+      SELECT 1 FROM organization_members om
+      JOIN users u ON u.id = om.user_id
+      WHERE om.organization_id = projects.organization_id
+      AND u.clerk_id = auth.clerk_id()
+      AND om.role IN ('OWNER', 'ADMIN', 'MEMBER')
+    )
+  );
+
+-- Members can update projects they own, admins can update any
+CREATE POLICY "projects_update" ON projects
+  FOR UPDATE
+  USING (
+    (owner_id = auth.user_id()) OR auth.is_org_admin(organization_id)
+  );
+
+-- Only admins can delete projects
+CREATE POLICY "projects_delete" ON projects
+  FOR DELETE
+  USING (auth.is_org_admin(organization_id));
+
+-- =============================================================================
+-- TASKS POLICIES
+-- =============================================================================
+
+-- Inherit from project access
+CREATE POLICY "tasks_select" ON tasks
+  FOR SELECT
+  USING (
+    EXISTS (
+      SELECT 1 FROM projects p
+      WHERE p.id = tasks.project_id
+      AND auth.is_org_member(p.organization_id)
+    )
+  );
+
+CREATE POLICY "tasks_insert" ON tasks
+  FOR INSERT
+  WITH CHECK (
+    EXISTS (
+      SELECT 1 FROM projects p
+      JOIN organization_members om ON om.organization_id = p.organization_id
+      JOIN users u ON u.id = om.user_id
+      WHERE p.id = tasks.project_id
+      AND u.clerk_id = auth.clerk_id()
+      AND om.role IN ('OWNER', 'ADMIN', 'MEMBER')
+    )
+  );
+
+CREATE POLICY "tasks_update" ON tasks
+  FOR UPDATE
+  USING (
+    EXISTS (
+      SELECT 1 FROM projects p
+      WHERE p.id = tasks.project_id
+      AND auth.is_org_member(p.organization_id)
+    )
+  );
+
+CREATE POLICY "tasks_delete" ON tasks
+  FOR DELETE
+  USING (
+    EXISTS (
+      SELECT 1 FROM projects p
+      WHERE p.id = tasks.project_id
+      AND auth.is_org_admin(p.organization_id)
+    )
+  );
+
+-- =============================================================================
+-- INVOICES POLICIES
+-- =============================================================================
+
+-- Only org admins can view invoices
+CREATE POLICY "invoices_select" ON invoices
+  FOR SELECT
+  USING (auth.is_org_admin(organization_id));
+
+-- =============================================================================
+-- ACTIVITY LOGS POLICIES
+-- =============================================================================
+
+-- Users can view their own activity
+CREATE POLICY "activity_logs_select_own" ON activity_logs
+  FOR SELECT
+  USING (user_id = auth.user_id());
+
+-- Admins can view all activity in their orgs
+-- (would need to add org_id to activity_logs for this)
+
+-- =============================================================================
+-- USAGE: Set session context before queries
+-- =============================================================================
+
+/*
+-- In your API routes or middleware, set the clerk_id:
+
+-- For Prisma with raw queries:
+await prisma.$executeRaw`SELECT set_config('app.clerk_id', ${clerkId}, true)`;
+
+-- Then all subsequent queries will respect RLS policies
+
+-- For Supabase:
+const { data } = await supabase
+  .from('projects')
+  .select('*')
+  // RLS automatically applied based on auth.uid()
+*/

package/lib/templates/code/server-actions.ts

@@ -0,0 +1,191 @@
+// Ultra-Dex Production Pattern: Next.js 15 Server Actions
+// Copy this file to your app/actions/ directory
+
+'use server';
+
+import { z } from 'zod';
+import { revalidatePath } from 'next/cache';
+import { redirect } from 'next/navigation';
+import { auth } from '@clerk/nextjs/server';
+import { prisma } from '@/lib/prisma';
+
+// =============================================================================
+// SCHEMA DEFINITIONS
+// =============================================================================
+
+const CreateUserSchema = z.object({
+  email: z.string().email('Invalid email address'),
+  name: z.string().min(2, 'Name must be at least 2 characters'),
+  role: z.enum(['USER', 'ADMIN']).default('USER'),
+});
+
+const UpdateUserSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string().min(2).optional(),
+  email: z.string().email().optional(),
+});
+
+// =============================================================================
+// ACTION RESPONSE TYPE
+// =============================================================================
+
+type ActionResponse<T = void> =
+  | { success: true; data: T }
+  | { success: false; error: string; fieldErrors?: Record<string, string[]> };
+
+// =============================================================================
+// USER ACTIONS
+// =============================================================================
+
+export async function createUser(
+  prevState: ActionResponse<{ id: string }> | null,
+  formData: FormData
+): Promise<ActionResponse<{ id: string }>> {
+  const { userId } = await auth();
+
+  if (!userId) {
+    return { success: false, error: 'Unauthorized' };
+  }
+
+  const rawData = {
+    email: formData.get('email'),
+    name: formData.get('name'),
+    role: formData.get('role') || 'USER',
+  };
+
+  const validated = CreateUserSchema.safeParse(rawData);
+
+  if (!validated.success) {
+    return {
+      success: false,
+      error: 'Validation failed',
+      fieldErrors: validated.error.flatten().fieldErrors,
+    };
+  }
+
+  try {
+    const user = await prisma.user.create({
+      data: validated.data,
+    });
+
+    console.log(JSON.stringify({
+      level: 'info',
+      event: 'user_created',
+      userId: user.id,
+      createdBy: userId,
+    }));
+
+    revalidatePath('/users');
+    return { success: true, data: { id: user.id } };
+  } catch (error) {
+    console.error('Failed to create user:', error);
+    return { success: false, error: 'Failed to create user' };
+  }
+}
+
+export async function updateUser(
+  prevState: ActionResponse | null,
+  formData: FormData
+): Promise<ActionResponse> {
+  const { userId } = await auth();
+
+  if (!userId) {
+    return { success: false, error: 'Unauthorized' };
+  }
+
+  const rawData = {
+    id: formData.get('id'),
+    name: formData.get('name'),
+    email: formData.get('email'),
+  };
+
+  const validated = UpdateUserSchema.safeParse(rawData);
+
+  if (!validated.success) {
+    return {
+      success: false,
+      error: 'Validation failed',
+      fieldErrors: validated.error.flatten().fieldErrors,
+    };
+  }
+
+  try {
+    await prisma.user.update({
+      where: { id: validated.data.id },
+      data: {
+        ...(validated.data.name && { name: validated.data.name }),
+        ...(validated.data.email && { email: validated.data.email }),
+      },
+    });
+
+    revalidatePath('/users');
+    revalidatePath(`/users/${validated.data.id}`);
+    return { success: true, data: undefined };
+  } catch (error) {
+    console.error('Failed to update user:', error);
+    return { success: false, error: 'Failed to update user' };
+  }
+}
+
+export async function deleteUser(id: string): Promise<ActionResponse> {
+  const { userId } = await auth();
+
+  if (!userId) {
+    return { success: false, error: 'Unauthorized' };
+  }
+
+  try {
+    await prisma.user.delete({
+      where: { id },
+    });
+
+    console.log(JSON.stringify({
+      level: 'info',
+      event: 'user_deleted',
+      deletedUserId: id,
+      deletedBy: userId,
+    }));
+
+    revalidatePath('/users');
+    return { success: true, data: undefined };
+  } catch (error) {
+    console.error('Failed to delete user:', error);
+    return { success: false, error: 'Failed to delete user' };
+  }
+}
+
+// =============================================================================
+// USAGE IN COMPONENTS
+// =============================================================================
+
+/*
+// In a Client Component:
+
+'use client';
+
+import { useActionState } from 'react';
+import { createUser } from '@/app/actions/user';
+
+export function CreateUserForm() {
+  const [state, formAction, isPending] = useActionState(createUser, null);
+
+  return (
+    <form action={formAction}>
+      <input name="name" placeholder="Name" required />
+      <input name="email" type="email" placeholder="Email" required />
+
+      {state?.error && (
+        <p className="text-red-500">{state.error}</p>
+      )}
+
+      {state?.fieldErrors?.email && (
+        <p className="text-red-500">{state.fieldErrors.email[0]}</p>
+      )}
+
+      <button type="submit" disabled={isPending}>
+        {isPending ? 'Creating...' : 'Create User'}
+      </button>
+    </form>
+  );
+}
+*/