diff --git a/.agents/skills/convex-create-component/SKILL.md b/.agents/skills/convex-create-component/SKILL.md new file mode 100644 index 0000000..22af601 --- /dev/null +++ b/.agents/skills/convex-create-component/SKILL.md @@ -0,0 +1,288 @@ +--- +name: convex-create-component +description: Designs and builds Convex components with isolated tables, clear boundaries, and app-facing wrappers. Use this skill when creating a new Convex component, extracting reusable backend logic into a component, building a third-party integration that owns its own tables, packaging Convex functionality for reuse, or when the user mentions defineComponent, app.use, ComponentApi, ctx.runQuery/runMutation across component boundaries, or wants to separate concerns into isolated Convex modules. +--- + +# Convex Create Component + +Create reusable Convex components with clear boundaries and a small app-facing API. + +## When to Use + +- Creating a new Convex component in an existing app +- Extracting reusable backend logic into a component +- Building a third-party integration that should own its own tables and workflows +- Packaging Convex functionality for reuse across multiple apps + +## When Not to Use + +- One-off business logic that belongs in the main app +- Thin utilities that do not need Convex tables or functions +- App-level orchestration that should stay in `convex/` +- Cases where a normal TypeScript library is enough + +## Workflow + +1. Ask the user what they are building and what the end goal is. If the repo already makes the answer obvious, say so and confirm before proceeding. +2. Choose the shape using the decision tree below and read the matching reference file. +3. Decide whether a component is justified. Prefer normal app code or a regular library if the feature does not need isolated tables, backend functions, or reusable persistent state. +4. Make a short plan for: + - what tables the component owns + - what public functions it exposes + - what data must be passed in from the app (auth, env vars, parent IDs) + - what stays in the app as wrappers or HTTP mounts +5. Create the component structure with `convex.config.ts`, `schema.ts`, and function files. +6. Implement functions using the component's own `./_generated/server` imports, not the app's generated files. +7. Wire the component into the app with `app.use(...)`. If the app does not already have `convex/convex.config.ts`, create it. +8. Call the component from the app through `components.` using `ctx.runQuery`, `ctx.runMutation`, or `ctx.runAction`. +9. If React clients, HTTP callers, or public APIs need access, create wrapper functions in the app instead of exposing component functions directly. +10. Run `npx convex dev` and fix codegen, type, or boundary issues before finishing. + +## Choose the Shape + +Ask the user, then pick one path: + +| Goal | Shape | Reference | +| ------------------------------------------------- | ---------------- | ----------------------------------- | +| Component for this app only | Local | `references/local-components.md` | +| Publish or share across apps | Packaged | `references/packaged-components.md` | +| User explicitly needs local + shared library code | Hybrid | `references/hybrid-components.md` | +| Not sure | Default to local | `references/local-components.md` | + +Read exactly one reference file before proceeding. + +## Default Approach + +Unless the user explicitly wants an npm package, default to a local component: + +- Put it under `convex/components//` +- Define it with `defineComponent(...)` in its own `convex.config.ts` +- Install it from the app's `convex/convex.config.ts` with `app.use(...)` +- Let `npx convex dev` generate the component's own `_generated/` files + +## Component Skeleton + +A minimal local component with a table and two functions, plus the app wiring. + +```ts +// convex/components/notifications/convex.config.ts +import { defineComponent } from "convex/server"; + +export default defineComponent("notifications"); +``` + +```ts +// convex/components/notifications/schema.ts +import { defineSchema, defineTable } from "convex/server"; +import { v } from "convex/values"; + +export default defineSchema({ + notifications: defineTable({ + userId: v.string(), + message: v.string(), + read: v.boolean(), + }).index("by_user", ["userId"]), +}); +``` + +```ts +// convex/components/notifications/lib.ts +import { v } from "convex/values"; +import { mutation, query } from "./_generated/server.js"; + +export const send = mutation({ + args: { userId: v.string(), message: v.string() }, + returns: v.id("notifications"), + handler: async (ctx, args) => { + return await ctx.db.insert("notifications", { + userId: args.userId, + message: args.message, + read: false, + }); + }, +}); + +export const listUnread = query({ + args: { userId: v.string() }, + returns: v.array( + v.object({ + _id: v.id("notifications"), + _creationTime: v.number(), + userId: v.string(), + message: v.string(), + read: v.boolean(), + }), + ), + handler: async (ctx, args) => { + return await ctx.db + .query("notifications") + .withIndex("by_user", (q) => q.eq("userId", args.userId)) + .filter((q) => q.eq(q.field("read"), false)) + .collect(); + }, +}); +``` + +```ts +// convex/convex.config.ts +import { defineApp } from "convex/server"; +import notifications from "./components/notifications/convex.config.js"; + +const app = defineApp(); +app.use(notifications); + +export default app; +``` + +```ts +// convex/notifications.ts (app-side wrapper) +import { v } from "convex/values"; +import { mutation, query } from "./_generated/server"; +import { components } from "./_generated/api"; +import { getAuthUserId } from "@convex-dev/auth/server"; + +export const sendNotification = mutation({ + args: { message: v.string() }, + returns: v.null(), + handler: async (ctx, args) => { + const userId = await getAuthUserId(ctx); + if (!userId) throw new Error("Not authenticated"); + + await ctx.runMutation(components.notifications.lib.send, { + userId, + message: args.message, + }); + return null; + }, +}); + +export const myUnread = query({ + args: {}, + handler: async (ctx) => { + const userId = await getAuthUserId(ctx); + if (!userId) throw new Error("Not authenticated"); + + return await ctx.runQuery(components.notifications.lib.listUnread, { + userId, + }); + }, +}); +``` + +Note the reference path shape: a function in `convex/components/notifications/lib.ts` is called as `components.notifications.lib.send` from the app. + +## Critical Rules + +- Keep authentication in the app, because `ctx.auth` is not available inside components. +- Keep environment access in the app, because component functions cannot read `process.env`. +- Pass parent app IDs across the boundary as strings, because `Id` types become plain strings in the app-facing `ComponentApi`. +- Do not use `v.id("parentTable")` for app-owned tables inside component args or schema, because the component has no access to the app's table namespace. +- Import `query`, `mutation`, and `action` from the component's own `./_generated/server`, not the app's generated files. +- Do not expose component functions directly to clients. Create app wrappers when client access is needed, because components are internal and need auth/env wiring the app provides. +- If the component defines HTTP handlers, mount the routes in the app's `convex/http.ts`, because components cannot register their own HTTP routes. +- If the component needs pagination, use `paginator` from `convex-helpers` instead of built-in `.paginate()`, because `.paginate()` does not work across the component boundary. +- Add `args` and `returns` validators to all public component functions, because the component boundary requires explicit type contracts. + +## Patterns + +### Authentication and environment access + +```ts +// Bad: component code cannot rely on app auth or env +const identity = await ctx.auth.getUserIdentity(); +const apiKey = process.env.OPENAI_API_KEY; +``` + +```ts +// Good: the app resolves auth and env, then passes explicit values +const userId = await getAuthUserId(ctx); +if (!userId) throw new Error("Not authenticated"); + +await ctx.runAction(components.translator.translate, { + userId, + apiKey: process.env.OPENAI_API_KEY, + text: args.text, +}); +``` + +### Client-facing API + +```ts +// Bad: assuming a component function is directly callable by clients +export const send = components.notifications.send; +``` + +```ts +// Good: re-export through an app mutation or query +export const sendNotification = mutation({ + args: { message: v.string() }, + returns: v.null(), + handler: async (ctx, args) => { + const userId = await getAuthUserId(ctx); + if (!userId) throw new Error("Not authenticated"); + + await ctx.runMutation(components.notifications.lib.send, { + userId, + message: args.message, + }); + return null; + }, +}); +``` + +### IDs across the boundary + +```ts +// Bad: parent app table IDs are not valid component validators +args: { + userId: v.id("users"); +} +``` + +```ts +// Good: treat parent-owned IDs as strings at the boundary +args: { + userId: v.string(); +} +``` + +### Advanced Patterns + +For additional patterns including function handles for callbacks, deriving validators from schema, static configuration with a globals table, and class-based client wrappers, see `references/advanced-patterns.md`. + +## Validation + +Try validation in this order: + +1. `npx convex codegen --component-dir convex/components/` +2. `npx convex codegen` +3. `npx convex dev` + +Important: + +- Fresh repos may fail these commands until `CONVEX_DEPLOYMENT` is configured. +- Until codegen runs, component-local `./_generated/*` imports and app-side `components....` references will not typecheck. +- If validation blocks on Convex login or deployment setup, stop and ask the user for that exact step instead of guessing. + +## Reference Files + +Read exactly one of these after the user confirms the goal: + +- `references/local-components.md` +- `references/packaged-components.md` +- `references/hybrid-components.md` + +Official docs: [Authoring Components](https://docs.convex.dev/components/authoring) + +## Checklist + +- [ ] Asked the user what they want to build and confirmed the shape +- [ ] Read the matching reference file +- [ ] Confirmed a component is the right abstraction +- [ ] Planned tables, public API, boundaries, and app wrappers +- [ ] Component lives under `convex/components//` (or package layout if publishing) +- [ ] Component imports from its own `./_generated/server` +- [ ] Auth, env access, and HTTP routes stay in the app +- [ ] Parent app IDs cross the boundary as `v.string()` +- [ ] Public functions have `args` and `returns` validators +- [ ] Ran `npx convex dev` and fixed codegen or type issues diff --git a/.agents/skills/convex-create-component/agents/openai.yaml b/.agents/skills/convex-create-component/agents/openai.yaml new file mode 100644 index 0000000..ba9287e --- /dev/null +++ b/.agents/skills/convex-create-component/agents/openai.yaml @@ -0,0 +1,10 @@ +interface: + display_name: "Convex Create Component" + short_description: "Design and build reusable Convex components with clear boundaries." + icon_small: "./assets/icon.svg" + icon_large: "./assets/icon.svg" + brand_color: "#14B8A6" + default_prompt: "Help me create a Convex component for this feature. First check that a component is actually justified, then design the tables, API surface, and app-facing wrappers before implementing it." + +policy: + allow_implicit_invocation: true diff --git a/.agents/skills/convex-create-component/assets/icon.svg b/.agents/skills/convex-create-component/assets/icon.svg new file mode 100644 index 0000000..10f4c2c --- /dev/null +++ b/.agents/skills/convex-create-component/assets/icon.svg @@ -0,0 +1,3 @@ + diff --git a/.agents/skills/convex-create-component/references/advanced-patterns.md b/.agents/skills/convex-create-component/references/advanced-patterns.md new file mode 100644 index 0000000..3deb684 --- /dev/null +++ b/.agents/skills/convex-create-component/references/advanced-patterns.md @@ -0,0 +1,134 @@ +# Advanced Component Patterns + +Additional patterns for Convex components that go beyond the basics covered in the main skill file. + +## Function Handles for callbacks + +When the app needs to pass a callback function to the component, use function handles. This is common for components that run app-defined logic on a schedule or in a workflow. + +```ts +// App side: create a handle and pass it to the component +import { createFunctionHandle } from "convex/server"; + +export const startJob = mutation({ + handler: async (ctx) => { + const handle = await createFunctionHandle(internal.myModule.processItem); + await ctx.runMutation(components.workpool.enqueue, { + callback: handle, + }); + }, +}); +``` + +```ts +// Component side: accept and invoke the handle +import { v } from "convex/values"; +import type { FunctionHandle } from "convex/server"; +import { mutation } from "./_generated/server.js"; + +export const enqueue = mutation({ + args: { callback: v.string() }, + handler: async (ctx, args) => { + const handle = args.callback as FunctionHandle<"mutation">; + await ctx.scheduler.runAfter(0, handle, {}); + }, +}); +``` + +## Deriving validators from schema + +Instead of manually repeating field types in return validators, extend the schema validator: + +```ts +import { v } from "convex/values"; +import schema from "./schema.js"; + +const notificationDoc = schema.tables.notifications.validator.extend({ + _id: v.id("notifications"), + _creationTime: v.number(), +}); + +export const getLatest = query({ + args: {}, + returns: v.nullable(notificationDoc), + handler: async (ctx) => { + return await ctx.db.query("notifications").order("desc").first(); + }, +}); +``` + +## Static configuration with a globals table + +A common pattern for component configuration is a single-document "globals" table: + +```ts +// schema.ts +export default defineSchema({ + globals: defineTable({ + maxRetries: v.number(), + webhookUrl: v.optional(v.string()), + }), + // ... other tables +}); +``` + +```ts +// lib.ts +export const configure = mutation({ + args: { maxRetries: v.number(), webhookUrl: v.optional(v.string()) }, + returns: v.null(), + handler: async (ctx, args) => { + const existing = await ctx.db.query("globals").first(); + if (existing) { + await ctx.db.patch(existing._id, args); + } else { + await ctx.db.insert("globals", args); + } + return null; + }, +}); +``` + +## Class-based client wrappers + +For components with many functions or configuration options, a class-based client provides a cleaner API. This pattern is common in published components. + +```ts +// src/client/index.ts +import type { GenericMutationCtx, GenericDataModel } from "convex/server"; +import type { ComponentApi } from "../component/_generated/component.js"; + +type MutationCtx = Pick, "runMutation">; + +export class Notifications { + constructor( + private component: ComponentApi, + private options?: { defaultChannel?: string }, + ) {} + + async send(ctx: MutationCtx, args: { userId: string; message: string }) { + return await ctx.runMutation(this.component.lib.send, { + ...args, + channel: this.options?.defaultChannel ?? "default", + }); + } +} +``` + +```ts +// App usage +import { Notifications } from "@convex-dev/notifications"; +import { components } from "./_generated/api"; + +const notifications = new Notifications(components.notifications, { + defaultChannel: "alerts", +}); + +export const send = mutation({ + args: { message: v.string() }, + handler: async (ctx, args) => { + const userId = await getAuthUserId(ctx); + await notifications.send(ctx, { userId, message: args.message }); + }, +}); +``` diff --git a/.agents/skills/convex-create-component/references/hybrid-components.md b/.agents/skills/convex-create-component/references/hybrid-components.md new file mode 100644 index 0000000..d2bb351 --- /dev/null +++ b/.agents/skills/convex-create-component/references/hybrid-components.md @@ -0,0 +1,37 @@ +# Hybrid Convex Components + +Read this file only when the user explicitly wants a hybrid setup. + +## What This Means + +A hybrid component combines a local Convex component with shared library code. + +This can help when: + +- the user wants a local install but also shared package logic +- the component needs extension points or override hooks +- some logic should live in normal TypeScript code outside the component boundary + +## Default Advice + +Treat hybrid as an advanced option, not the default. + +Before choosing it, ask: + +- Why is a plain local component not enough? +- Why is a packaged component not enough? +- What exactly needs to stay overridable or shared? + +If the answer is vague, fall back to local or packaged. + +## Risks + +- More moving parts +- Harder upgrades and backwards compatibility +- Easier to blur the component boundary + +## Checklist + +- [ ] User explicitly needs hybrid behavior +- [ ] Local-only and packaged-only options were considered first +- [ ] The extension points are clearly defined before coding diff --git a/.agents/skills/convex-create-component/references/local-components.md b/.agents/skills/convex-create-component/references/local-components.md new file mode 100644 index 0000000..7fbfe21 --- /dev/null +++ b/.agents/skills/convex-create-component/references/local-components.md @@ -0,0 +1,38 @@ +# Local Convex Components + +Read this file when the component should live inside the current app and does not need to be published as an npm package. + +## When to Choose This + +- The user wants the simplest path +- The component only needs to work in this repo +- The goal is extracting app logic into a cleaner boundary + +## Default Layout + +Use this structure unless the repo already has a clear alternative pattern: + +```text +convex/ + convex.config.ts + components/ + / + convex.config.ts + schema.ts + .ts +``` + +## Workflow Notes + +- Define the component with `defineComponent("")` +- Install it from the app with `defineApp()` and `app.use(...)` +- Keep auth, env access, public API wrappers, and HTTP route mounting in the app +- Let the component own isolated tables and reusable backend workflows +- Add app wrappers if clients need to call into the component + +## Checklist + +- [ ] Component is inside `convex/components//` +- [ ] App installs it with `app.use(...)` +- [ ] Component owns only its own tables +- [ ] App wrappers handle client-facing calls when needed diff --git a/.agents/skills/convex-create-component/references/packaged-components.md b/.agents/skills/convex-create-component/references/packaged-components.md new file mode 100644 index 0000000..5668e7e --- /dev/null +++ b/.agents/skills/convex-create-component/references/packaged-components.md @@ -0,0 +1,51 @@ +# Packaged Convex Components + +Read this file when the user wants a reusable npm package or a component shared across multiple apps. + +## When to Choose This + +- The user wants to publish the component +- The user wants a stable reusable package boundary +- The component will be shared across multiple apps or teams + +## Default Approach + +- Prefer starting from `npx create-convex@latest --component` when possible +- Keep the official authoring docs as the source of truth for package layout and exports +- Validate the bundled package through an example app, not just the source files + +## Build Flow + +When building a packaged component, make sure the bundled output exists before the example app tries to consume it. + +Recommended order: + +1. `npx convex codegen --component-dir ./path/to/component` +2. Run the package build command +3. Run `npx convex dev --typecheck-components` in the example app + +Do not assume normal app codegen is enough for packaged component workflows. + +## Package Exports + +If publishing to npm, make sure the package exposes the entry points apps need: + +- package root for client helpers, types, or classes +- `./convex.config.js` for installing the component +- `./_generated/component.js` for the app-facing `ComponentApi` type +- `./test` for testing helpers when applicable + +## Testing + +- Use `convex-test` for component logic +- Register the component schema and modules with the test instance +- Test app-side wrapper code from an example app that installs the package +- Export a small helper from `./test` if consumers need easy test registration + +## Checklist + +- [ ] Packaging is actually required +- [ ] Build order avoids bundle and codegen races +- [ ] Package exports include install and typing entry points +- [ ] Example app exercises the packaged component +- [ ] Core behavior is covered by tests diff --git a/.agents/skills/convex-migration-helper/SKILL.md b/.agents/skills/convex-migration-helper/SKILL.md new file mode 100644 index 0000000..db36c62 --- /dev/null +++ b/.agents/skills/convex-migration-helper/SKILL.md @@ -0,0 +1,149 @@ +--- +name: convex-migration-helper +description: Plans and executes safe Convex schema and data migrations using the widen-migrate-narrow workflow and the @convex-dev/migrations component. Use this skill when a deployment fails schema validation, existing documents need backfilling, fields need adding or removing or changing type, tables need splitting or merging, or a zero-downtime migration strategy is needed. Also use when the user mentions breaking schema changes, multi-deploy rollouts, or data transformations on existing Convex tables. +--- + +# Convex Migration Helper + +Safely migrate Convex schemas and data when making breaking changes. + +## When to Use + +- Adding new required fields to existing tables +- Changing field types or structure +- Splitting or merging tables +- Renaming or deleting fields +- Migrating from nested to relational data + +## When Not to Use + +- Greenfield schema with no existing data in production or dev +- Adding optional fields that do not need backfilling +- Adding new tables with no existing data to migrate +- Adding or removing indexes with no correctness concern +- Questions about Convex schema design without a migration need + +## Key Concepts + +### Schema Validation Drives the Workflow + +Convex will not let you deploy a schema that does not match the data at rest. This is the fundamental constraint that shapes every migration: + +- You cannot add a required field if existing documents don't have it +- You cannot change a field's type if existing documents have the old type +- You cannot remove a field from the schema if existing documents still have it + +This means migrations follow a predictable pattern: **widen the schema, migrate the data, narrow the schema**. + +### Online Migrations + +Convex migrations run online, meaning the app continues serving requests while data is updated asynchronously in batches. During the migration window, your code must handle both old and new data formats. + +### Prefer New Fields Over Changing Types + +When changing the shape of data, create a new field rather than modifying an existing one. This makes the transition safer and easier to roll back. + +### Don't Delete Data + +Unless you are certain, prefer deprecating fields over deleting them. Mark the field as `v.optional` and add a code comment explaining it is deprecated and why it existed. + +## Safe Changes (No Migration Needed) + +### Adding Optional Field + +```typescript +// Before +users: defineTable({ + name: v.string(), +}); + +// After - safe, new field is optional +users: defineTable({ + name: v.string(), + bio: v.optional(v.string()), +}); +``` + +### Adding New Table + +```typescript +posts: defineTable({ + userId: v.id("users"), + title: v.string(), +}).index("by_user", ["userId"]); +``` + +### Adding Index + +```typescript +users: defineTable({ + name: v.string(), + email: v.string(), +}).index("by_email", ["email"]); +``` + +## Breaking Changes: The Deployment Workflow + +Every breaking migration follows the same multi-deploy pattern: + +**Deploy 1 - Widen the schema:** + +1. Update schema to allow both old and new formats (e.g., add optional new field) +2. Update code to handle both formats when reading +3. Update code to write the new format for new documents +4. Deploy + +**Between deploys - Migrate data:** + +5. Run migration to backfill existing documents +6. Verify all documents are migrated + +**Deploy 2 - Narrow the schema:** + +7. Update schema to require the new format only +8. Remove code that handles the old format +9. Deploy + +## Using the Migrations Component + +For any non-trivial migration, use the [`@convex-dev/migrations`](https://www.convex.dev/components/migrations) component. It handles batching, cursor-based pagination, state tracking, resume from failure, dry runs, and progress monitoring. + +See `references/migrations-component.md` for installation, setup, defining and running migrations, dry runs, status monitoring, and configuration options. + +## Common Migration Patterns + +See `references/migration-patterns.md` for complete patterns with code examples covering: + +- Adding a required field +- Deleting a field +- Changing a field type +- Splitting nested data into a separate table +- Cleaning up orphaned documents +- Zero-downtime strategies (dual write, dual read) +- Small table shortcut (single internalMutation without the component) +- Verifying a migration is complete + +## Common Pitfalls + +1. **Making a field required before migrating data**: Convex rejects the deploy because existing documents lack the field. Always widen the schema first. +2. **Using `.collect()` on large tables**: Hits transaction limits or causes timeouts. Use the migrations component for proper batched pagination. `.collect()` is only safe for tables you know are small. +3. **Not writing the new format before migrating**: Documents created during the migration window will be missed, leaving unmigrated data after the migration "completes." +4. **Skipping the dry run**: Use `dryRun: true` to validate migration logic before committing changes to production data. Catches bugs before they touch real documents. +5. **Deleting fields prematurely**: Prefer deprecating with `v.optional` and a comment. Only delete after you are confident the data is no longer needed and no code references it. +6. **Using crons for migration batches**: The migrations component handles batching via recursive scheduling internally. Crons require manual cleanup and an extra deploy to remove. + +## Migration Checklist + +- [ ] Identify the breaking change and plan the multi-deploy workflow +- [ ] Update schema to allow both old and new formats +- [ ] Update code to handle both formats when reading +- [ ] Update code to write the new format for new documents +- [ ] Deploy widened schema and updated code +- [ ] Define migration using the `@convex-dev/migrations` component +- [ ] Test with `dryRun: true` +- [ ] Run migration and monitor status +- [ ] Verify all documents are migrated +- [ ] Update schema to require new format only +- [ ] Clean up code that handled old format +- [ ] Deploy final schema and code +- [ ] Remove migration code once confirmed stable diff --git a/.agents/skills/convex-migration-helper/agents/openai.yaml b/.agents/skills/convex-migration-helper/agents/openai.yaml new file mode 100644 index 0000000..c2a7fcc --- /dev/null +++ b/.agents/skills/convex-migration-helper/agents/openai.yaml @@ -0,0 +1,10 @@ +interface: + display_name: "Convex Migration Helper" + short_description: "Plan and run safe Convex schema and data migrations." + icon_small: "./assets/icon.svg" + icon_large: "./assets/icon.svg" + brand_color: "#8B5CF6" + default_prompt: "Help me plan and execute this Convex migration safely. Start by identifying the schema change, the existing data shape, and the widen-migrate-narrow path before making edits." + +policy: + allow_implicit_invocation: true diff --git a/.agents/skills/convex-migration-helper/assets/icon.svg b/.agents/skills/convex-migration-helper/assets/icon.svg new file mode 100644 index 0000000..fba7241 --- /dev/null +++ b/.agents/skills/convex-migration-helper/assets/icon.svg @@ -0,0 +1,3 @@ + diff --git a/.agents/skills/convex-migration-helper/references/migration-patterns.md b/.agents/skills/convex-migration-helper/references/migration-patterns.md new file mode 100644 index 0000000..53b4946 --- /dev/null +++ b/.agents/skills/convex-migration-helper/references/migration-patterns.md @@ -0,0 +1,231 @@ +# Migration Patterns Reference + +Common migration patterns, zero-downtime strategies, and verification techniques for Convex schema and data migrations. + +## Adding a Required Field + +```typescript +// Deploy 1: Schema allows both states +users: defineTable({ + name: v.string(), + role: v.optional(v.union(v.literal("user"), v.literal("admin"))), +}); + +// Migration: backfill the field +export const addDefaultRole = migrations.define({ + table: "users", + migrateOne: async (ctx, user) => { + if (user.role === undefined) { + await ctx.db.patch(user._id, { role: "user" }); + } + }, +}); + +// Deploy 2: After migration completes, make it required +users: defineTable({ + name: v.string(), + role: v.union(v.literal("user"), v.literal("admin")), +}); +``` + +## Deleting a Field + +Mark the field optional first, migrate data to remove it, then remove from schema: + +```typescript +// Deploy 1: Make optional +// isPro: v.boolean() --> isPro: v.optional(v.boolean()) + +// Migration +export const removeIsPro = migrations.define({ + table: "teams", + migrateOne: async (ctx, team) => { + if (team.isPro !== undefined) { + await ctx.db.patch(team._id, { isPro: undefined }); + } + }, +}); + +// Deploy 2: Remove isPro from schema entirely +``` + +## Changing a Field Type + +Prefer creating a new field. You can combine adding and deleting in one migration: + +```typescript +// Deploy 1: Add new field, keep old field optional +// isPro: v.boolean() --> isPro: v.optional(v.boolean()), plan: v.optional(...) + +// Migration: convert old field to new field +export const convertToEnum = migrations.define({ + table: "teams", + migrateOne: async (ctx, team) => { + if (team.plan === undefined) { + await ctx.db.patch(team._id, { + plan: team.isPro ? "pro" : "basic", + isPro: undefined, + }); + } + }, +}); + +// Deploy 2: Remove isPro from schema, make plan required +``` + +## Splitting Nested Data Into a Separate Table + +```typescript +export const extractPreferences = migrations.define({ + table: "users", + migrateOne: async (ctx, user) => { + if (user.preferences === undefined) return; + + const existing = await ctx.db + .query("userPreferences") + .withIndex("by_user", (q) => q.eq("userId", user._id)) + .first(); + + if (!existing) { + await ctx.db.insert("userPreferences", { + userId: user._id, + ...user.preferences, + }); + } + + await ctx.db.patch(user._id, { preferences: undefined }); + }, +}); +``` + +Make sure your code is already writing to the new `userPreferences` table for new users before running this migration, so you don't miss documents created during the migration window. + +## Cleaning Up Orphaned Documents + +```typescript +export const deleteOrphanedEmbeddings = migrations.define({ + table: "embeddings", + migrateOne: async (ctx, doc) => { + const chunk = await ctx.db + .query("chunks") + .withIndex("by_embedding", (q) => q.eq("embeddingId", doc._id)) + .first(); + + if (!chunk) { + await ctx.db.delete(doc._id); + } + }, +}); +``` + +## Zero-Downtime Strategies + +During the migration window, your app must handle both old and new data formats. There are two main strategies. + +### Dual Write (Preferred) + +Write to both old and new structures. Read from the old structure until migration is complete. + +1. Deploy code that writes both formats, reads old format +2. Run migration on existing data +3. Deploy code that reads new format, still writes both +4. Deploy code that only reads and writes new format + +This is preferred because you can safely roll back at any point, the old format is always up to date. + +```typescript +// Bad: only writing to new structure before migration is done +export const createTeam = mutation({ + args: { name: v.string(), isPro: v.boolean() }, + handler: async (ctx, args) => { + await ctx.db.insert("teams", { + name: args.name, + plan: args.isPro ? "pro" : "basic", + }); + }, +}); + +// Good: writing to both structures during migration +export const createTeam = mutation({ + args: { name: v.string(), isPro: v.boolean() }, + handler: async (ctx, args) => { + const plan = args.isPro ? "pro" : "basic"; + await ctx.db.insert("teams", { + name: args.name, + isPro: args.isPro, + plan, + }); + }, +}); +``` + +### Dual Read + +Read both formats. Write only the new format. + +1. Deploy code that reads both formats (preferring new), writes only new format +2. Run migration on existing data +3. Deploy code that reads and writes only new format + +This avoids duplicating writes, which is useful when having two copies of data could cause inconsistencies. The downside is that rolling back to before step 1 is harder, since new documents only have the new format. + +```typescript +// Good: reading both formats, preferring new +function getTeamPlan(team: Doc<"teams">): "basic" | "pro" { + if (team.plan !== undefined) return team.plan; + return team.isPro ? "pro" : "basic"; +} +``` + +## Small Table Shortcut + +For small tables (a few thousand documents at most), you can migrate in a single `internalMutation` without the component: + +```typescript +import { internalMutation } from "./_generated/server"; + +export const backfillSmallTable = internalMutation({ + handler: async (ctx) => { + const docs = await ctx.db.query("smallConfig").collect(); + for (const doc of docs) { + if (doc.newField === undefined) { + await ctx.db.patch(doc._id, { newField: "default" }); + } + } + }, +}); +``` + +```bash +npx convex run migrations:backfillSmallTable +``` + +Only use `.collect()` when you are certain the table is small. For anything larger, use the migrations component. + +## Verifying a Migration + +Query to check remaining unmigrated documents: + +```typescript +import { query } from "./_generated/server"; + +export const verifyMigration = query({ + handler: async (ctx) => { + const remaining = await ctx.db + .query("users") + .filter((q) => q.eq(q.field("role"), undefined)) + .take(10); + + return { + complete: remaining.length === 0, + sampleRemaining: remaining.map((u) => u._id), + }; + }, +}); +``` + +Or use the component's built-in status monitoring: + +```bash +npx convex run --component migrations lib:getStatus --watch +``` diff --git a/.agents/skills/convex-migration-helper/references/migrations-component.md b/.agents/skills/convex-migration-helper/references/migrations-component.md new file mode 100644 index 0000000..95ec292 --- /dev/null +++ b/.agents/skills/convex-migration-helper/references/migrations-component.md @@ -0,0 +1,169 @@ +# Migrations Component Reference + +Complete guide to the [`@convex-dev/migrations`](https://www.convex.dev/components/migrations) component for batched, resumable Convex data migrations. + +## Installation + +```bash +npm install @convex-dev/migrations +``` + +## Setup + +```typescript +// convex/convex.config.ts +import { defineApp } from "convex/server"; +import migrations from "@convex-dev/migrations/convex.config.js"; + +const app = defineApp(); +app.use(migrations); +export default app; +``` + +```typescript +// convex/migrations.ts +import { Migrations } from "@convex-dev/migrations"; +import { components } from "./_generated/api.js"; +import { DataModel } from "./_generated/dataModel.js"; + +export const migrations = new Migrations(components.migrations); +export const run = migrations.runner(); +``` + +The `DataModel` type parameter is optional but provides type safety for migration definitions. + +## Define a Migration + +The `migrateOne` function processes a single document. The component handles batching and pagination automatically. + +```typescript +// convex/migrations.ts +export const addDefaultRole = migrations.define({ + table: "users", + migrateOne: async (ctx, user) => { + if (user.role === undefined) { + await ctx.db.patch(user._id, { role: "user" }); + } + }, +}); +``` + +Shorthand: if you return an object, it is applied as a patch automatically. + +```typescript +export const clearDeprecatedField = migrations.define({ + table: "users", + migrateOne: () => ({ legacyField: undefined }), +}); +``` + +## Run a Migration + +From the CLI: + +```bash +# Define a one-off runner in convex/migrations.ts: +# export const runIt = migrations.runner(internal.migrations.addDefaultRole); +npx convex run migrations:runIt + +# Or use the general-purpose runner +npx convex run migrations:run '{"fn": "migrations:addDefaultRole"}' +``` + +Programmatically from another Convex function: + +```typescript +await migrations.runOne(ctx, internal.migrations.addDefaultRole); +``` + +## Run Multiple Migrations in Order + +```typescript +export const runAll = migrations.runner([ + internal.migrations.addDefaultRole, + internal.migrations.clearDeprecatedField, + internal.migrations.normalizeEmails, +]); +``` + +```bash +npx convex run migrations:runAll +``` + +If one fails, it stops and will not continue to the next. Call it again to retry from where it left off. Completed migrations are skipped automatically. + +## Dry Run + +Test a migration before committing changes: + +```bash +npx convex run migrations:runIt '{"dryRun": true}' +``` + +This runs one batch and then rolls back, so you can see what it would do without changing any data. + +## Check Migration Status + +```bash +npx convex run --component migrations lib:getStatus --watch +``` + +## Cancel a Running Migration + +```bash +npx convex run --component migrations lib:cancel '{"name": "migrations:addDefaultRole"}' +``` + +Or programmatically: + +```typescript +await migrations.cancel(ctx, internal.migrations.addDefaultRole); +``` + +## Run Migrations on Deploy + +Chain migration execution after deploying: + +```bash +npx convex deploy --cmd 'npm run build' && npx convex run migrations:runAll --prod +``` + +## Configuration Options + +### Custom Batch Size + +If documents are large or the table has heavy write traffic, reduce the batch size to avoid transaction limits or OCC conflicts: + +```typescript +export const migrateHeavyTable = migrations.define({ + table: "largeDocuments", + batchSize: 10, + migrateOne: async (ctx, doc) => { + // migration logic + }, +}); +``` + +### Migrate a Subset Using an Index + +Process only matching documents instead of the full table: + +```typescript +export const fixEmptyNames = migrations.define({ + table: "users", + customRange: (query) => query.withIndex("by_name", (q) => q.eq("name", "")), + migrateOne: () => ({ name: "" }), +}); +``` + +### Parallelize Within a Batch + +By default each document in a batch is processed serially. Enable parallel processing if your migration logic does not depend on ordering: + +```typescript +export const clearField = migrations.define({ + table: "myTable", + parallelize: true, + migrateOne: () => ({ optionalField: undefined }), +}); +``` diff --git a/.agents/skills/convex-performance-audit/SKILL.md b/.agents/skills/convex-performance-audit/SKILL.md new file mode 100644 index 0000000..382951c --- /dev/null +++ b/.agents/skills/convex-performance-audit/SKILL.md @@ -0,0 +1,143 @@ +--- +name: convex-performance-audit +description: Audits and optimizes Convex application performance across hot-path reads, write contention, subscription cost, and function limits. Use this skill when a Convex feature is slow or expensive, npx convex insights shows high bytes or documents read, OCC conflict errors or mutation retries appear, subscriptions or UI updates are costly, functions hit execution or transaction limits, or the user mentions performance, latency, read amplification, or invalidation problems in a Convex app. +--- + +# Convex Performance Audit + +Diagnose and fix performance problems in Convex applications, one problem class at a time. + +## When to Use + +- A Convex page or feature feels slow or expensive +- `npx convex insights --details` reports high bytes read, documents read, or OCC conflicts +- Low-freshness read paths are using reactivity where point-in-time reads would do +- OCC conflict errors or excessive mutation retries +- High subscription count or slow UI updates +- Functions approaching execution or transaction limits +- The same performance pattern needs fixing across sibling functions + +## When Not to Use + +- Initial Convex setup, auth setup, or component extraction +- Pure schema migrations with no performance goal +- One-off micro-optimizations without a user-visible or deployment-visible problem + +## Guardrails + +- Prefer simpler code when scale is small, traffic is modest, or the available signals are weak +- Do not recommend digest tables, document splitting, fetch-strategy changes, or migration-heavy rollouts unless there is a measured signal, a clearly unbounded path, or a known hot read/write path +- In Convex, a simple scan on a small table is often acceptable. Do not invent structural work just because a pattern is not ideal at large scale + +## First Step: Gather Signals + +Start with the strongest signal available: + +1. If deployment Health insights are already available from the user or the current context, treat them as a first-class source of performance signals. +2. If CLI insights are available, run `npx convex insights --details`. Use `--prod`, `--preview-name`, or `--deployment-name` when needed. + - If the local repo's Convex CLI is too old to support `insights`, try `npx -y convex@latest insights --details` before giving up. +3. If the repo already uses `convex-doctor`, you may treat its findings as hints. Do not require it, and do not treat it as the source of truth. +4. If runtime signals are unavailable, audit from code anyway, but keep the guardrails above in mind. Lack of insights is not proof of health, but it is also not proof that a large refactor is warranted. + +## Signal Routing + +After gathering signals, identify the problem class and read the matching reference file. + +| Signal | Reference | +| -------------------------------------------------------------- | ----------------------------------------- | +| High bytes or documents read, JS filtering, unnecessary joins | `references/hot-path-rules.md` | +| OCC conflict errors, write contention, mutation retries | `references/occ-conflicts.md` | +| High subscription count, slow UI updates, excessive re-renders | `references/subscription-cost.md` | +| Function timeouts, transaction size errors, large payloads | `references/function-budget.md` | +| General "it's slow" with no specific signal | Start with `references/hot-path-rules.md` | + +Multiple problem classes can overlap. Read the most relevant reference first, then check the others if symptoms remain. + +## Escalate Larger Fixes + +If the likely fix is invasive, cross-cutting, or migration-heavy, stop and present options before editing. + +Examples: + +- introducing digest or summary tables across multiple flows +- splitting documents to isolate frequently-updated fields +- reworking pagination or fetch strategy across several screens +- switching to a new index or denormalized field that needs migration-safe rollout + +When correctness depends on handling old and new states during a rollout, consult `skills/convex-migration-helper/SKILL.md` for the migration workflow. + +## Workflow + +### 1. Scope the problem + +Pick one concrete user flow from the actual project. Look at the codebase, client pages, and API surface to find the flow that matches the symptom. + +Write down: + +- entrypoint functions +- client callsites using `useQuery`, `usePaginatedQuery`, or `useMutation` +- tables read +- tables written +- whether the path is high-read, high-write, or both + +### 2. Trace the full read and write set + +For each function in the path: + +1. Trace every `ctx.db.get()` and `ctx.db.query()` +2. Trace every `ctx.db.patch()`, `ctx.db.replace()`, and `ctx.db.insert()` +3. Note foreign-key lookups, JS-side filtering, and full-document reads +4. Identify all sibling functions touching the same tables +5. Identify reactive stats, aggregates, or widgets rendered on the same page + +In Convex, every extra read increases transaction work, and every write can invalidate reactive subscribers. Treat read amplification and invalidation amplification as first-class problems. + +### 3. Apply fixes from the relevant reference + +Read the reference file matching your problem class. Each reference includes specific patterns, code examples, and a recommended fix order. + +Do not stop at the single function named by an insight. Trace sibling readers and writers touching the same tables. + +### 4. Fix sibling functions together + +When one function touching a table has a performance bug, audit sibling functions for the same pattern. + +After finding one problem, inspect both sibling readers and sibling writers for the same table family, including companion digest or summary tables. + +Examples: + +- If one list query switches from full docs to a digest table, inspect the other list queries for that table +- If one mutation isolates a frequently-updated field or splits a hot document, inspect the other writers to the same table +- If one read path needs a migration-safe rollout for an unbackfilled field, inspect sibling reads for the same rollout risk + +Do not leave one path fixed and another path on the old pattern unless there is a clear product reason. + +### 5. Verify before finishing + +Confirm all of these: + +1. Results are the same as before, no dropped records +2. Eliminated reads or writes are no longer in the path where expected +3. Fallback behavior works when denormalized or indexed fields are missing +4. Frequently-updated fields are isolated from widely-read documents where needed +5. Every relevant sibling reader and writer was inspected, not just the original function + +## Reference Files + +- `references/hot-path-rules.md` - Read amplification, invalidation, denormalization, indexes, digest tables +- `references/occ-conflicts.md` - Write contention, OCC resolution, hot document splitting +- `references/subscription-cost.md` - Reactive query cost, subscription granularity, point-in-time reads +- `references/function-budget.md` - Execution limits, transaction size, large documents, payload size + +Also check the official [Convex Best Practices](https://docs.convex.dev/understanding/best-practices/) page for additional patterns covering argument validation, access control, and code organization that may surface during the audit. + +## Checklist + +- [ ] Gathered signals from insights, dashboard, or code audit +- [ ] Identified the problem class and read the matching reference +- [ ] Scoped one concrete user flow or function path +- [ ] Traced every read and write in that path +- [ ] Identified sibling functions touching the same tables +- [ ] Applied fixes from the reference, following the recommended fix order +- [ ] Fixed sibling functions consistently +- [ ] Verified behavior and confirmed no regressions diff --git a/.agents/skills/convex-performance-audit/agents/openai.yaml b/.agents/skills/convex-performance-audit/agents/openai.yaml new file mode 100644 index 0000000..9a21f38 --- /dev/null +++ b/.agents/skills/convex-performance-audit/agents/openai.yaml @@ -0,0 +1,10 @@ +interface: + display_name: "Convex Performance Audit" + short_description: "Audit slow Convex reads, subscriptions, OCC conflicts, and limits." + icon_small: "./assets/icon.svg" + icon_large: "./assets/icon.svg" + brand_color: "#EF4444" + default_prompt: "Audit this Convex app for performance issues. Start with the strongest signal available, identify the problem class, and suggest the smallest high-impact fix before proposing bigger structural changes." + +policy: + allow_implicit_invocation: true diff --git a/.agents/skills/convex-performance-audit/assets/icon.svg b/.agents/skills/convex-performance-audit/assets/icon.svg new file mode 100644 index 0000000..7ab9e09 --- /dev/null +++ b/.agents/skills/convex-performance-audit/assets/icon.svg @@ -0,0 +1,3 @@ + diff --git a/.agents/skills/convex-performance-audit/references/function-budget.md b/.agents/skills/convex-performance-audit/references/function-budget.md new file mode 100644 index 0000000..d4d4aa5 --- /dev/null +++ b/.agents/skills/convex-performance-audit/references/function-budget.md @@ -0,0 +1,232 @@ +# Function Budget + +Use these rules when functions are hitting execution limits, transaction size errors, or returning excessively large payloads to the client. + +## Core Principle + +Convex functions run inside transactions with budgets for time, reads, and writes. Staying well within these limits is not just about avoiding errors, it reduces latency and contention. + +## Limits to Know + +These are the current values from the [Convex limits docs](https://docs.convex.dev/production/state/limits). Check that page for the latest numbers. + +| Resource | Limit | +| --------------------------------- | ----------------------------------------------------- | +| Query/mutation execution time | 1 second (user code only, excludes DB operations) | +| Action execution time | 10 minutes | +| Data read per transaction | 16 MiB | +| Data written per transaction | 16 MiB | +| Documents scanned per transaction | 32,000 (includes documents filtered out by `.filter`) | +| Index ranges read per transaction | 4,096 (each `db.get` and `db.query` call) | +| Documents written per transaction | 16,000 | +| Individual document size | 1 MiB | +| Function return value size | 16 MiB | + +## Symptoms + +- "Function execution took too long" errors +- "Transaction too large" or read/write set size errors +- Slow queries that read many documents +- Client receiving large payloads that slow down page load +- `npx convex insights --details` showing high bytes read + +## Common Causes + +### Unbounded collection + +A query that calls `.collect()` on a table without a reasonable limit. As the table grows, the query reads more and more documents. + +### Large document reads on hot paths + +Reading documents with large fields (rich text, embedded media references, long arrays) when only a small subset of the data is needed for the current view. + +### Mutation doing too much work + +A single mutation that updates hundreds of documents, backfills data, or rebuilds derived state in one transaction. + +### Returning too much data to the client + +A query returning full documents when the client only needs a few fields. + +## Fix Order + +### 1. Bound your reads + +Never `.collect()` without a limit on a table that can grow unbounded. + +```ts +// Bad: unbounded read, breaks as the table grows +const messages = await ctx.db.query("messages").collect(); +``` + +```ts +// Good: paginate or limit +const messages = await ctx.db + .query("messages") + .withIndex("by_channel", (q) => q.eq("channelId", channelId)) + .order("desc") + .take(50); +``` + +### 2. Read smaller shapes + +If the list page only needs title, author, and date, do not read full documents with rich content fields. + +Use digest or summary tables for hot list pages. See `hot-path-rules.md` for the digest table pattern. + +### 3. Break large mutations into batches + +If a mutation needs to update hundreds of documents, split it into a self-scheduling chain. + +```ts +// Bad: one mutation updating every row +export const backfillAll = internalMutation({ + handler: async (ctx) => { + const docs = await ctx.db.query("items").collect(); + for (const doc of docs) { + await ctx.db.patch(doc._id, { newField: computeValue(doc) }); + } + }, +}); +``` + +```ts +// Good: cursor-based batch processing +export const backfillBatch = internalMutation({ + args: { cursor: v.optional(v.string()), batchSize: v.optional(v.number()) }, + handler: async (ctx, args) => { + const batchSize = args.batchSize ?? 100; + const result = await ctx.db + .query("items") + .paginate({ cursor: args.cursor ?? null, numItems: batchSize }); + + for (const doc of result.page) { + if (doc.newField === undefined) { + await ctx.db.patch(doc._id, { newField: computeValue(doc) }); + } + } + + if (!result.isDone) { + await ctx.scheduler.runAfter(0, internal.items.backfillBatch, { + cursor: result.continueCursor, + batchSize, + }); + } + }, +}); +``` + +### 4. Move heavy work to actions + +Queries and mutations run inside Convex's transactional runtime with strict budgets. If you need to do CPU-intensive computation, call external APIs, or process large files, use an action instead. + +Actions run outside the transaction and can call mutations to write results back. + +```ts +// Bad: heavy computation inside a mutation +export const processUpload = mutation({ + handler: async (ctx, args) => { + const result = expensiveComputation(args.data); + await ctx.db.insert("results", result); + }, +}); +``` + +```ts +// Good: action for heavy work, mutation for the write +export const processUpload = action({ + handler: async (ctx, args) => { + const result = expensiveComputation(args.data); + await ctx.runMutation(internal.results.store, { result }); + }, +}); +``` + +### 5. Trim return values + +Only return what the client needs. If a query fetches full documents but the component only renders a few fields, map the results before returning. + +```ts +// Bad: returns full documents including large content fields +export const list = query({ + handler: async (ctx) => { + return await ctx.db.query("articles").take(20); + }, +}); +``` + +```ts +// Good: project to only the fields the client needs +export const list = query({ + handler: async (ctx) => { + const articles = await ctx.db.query("articles").take(20); + return articles.map((a) => ({ + _id: a._id, + title: a.title, + author: a.author, + createdAt: a._creationTime, + })); + }, +}); +``` + +### 6. Replace `ctx.runQuery` and `ctx.runMutation` with helper functions + +Inside queries and mutations, `ctx.runQuery` and `ctx.runMutation` have overhead compared to calling a plain TypeScript helper function. They run in the same transaction but pay extra per-call cost. + +```ts +// Bad: unnecessary overhead from ctx.runQuery inside a mutation +export const createProject = mutation({ + handler: async (ctx, args) => { + const user = await ctx.runQuery(api.users.getCurrentUser); + await ctx.db.insert("projects", { ...args, ownerId: user._id }); + }, +}); +``` + +```ts +// Good: plain helper function, no extra overhead +export const createProject = mutation({ + handler: async (ctx, args) => { + const user = await getCurrentUser(ctx); + await ctx.db.insert("projects", { ...args, ownerId: user._id }); + }, +}); +``` + +Exception: components require `ctx.runQuery`/`ctx.runMutation`. Use them there, but prefer helpers everywhere else. + +### 7. Avoid unnecessary `runAction` calls + +`runAction` from within an action creates a separate function invocation with its own memory and CPU budget. The parent action just sits idle waiting. Replace with a plain TypeScript function call unless you need a different runtime (e.g. calling Node.js code from the Convex runtime). + +```ts +// Bad: runAction overhead for no reason +export const processItems = action({ + handler: async (ctx, args) => { + for (const item of args.items) { + await ctx.runAction(internal.items.processOne, { item }); + } + }, +}); +``` + +```ts +// Good: plain function call +export const processItems = action({ + handler: async (ctx, args) => { + for (const item of args.items) { + await processOneItem(ctx, { item }); + } + }, +}); +``` + +## Verification + +1. No function execution or transaction size errors +2. `npx convex insights --details` shows reduced bytes read +3. Large mutations are batched and self-scheduling +4. Client payloads are reasonably sized for the UI they serve +5. `ctx.runQuery`/`ctx.runMutation` in queries and mutations replaced with helpers where possible +6. Sibling functions with similar patterns were checked diff --git a/.agents/skills/convex-performance-audit/references/hot-path-rules.md b/.agents/skills/convex-performance-audit/references/hot-path-rules.md new file mode 100644 index 0000000..e003e05 --- /dev/null +++ b/.agents/skills/convex-performance-audit/references/hot-path-rules.md @@ -0,0 +1,369 @@ +# Hot Path Rules + +Use these rules when the top-level workflow points to read amplification, denormalization, index rollout, reactive query cost, or invalidation-heavy writes. + +## Contents + +- Core Principle +- Consistency Rule +- 1. Push Filters To Storage (indexes, migration rule, redundant indexes) +- 2. Minimize Data Sources (denormalization, fallback rule) +- 3. Minimize Row Size (digest tables) +- 4. Skip No-Op Writes +- 5. Match Consistency To Read Patterns (high-read/low-write, high-read/high-write) +- Convex-Specific Notes (reactive queries, point-in-time reads, triggers, aggregates, backfills) +- Verification + +## Core Principle + +Every byte read or written multiplies with concurrency. + +Think: + +`cost x calls_per_second x 86400` + +In Convex, every write can also fan out into reactive invalidation, replication work, and downstream sync. + +## Consistency Rule + +If you fix a hot-path pattern for one function, audit sibling functions touching the same tables for the same pattern. + +Do this especially for: + +- multiple list queries over the same table +- multiple writers to the same table +- public browse and search queries over the same records +- helper functions reused by more than one endpoint + +## 1. Push Filters To Storage + +Both JavaScript `.filter()` and the Convex query `.filter()` method after a DB scan mean you already paid for the read. The Convex `.filter()` method has the same performance as filtering in JS, it does not push the predicate to the storage layer. Only `.withIndex()` and `.withSearchIndex()` actually reduce the documents scanned. + +Prefer: + +- `withIndex(...)` +- `.withSearchIndex(...)` for text search +- narrower tables +- summary tables + +before accepting a scan-plus-filter pattern. + +```ts +// Bad: scans then filters in JavaScript +export const listOpen = query({ + args: {}, + handler: async (ctx) => { + const tasks = await ctx.db.query("tasks").collect(); + return tasks.filter((task) => task.status === "open"); + }, +}); +``` + +```ts +// Also bad: Convex .filter() does not push to storage either +export const listOpen = query({ + args: {}, + handler: async (ctx) => { + return await ctx.db + .query("tasks") + .filter((q) => q.eq(q.field("status"), "open")) + .collect(); + }, +}); +``` + +```ts +// Good: use an index so storage does the filtering +export const listOpen = query({ + args: {}, + handler: async (ctx) => { + return await ctx.db + .query("tasks") + .withIndex("by_status", (q) => q.eq("status", "open")) + .collect(); + }, +}); +``` + +### Migration rule for indexes + +New indexes on partially backfilled fields can create correctness bugs during rollout. + +Important Convex detail: + +`undefined !== false` + +If an older document is missing a field entirely, it will not match a compound index entry that expects `false`. + +Do not trust old comments saying a field is "not backfilled" or "already backfilled". Verify. + +If correctness depends on handling old and new states during rollout, do not improvise a partial-backfill workaround in the hot path. Use a migration-safe rollout and consult `skills/convex-migration-helper/SKILL.md`. + +```ts +// Bad: optional booleans can miss older rows where the field is undefined +const projects = await ctx.db + .query("projects") + .withIndex("by_archived_and_updated", (q) => q.eq("isArchived", false)) + .order("desc") + .take(20); +``` + +```ts +// Good: switch hot-path reads only after the rollout is migration-safe +// See the migration helper skill for dual-read / backfill / cutover patterns. +``` + +### Check for redundant indexes + +Indexes like `by_foo` and `by_foo_and_bar` are usually redundant. You only need `by_foo_and_bar`, since you can query it with just the `foo` condition and omit `bar`. Extra indexes add storage cost and write overhead on every insert, patch, and delete. + +```ts +// Bad: two indexes where one would do +defineTable({ team: v.id("teams"), user: v.id("users") }) + .index("by_team", ["team"]) + .index("by_team_and_user", ["team", "user"]); +``` + +```ts +// Good: single compound index serves both query patterns +defineTable({ team: v.id("teams"), user: v.id("users") }).index( + "by_team_and_user", + ["team", "user"], +); +``` + +Exception: `.index("by_foo", ["foo"])` is really an index on `foo` + `_creationTime`, while `.index("by_foo_and_bar", ["foo", "bar"])` is on `foo` + `bar` + `_creationTime`. If you need results sorted by `foo` then `_creationTime`, you need the single-field index because the compound one would sort by `bar` first. + +## 2. Minimize Data Sources + +Trace every read. + +If a function resolves a foreign key for a tiny display field and a denormalized copy already exists, prefer the denormalized field on the hot path. + +### When to denormalize + +Denormalize when all of these are true: + +- the path is hot +- the joined document is much larger than the field you need +- many readers are paying that join cost repeatedly + +Useful mental model: + +`join_cost = rows_per_page x foreign_doc_size x pages_per_second` + +Small-table joins are often fine. Large-document joins for tiny fields on hot list pages are usually not. + +### Fallback rule + +Denormalized data is an optimization. Live data is the correctness path. + +Rules: + +- If the denormalized field is missing or null, fall back to the live read +- Do not show placeholders instead of falling back +- In lookup maps, only include fully populated entries + +```ts +// Bad: missing denormalized data becomes a placeholder and blocks correctness +const ownerName = project.ownerName ?? "Unknown owner"; +``` + +```ts +// Good: denormalized data is an optimization, not the only source of truth +const ownerName = + project.ownerName ?? (await ctx.db.get(project.ownerId))?.name ?? null; +``` + +Bad lookup map pattern: + +```ts +const ownersById = { + [project.ownerId]: { ownerName: null }, +}; +``` + +That blocks fallback because the map says "I have data" when it does not. + +Good lookup map pattern: + +```ts +const ownersById = + project.ownerName !== undefined && project.ownerName !== null + ? { [project.ownerId]: { ownerName: project.ownerName } } + : {}; +``` + +### No denormalized copy yet + +Prefer adding fields to an existing summary, companion, or digest table instead of bloating the primary hot-path table. + +If introducing the new field or table requires a staged rollout, backfill, or old/new-shape handling, use the migration helper skill for the rollout plan. + +Rollout order: + +1. Update schema +2. Update write path +3. Backfill +4. Switch read path + +## 3. Minimize Row Size + +Hot list pages should read the smallest document shape that still answers the UI. + +Prefer summary or digest tables over full source tables when: + +- the list page only needs a subset of fields +- source documents are large +- the query is high volume + +An 800 byte summary row is materially cheaper than a 3 KB full document on a hot page. + +Digest tables are a tradeoff, not a default: + +- Worth it when the path is clearly hot, the source rows are much larger than the UI needs, or many readers are repeatedly paying the same join and payload cost +- Probably not worth it when an indexed read on the source table is already cheap enough, the table is still small, or the extra write and migration complexity would dominate the benefit + +```ts +// Bad: list page reads source docs, then joins owner data per row +const projects = await ctx.db + .query("projects") + .withIndex("by_public", (q) => q.eq("isPublic", true)) + .collect(); +``` + +```ts +// Good: list page reads the smaller digest shape first +const projects = await ctx.db + .query("projectDigests") + .withIndex("by_public_and_updated", (q) => q.eq("isPublic", true)) + .order("desc") + .take(20); +``` + +## 4. Isolate Frequently-Updated Fields + +Convex already no-ops unchanged writes. The invalidation problem here is real writes hitting documents that many queries subscribe to. + +Move high-churn fields like `lastSeen`, counters, presence, or ephemeral status off widely-read documents when most readers do not need them. + +Apply this across sibling writers too. Splitting one write path does not help much if three other mutations still update the same widely-read document. + +```ts +// Bad: every presence heartbeat invalidates subscribers to the whole profile +await ctx.db.patch(user._id, { + name: args.name, + avatarUrl: args.avatarUrl, + lastSeen: Date.now(), +}); +``` + +```ts +// Good: keep profile reads stable, move heartbeat updates to a separate document +await ctx.db.patch(user._id, { + name: args.name, + avatarUrl: args.avatarUrl, +}); + +await ctx.db.patch(presence._id, { + lastSeen: Date.now(), +}); +``` + +## 5. Match Consistency To Read Patterns + +Choose read strategy based on traffic shape. + +### High-read, low-write + +Examples: + +- public browse pages +- search results +- landing pages +- directory listings + +Prefer: + +- point-in-time reads where appropriate +- explicit refresh +- local state for pagination +- caching where appropriate + +Do not treat subscriptions as automatically wrong here. Prefer point-in-time reads only when the product does not need live freshness and the reactive cost is material. See `subscription-cost.md` for detailed patterns. + +### High-read, high-write + +Examples: + +- collaborative editors +- live dashboards +- presence-heavy views + +Reactive queries may be worth the ongoing cost. + +## Convex-Specific Notes + +### Reactive queries + +Every `ctx.db.get()` and `ctx.db.query()` contributes to the invalidation set for the query. + +On the client: + +- `useQuery` creates a live subscription +- `usePaginatedQuery` creates a live subscription per page + +For low-freshness flows, consider a point-in-time read instead of a live subscription only when the product does not need updates pushed automatically. + +### Point-in-time reads + +Framework helpers, server-rendered fetches, or one-shot client reads can avoid ongoing subscription cost when live updates are not useful. + +Use them for: + +- aggregate snapshots +- reports +- low-churn listings +- pages where explicit refresh is fine + +### Triggers and fan-out + +Triggers fire on every write, including writes that did not materially change the document. + +When a write exists only to keep derived state in sync: + +- diff before patching +- move expensive non-blocking work to `ctx.scheduler.runAfter` when appropriate + +### Aggregates + +Reactive global counts invalidate frequently on busy tables. + +Prefer: + +- one-shot aggregate fetches +- periodic recomputation +- precomputed summary rows + +for global stats that do not need live updates every second. + +### Backfills + +For larger backfills, use cursor-based, self-scheduling `internalMutation` jobs or the migrations component. + +Deploy code that can handle both states before running the backfill. + +During the gap: + +- writes should populate the new shape +- reads should fall back safely + +## Verification + +Before closing the audit, confirm: + +1. Same results as before, no dropped records +2. The removed table or lookup is no longer in the hot-path read set +3. Tests or validation cover fallback behavior +4. Migration safety is preserved while fields or indexes are unbackfilled +5. Sibling functions were fixed consistently diff --git a/.agents/skills/convex-performance-audit/references/occ-conflicts.md b/.agents/skills/convex-performance-audit/references/occ-conflicts.md new file mode 100644 index 0000000..1da4380 --- /dev/null +++ b/.agents/skills/convex-performance-audit/references/occ-conflicts.md @@ -0,0 +1,114 @@ +# OCC Conflict Resolution + +Use these rules when insights, logs, or dashboard health show OCC (Optimistic Concurrency Control) conflicts, mutation retries, or write contention on hot tables. + +## Core Principle + +Convex uses optimistic concurrency control. When two transactions read or write overlapping data, one succeeds and the other retries automatically. High contention means wasted work and increased latency. + +## Symptoms + +- OCC conflict errors in deployment logs or health page +- Mutations retrying multiple times before succeeding +- User-visible latency spikes on write-heavy pages +- `npx convex insights --details` showing high conflict rates + +## Common Causes + +### Hot documents + +Multiple mutations writing to the same document concurrently. Classic examples: a global counter, a shared settings row, or a "last updated" timestamp on a parent record. + +### Broad read sets causing false conflicts + +A query that scans a large table range creates a broad read set. If any write touches that range, the query's transaction conflicts even if the specific document the query cared about was not modified. + +### Fan-out from triggers or cascading writes + +A single user action triggers multiple mutations that all touch related documents. Each mutation competes with the others. + +Database triggers (e.g. from `convex-helpers`) run inside the same transaction as the mutation that caused them. If a trigger does heavy work, reads extra tables, or writes to many documents, it extends the transaction's read/write set and increases the window for conflicts. Keep trigger logic minimal, or move expensive derived work to a scheduled function. + +### Write-then-read chains + +A mutation writes a document, then a reactive query re-reads it, then another mutation writes it again. Under load, these chains stack up. + +## Fix Order + +### 1. Reduce read set size + +Narrower reads mean fewer false conflicts. + +```ts +// Bad: broad scan creates a wide conflict surface +const allTasks = await ctx.db.query("tasks").collect(); +const mine = allTasks.filter((t) => t.ownerId === userId); +``` + +```ts +// Good: indexed query touches only relevant documents +const mine = await ctx.db + .query("tasks") + .withIndex("by_owner", (q) => q.eq("ownerId", userId)) + .collect(); +``` + +### 2. Split hot documents + +When many writers target the same document, split the contention point. + +```ts +// Bad: every vote increments the same counter document +const counter = await ctx.db.get(pollCounterId); +await ctx.db.patch(pollCounterId, { count: counter!.count + 1 }); +``` + +```ts +// Good: shard the counter across multiple documents, aggregate on read +const shardIndex = Math.floor(Math.random() * SHARD_COUNT); +const shardId = shardIds[shardIndex]; +const shard = await ctx.db.get(shardId); +await ctx.db.patch(shardId, { count: shard!.count + 1 }); +``` + +Aggregate the shards in a query or scheduled job when you need the total. + +### 3. Move non-critical work to scheduled functions + +If a mutation does primary work plus secondary bookkeeping (analytics, non-critical notifications, cache warming), the bookkeeping extends the transaction's lifetime and read/write set. + +```ts +// Bad: canonical write and derived work happen in the same transaction +await ctx.db.patch(userId, { name: args.name }); +await ctx.db.insert("userUpdateAnalytics", { + userId, + kind: "name_changed", + name: args.name, +}); +``` + +```ts +// Good: keep the primary write small, defer the analytics work +await ctx.db.patch(userId, { name: args.name }); +await ctx.scheduler.runAfter(0, internal.users.recordNameChangeAnalytics, { + userId, + name: args.name, +}); +``` + +### 4. Combine competing writes + +If two mutations must update the same document atomically, consider whether they can be combined into a single mutation call from the client, reducing round trips and conflict windows. + +Do not introduce artificial locks or queues unless the above steps have been tried first. + +## Related: Invalidation Scope + +Splitting hot documents also reduces subscription invalidation, not just OCC contention. If a document is written frequently and read by many queries, those queries re-run on every write even when the fields they care about have not changed. See `subscription-cost.md` section 4 ("Isolate frequently-updated fields") for that pattern. + +## Verification + +1. OCC conflict rate has dropped in insights or dashboard +2. Mutation latency is lower and more consistent +3. No data correctness regressions from splitting or scheduling changes +4. Sibling writers to the same hot documents were fixed consistently diff --git a/.agents/skills/convex-performance-audit/references/subscription-cost.md b/.agents/skills/convex-performance-audit/references/subscription-cost.md new file mode 100644 index 0000000..ae7d1ad --- /dev/null +++ b/.agents/skills/convex-performance-audit/references/subscription-cost.md @@ -0,0 +1,252 @@ +# Subscription Cost + +Use these rules when the problem is too many reactive subscriptions, queries invalidating too frequently, or React components re-rendering excessively due to Convex state changes. + +## Core Principle + +Every `useQuery` and `usePaginatedQuery` call creates a live subscription. The server tracks the query's read set and re-executes the query whenever any document in that read set changes. Subscription cost scales with: + +`subscriptions x invalidation_frequency x query_cost` + +Subscriptions are not inherently bad. Convex reactivity is often the right default. The goal is to reduce unnecessary invalidation work, not to eliminate subscriptions on principle. + +## Symptoms + +- Dashboard shows high active subscription count +- UI feels sluggish or laggy despite fast individual queries +- React profiling shows frequent re-renders from Convex state +- Pages with many components each running their own `useQuery` +- Paginated lists where every loaded page stays subscribed + +## Common Causes + +### Reactive queries on low-freshness flows + +Some user flows are read-heavy and do not need live updates every time the underlying data changes. In those cases, ongoing subscriptions may cost more than they are worth. + +### Overly broad queries + +A query that returns a large result set invalidates whenever any document in that set changes. The broader the query, the more frequent the invalidation. + +### Too many subscriptions per page + +A page with 20 list items, each running its own `useQuery` to fetch related data, creates 20+ subscriptions per visitor. + +### Paginated queries keeping all pages live + +`usePaginatedQuery` with `loadMore` keeps every loaded page subscribed. On a page where a user has scrolled through 10 pages, all 10 stay reactive. + +### Frequently-updated fields on widely-read documents + +A document that many queries touch gets a frequently-updated field (like `lastSeen`, `lastActiveAt`, or a counter). Every write to that field invalidates every subscription that reads the document, even if those subscriptions never use the field. This is different from OCC conflicts (see `occ-conflicts.md`), which are write-vs-write contention. This is write-vs-subscription: the write succeeds fine, but it forces hundreds of queries to re-run for no reason. + +## Fix Order + +### 1. Use point-in-time reads when live updates are not valuable + +Keep `useQuery` and `usePaginatedQuery` by default when the product benefits from fresh live data. + +Consider a point-in-time read instead when all of these are true: + +- the flow is high-read +- the underlying data changes less often than users need to see +- explicit refresh, periodic refresh, or a fresh read on navigation is acceptable + +Possible implementations depend on environment: + +- a server-rendered fetch +- a framework helper like `fetchQuery` +- a point-in-time client read such as `ConvexHttpClient.query()` + +```ts +// Reactive by default when fresh live data matters +function TeamPresence() { + const presence = useQuery(api.teams.livePresence, { teamId }); + return ; +} +``` + +```ts +// Point-in-time read when explicit refresh is acceptable +import { ConvexHttpClient } from "convex/browser"; + +const client = new ConvexHttpClient(import.meta.env.VITE_CONVEX_URL); + +function SnapshotView() { + const [items, setItems] = useState([]); + + useEffect(() => { + client.query(api.items.snapshot).then(setItems); + }, []); + + return ; +} +``` + +Good candidates for point-in-time reads: + +- aggregate snapshots +- reports +- low-churn listings +- flows where explicit refresh is already acceptable + +Keep reactive for: + +- collaborative editing +- live dashboards +- presence-heavy views +- any surface where users expect fresh changes to appear automatically + +### 2. Batch related data into fewer queries + +Instead of N components each fetching their own related data, fetch it in a single query. + +```ts +// Bad: each card fetches its own author +function ProjectCard({ project }: { project: Project }) { + const author = useQuery(api.users.get, { id: project.authorId }); + return ; +} +``` + +```ts +// Good: parent query returns projects with author names included +function ProjectList() { + const projects = useQuery(api.projects.listWithAuthors); + return projects?.map((p) => ( + + )); +} +``` + +This can use denormalized fields or server-side joins in the query handler. Either way, it is one subscription instead of N. + +This is not automatically better. If the combined query becomes much broader and invalidates much more often, several narrower subscriptions may be the better tradeoff. Optimize for total invalidation cost, not raw subscription count. + +### 3. Use skip to avoid unnecessary subscriptions + +The `"skip"` value prevents a subscription from being created when the arguments are not ready. + +```ts +// Bad: subscribes with undefined args, wastes a subscription slot +const profile = useQuery(api.users.getProfile, { userId: selectedId! }); +``` + +```ts +// Good: skip when there is nothing to fetch +const profile = useQuery( + api.users.getProfile, + selectedId ? { userId: selectedId } : "skip", +); +``` + +### 4. Isolate frequently-updated fields into separate documents + +If a document is widely read but has a field that changes often, move that field to a separate document. Queries that do not need the field will no longer be invalidated by its writes. + +```ts +// Bad: lastSeen lives on the user doc, every heartbeat invalidates +// every query that reads this user +const users = defineTable({ + name: v.string(), + email: v.string(), + lastSeen: v.number(), +}); +``` + +```ts +// Good: lastSeen lives in a separate heartbeat doc +const users = defineTable({ + name: v.string(), + email: v.string(), + heartbeatId: v.id("heartbeats"), +}); + +const heartbeats = defineTable({ + lastSeen: v.number(), +}); +``` + +Queries that only need `name` and `email` no longer re-run on every heartbeat. Queries that actually need online status fetch the heartbeat document explicitly. + +For an even further optimization, if you only need a coarse online/offline boolean rather than the exact `lastSeen` timestamp, add a separate presence document with an `isOnline` flag. Update it immediately when a user comes online, and use a cron to batch-mark users offline when their heartbeat goes stale. This way the presence query only invalidates when online status actually changes, not on every heartbeat. + +### 5. Use the aggregate component for counts and sums + +Reactive global counts (`SELECT COUNT(*)` equivalent) invalidate on every insert or delete to the table. The [`@convex-dev/aggregate`](https://www.npmjs.com/package/@convex-dev/aggregate) component maintains denormalized COUNT, SUM, and MAX values efficiently so you do not need a reactive query scanning the full table. + +Use it for leaderboards, totals, "X items" badges, or any stat that would otherwise require scanning many rows reactively. + +If the aggregate component is not appropriate, prefer point-in-time reads for global stats, or precomputed summary rows updated by a cron or trigger, over reactive queries that scan large tables. + +### 6. Narrow query read sets + +Queries that return less data and touch fewer documents invalidate less often. + +```ts +// Bad: returns all fields, invalidates on any field change +export const list = query({ + handler: async (ctx) => { + return await ctx.db.query("projects").collect(); + }, +}); +``` + +```ts +// Good: use a digest table with only the fields the list needs +export const listDigests = query({ + handler: async (ctx) => { + return await ctx.db.query("projectDigests").collect(); + }, +}); +``` + +Writes to fields not in the digest table do not invalidate the digest query. + +### 7. Remove `Date.now()` from queries + +Using `Date.now()` inside a query defeats Convex's query cache. The cache is invalidated frequently to avoid showing stale time-dependent results, which increases database work even when the underlying data has not changed. + +```ts +// Bad: Date.now() defeats query caching and causes frequent re-evaluation +const releasedPosts = await ctx.db + .query("posts") + .withIndex("by_released_at", (q) => q.lte("releasedAt", Date.now())) + .take(100); +``` + +```ts +// Good: use a boolean field updated by a scheduled function +const releasedPosts = await ctx.db + .query("posts") + .withIndex("by_is_released", (q) => q.eq("isReleased", true)) + .take(100); +``` + +If the query must compare against a time value, pass it as an explicit argument from the client and round it to a coarse interval (e.g. the most recent minute) so requests within that window share the same cache entry. + +### 8. Consider pagination strategy + +For long lists where users scroll through many pages: + +- If the data does not need live updates, use point-in-time fetching with manual "load more" +- If it does need live updates, accept the subscription cost but limit the number of loaded pages +- Consider whether older pages can be unloaded as the user scrolls forward + +### 9. Separate backend cost from UI churn + +If the main problem is loading flash or UI churn when query arguments change, stabilizing the reactive UI behavior may be better than replacing reactivity altogether. + +Treat this as a UX problem first when: + +- the underlying query is already reasonably cheap +- the complaint is flicker, loading flashes, or re-render churn +- live updates are still desirable once fresh data arrives + +## Verification + +1. Subscription count in dashboard is lower for the affected pages +2. UI responsiveness has improved +3. React profiling shows fewer unnecessary re-renders +4. Surfaces that do not need live updates are not paying for persistent subscriptions unnecessarily +5. Sibling pages with similar patterns were updated consistently diff --git a/.agents/skills/convex-quickstart/SKILL.md b/.agents/skills/convex-quickstart/SKILL.md new file mode 100644 index 0000000..5bff17b --- /dev/null +++ b/.agents/skills/convex-quickstart/SKILL.md @@ -0,0 +1,347 @@ +--- +name: convex-quickstart +description: Initializes a new Convex project from scratch or adds Convex to an existing app. Use this skill when starting a new project with Convex, scaffolding with npm create convex@latest, adding Convex to an existing React, Next.js, Vue, Svelte, or other frontend, wiring up ConvexProvider, configuring environment variables for the deployment URL, or running npx convex dev for the first time, even if the user just says "set up Convex" or "add a backend." +--- + +# Convex Quickstart + +Set up a working Convex project as fast as possible. + +## When to Use + +- Starting a brand new project with Convex +- Adding Convex to an existing React, Next.js, Vue, Svelte, or other app +- Scaffolding a Convex app for prototyping + +## When Not to Use + +- The project already has Convex installed and `convex/` exists - just start building +- You only need to add auth to an existing Convex app - use the `convex-setup-auth` skill + +## Workflow + +1. Determine the starting point: new project or existing app +2. If new project, pick a template and scaffold with `npm create convex@latest` +3. If existing app, install `convex` and wire up the provider +4. Run `npx convex dev` to connect a deployment and start the dev loop +5. Verify the setup works + +## Path 1: New Project (Recommended) + +Use the official scaffolding tool. It creates a complete project with the frontend framework, Convex backend, and all config wired together. + +### Pick a template + +| Template | Stack | +| -------------------------- | ----------------------------------------- | +| `react-vite-shadcn` | React + Vite + Tailwind + shadcn/ui | +| `nextjs-shadcn` | Next.js App Router + Tailwind + shadcn/ui | +| `react-vite-clerk-shadcn` | React + Vite + Clerk auth + shadcn/ui | +| `nextjs-clerk` | Next.js + Clerk auth | +| `nextjs-convexauth-shadcn` | Next.js + Convex Auth + shadcn/ui | +| `nextjs-lucia-shadcn` | Next.js + Lucia auth + shadcn/ui | +| `bare` | Convex backend only, no frontend | + +If the user has not specified a preference, default to `react-vite-shadcn` for simple apps or `nextjs-shadcn` for apps that need SSR or API routes. + +You can also use any GitHub repo as a template: + +```bash +npm create convex@latest my-app -- -t owner/repo +npm create convex@latest my-app -- -t owner/repo#branch +``` + +### Scaffold the project + +Always pass the project name and template flag to avoid interactive prompts: + +```bash +npm create convex@latest my-app -- -t react-vite-shadcn +cd my-app +npm install +``` + +The scaffolding tool creates files but does not run `npm install`, so you must run it yourself. + +To scaffold in the current directory (if it is empty): + +```bash +npm create convex@latest . -- -t react-vite-shadcn +npm install +``` + +### Start the dev loop + +`npx convex dev` is a long-running watcher process that syncs backend code to a Convex deployment on every save. It also requires authentication on first run (browser-based OAuth). Both of these make it unsuitable for an agent to run directly. + +**Ask the user to run this themselves:** + +Tell the user to run `npx convex dev` in their terminal. On first run it will prompt them to log in or develop anonymously. Once running, it will: + +- Create a Convex project and dev deployment +- Write the deployment URL to `.env.local` +- Create the `convex/` directory with generated types +- Watch for changes and sync continuously + +The user should keep `npx convex dev` running in the background while you work on code. The watcher will automatically pick up any files you create or edit in `convex/`. + +**Exception - cloud or headless agents:** Environments that cannot open a browser for interactive login should use Agent Mode (see below) to run anonymously without user interaction. + +### Start the frontend + +The user should also run the frontend dev server in a separate terminal: + +```bash +npm run dev +``` + +Vite apps serve on `http://localhost:5173`, Next.js on `http://localhost:3000`. + +### What you get + +After scaffolding, the project structure looks like: + +``` +my-app/ + convex/ # Backend functions and schema + _generated/ # Auto-generated types (check this into git) + schema.ts # Database schema (if template includes one) + src/ # Frontend code (or app/ for Next.js) + package.json + .env.local # CONVEX_URL / VITE_CONVEX_URL / NEXT_PUBLIC_CONVEX_URL +``` + +The template already has: + +- `ConvexProvider` wired into the app root +- Correct env var names for the framework +- Tailwind and shadcn/ui ready (for shadcn templates) +- Auth provider configured (for auth templates) + +Proceed to adding schema, functions, and UI. + +## Path 2: Add Convex to an Existing App + +Use this when the user already has a frontend project and wants to add Convex as the backend. + +### Install + +```bash +npm install convex +``` + +### Initialize and start dev loop + +Ask the user to run `npx convex dev` in their terminal. This handles login, creates the `convex/` directory, writes the deployment URL to `.env.local`, and starts the file watcher. See the notes in Path 1 about why the agent should not run this directly. + +### Wire up the provider + +The Convex client must wrap the app at the root. The setup varies by framework. + +Create the `ConvexReactClient` at module scope, not inside a component: + +```tsx +// Bad: re-creates the client on every render +function App() { + const convex = new ConvexReactClient( + import.meta.env.VITE_CONVEX_URL as string, + ); + return ...; +} + +// Good: created once at module scope +const convex = new ConvexReactClient(import.meta.env.VITE_CONVEX_URL as string); +function App() { + return ...; +} +``` + +#### React (Vite) + +```tsx +// src/main.tsx +import { StrictMode } from "react"; +import { createRoot } from "react-dom/client"; +import { ConvexProvider, ConvexReactClient } from "convex/react"; +import App from "./App"; + +const convex = new ConvexReactClient(import.meta.env.VITE_CONVEX_URL as string); + +createRoot(document.getElementById("root")!).render( + + + + + , +); +``` + +#### Next.js (App Router) + +```tsx +// app/ConvexClientProvider.tsx +"use client"; + +import { ConvexProvider, ConvexReactClient } from "convex/react"; +import { ReactNode } from "react"; + +const convex = new ConvexReactClient(process.env.NEXT_PUBLIC_CONVEX_URL!); + +export function ConvexClientProvider({ children }: { children: ReactNode }) { + return {children}; +} +``` + +```tsx +// app/layout.tsx +import { ConvexClientProvider } from "./ConvexClientProvider"; + +export default function RootLayout({ + children, +}: { + children: React.ReactNode; +}) { + return ( + + + {children} + + + ); +} +``` + +#### Other frameworks + +For Vue, Svelte, React Native, TanStack Start, Remix, and others, follow the matching quickstart guide: + +- [Vue](https://docs.convex.dev/quickstart/vue) +- [Svelte](https://docs.convex.dev/quickstart/svelte) +- [React Native](https://docs.convex.dev/quickstart/react-native) +- [TanStack Start](https://docs.convex.dev/quickstart/tanstack-start) +- [Remix](https://docs.convex.dev/quickstart/remix) +- [Node.js (no frontend)](https://docs.convex.dev/quickstart/nodejs) + +### Environment variables + +The env var name depends on the framework: + +| Framework | Variable | +| ------------ | ------------------------ | +| Vite | `VITE_CONVEX_URL` | +| Next.js | `NEXT_PUBLIC_CONVEX_URL` | +| Remix | `CONVEX_URL` | +| React Native | `EXPO_PUBLIC_CONVEX_URL` | + +`npx convex dev` writes the correct variable to `.env.local` automatically. + +## Agent Mode (Cloud and Headless Agents) + +When running in a cloud or headless agent environment where interactive browser login is not possible, set `CONVEX_AGENT_MODE=anonymous` to use a local anonymous deployment. + +Add `CONVEX_AGENT_MODE=anonymous` to `.env.local`, or set it inline: + +```bash +CONVEX_AGENT_MODE=anonymous npx convex dev +``` + +This runs a local Convex backend on the VM without requiring authentication, and avoids conflicting with the user's personal dev deployment. + +## Verify the Setup + +After setup, confirm everything is working: + +1. The user confirms `npx convex dev` is running without errors +2. The `convex/_generated/` directory exists and has `api.ts` and `server.ts` +3. `.env.local` contains the deployment URL + +## Writing Your First Function + +Once the project is set up, create a schema and a query to verify the full loop works. + +`convex/schema.ts`: + +```ts +import { defineSchema, defineTable } from "convex/server"; +import { v } from "convex/values"; + +export default defineSchema({ + tasks: defineTable({ + text: v.string(), + completed: v.boolean(), + }), +}); +``` + +`convex/tasks.ts`: + +```ts +import { query, mutation } from "./_generated/server"; +import { v } from "convex/values"; + +export const list = query({ + args: {}, + handler: async (ctx) => { + return await ctx.db.query("tasks").collect(); + }, +}); + +export const create = mutation({ + args: { text: v.string() }, + handler: async (ctx, args) => { + await ctx.db.insert("tasks", { text: args.text, completed: false }); + }, +}); +``` + +Use in a React component (adjust the import path based on your file location relative to `convex/`): + +```tsx +import { useQuery, useMutation } from "convex/react"; +import { api } from "../convex/_generated/api"; + +function Tasks() { + const tasks = useQuery(api.tasks.list); + const create = useMutation(api.tasks.create); + + return ( +
+ + {tasks?.map((t) => ( +
{t.text}
+ ))} +
+ ); +} +``` + +## Development vs Production + +Always use `npx convex dev` during development. It runs against your personal dev deployment and syncs code on save. + +When ready to ship, deploy to production: + +```bash +npx convex deploy +``` + +This pushes to the production deployment, which is separate from dev. Do not use `deploy` during development. + +## Next Steps + +- Add authentication: use the `convex-setup-auth` skill +- Design your schema: see [Schema docs](https://docs.convex.dev/database/schemas) +- Build components: use the `convex-create-component` skill +- Plan a migration: use the `convex-migration-helper` skill +- Add file storage: see [File Storage docs](https://docs.convex.dev/file-storage) +- Set up cron jobs: see [Scheduling docs](https://docs.convex.dev/scheduling) + +## Checklist + +- [ ] Determined starting point: new project or existing app +- [ ] If new project: scaffolded with `npm create convex@latest` using appropriate template +- [ ] If existing app: installed `convex` and wired up the provider +- [ ] User has `npx convex dev` running and connected to a deployment +- [ ] `convex/_generated/` directory exists with types +- [ ] `.env.local` has the deployment URL +- [ ] Verified a basic query/mutation round-trip works diff --git a/.agents/skills/convex-quickstart/agents/openai.yaml b/.agents/skills/convex-quickstart/agents/openai.yaml new file mode 100644 index 0000000..a51a6d0 --- /dev/null +++ b/.agents/skills/convex-quickstart/agents/openai.yaml @@ -0,0 +1,10 @@ +interface: + display_name: "Convex Quickstart" + short_description: "Start a new Convex app or add Convex to an existing frontend." + icon_small: "./assets/icon.svg" + icon_large: "./assets/icon.svg" + brand_color: "#F97316" + default_prompt: "Set up Convex for this project as fast as possible. First decide whether this is a new app or an existing app, then scaffold or integrate Convex and verify the setup works." + +policy: + allow_implicit_invocation: true diff --git a/.agents/skills/convex-quickstart/assets/icon.svg b/.agents/skills/convex-quickstart/assets/icon.svg new file mode 100644 index 0000000..d83a73f --- /dev/null +++ b/.agents/skills/convex-quickstart/assets/icon.svg @@ -0,0 +1,4 @@ + diff --git a/.agents/skills/convex-setup-auth/SKILL.md b/.agents/skills/convex-setup-auth/SKILL.md new file mode 100644 index 0000000..0d1d9dd --- /dev/null +++ b/.agents/skills/convex-setup-auth/SKILL.md @@ -0,0 +1,150 @@ +--- +name: convex-setup-auth +description: Sets up Convex authentication with user management, identity mapping, and access control. Use this skill when adding login or signup to a Convex app, configuring Convex Auth, Clerk, WorkOS AuthKit, Auth0, or custom JWT providers, wiring auth.config.ts, protecting queries and mutations with ctx.auth.getUserIdentity(), creating a users table with identity mapping, or setting up role-based access control, even if the user just says "add auth" or "make it require login." +--- + +# Convex Authentication Setup + +Implement secure authentication in Convex with user management and access control. + +## When to Use + +- Setting up authentication for the first time +- Implementing user management (users table, identity mapping) +- Creating authentication helper functions +- Setting up auth providers (Convex Auth, Clerk, WorkOS AuthKit, Auth0, custom JWT) + +## When Not to Use + +- Auth for a non-Convex backend +- Pure OAuth/OIDC documentation without a Convex implementation +- Debugging unrelated bugs that happen to surface near auth code +- The auth provider is already fully configured and the user only needs a one-line fix + +## First Step: Choose the Auth Provider + +Convex supports multiple authentication approaches. Do not assume a provider. + +Before writing setup code: + +1. Ask the user which auth solution they want, unless the repository already makes it obvious +2. If the repo already uses a provider, continue with that provider unless the user wants to switch +3. If the user has not chosen a provider and the repo does not make it obvious, ask before proceeding + +Common options: + +- [Convex Auth](https://docs.convex.dev/auth/convex-auth) - good default when the user wants auth handled directly in Convex +- [Clerk](https://docs.convex.dev/auth/clerk) - use when the app already uses Clerk or the user wants Clerk's hosted auth features +- [WorkOS AuthKit](https://docs.convex.dev/auth/authkit/) - use when the app already uses WorkOS or the user wants AuthKit specifically +- [Auth0](https://docs.convex.dev/auth/auth0) - use when the app already uses Auth0 +- Custom JWT provider - use when integrating an existing auth system not covered above + +Look for signals in the repo before asking: + +- Dependencies such as `@clerk/*`, `@workos-inc/*`, `@auth0/*`, or Convex Auth packages +- Existing files such as `convex/auth.config.ts`, auth middleware, provider wrappers, or login components +- Environment variables that clearly point at a provider + +## After Choosing a Provider + +Read the provider's official guide and the matching local reference file: + +- Convex Auth: [official docs](https://docs.convex.dev/auth/convex-auth), then `references/convex-auth.md` +- Clerk: [official docs](https://docs.convex.dev/auth/clerk), then `references/clerk.md` +- WorkOS AuthKit: [official docs](https://docs.convex.dev/auth/authkit/), then `references/workos-authkit.md` +- Auth0: [official docs](https://docs.convex.dev/auth/auth0), then `references/auth0.md` + +The local reference files contain the concrete workflow, expected files and env vars, gotchas, and validation checks. + +Use those sources for: + +- package installation +- client provider wiring +- environment variables +- `convex/auth.config.ts` setup +- login and logout UI patterns +- framework-specific setup for React, Vite, or Next.js + +For shared auth behavior, use the official Convex docs as the source of truth: + +- [Auth in Functions](https://docs.convex.dev/auth/functions-auth) for `ctx.auth.getUserIdentity()` +- [Storing Users in the Convex Database](https://docs.convex.dev/auth/database-auth) for optional app-level user storage +- [Authentication](https://docs.convex.dev/auth) for general auth and authorization guidance +- [Convex Auth Authorization](https://labs.convex.dev/auth/authz) when the provider is Convex Auth + +Prefer official docs over recalled steps, because provider CLIs and Convex Auth internals change between versions. Inventing setup from memory risks outdated patterns. +For third-party providers, only add app-level user storage if the app actually needs user documents in Convex. Not every app needs a `users` table. +For Convex Auth, follow the Convex Auth docs and built-in auth tables rather than adding a parallel `users` table plus `storeUser` flow, because Convex Auth already manages user records internally. +After running provider initialization commands, verify generated files and complete the post-init wiring steps the provider reference calls out. Initialization commands rarely finish the entire integration. + +## Core Pattern: Protecting Backend Functions + +The most common auth task is checking identity in Convex functions. + +```ts +// Bad: trusting a client-provided userId +export const getMyProfile = query({ + args: { userId: v.id("users") }, + handler: async (ctx, args) => { + return await ctx.db.get(args.userId); + }, +}); +``` + +```ts +// Good: verifying identity server-side +export const getMyProfile = query({ + args: {}, + handler: async (ctx) => { + const identity = await ctx.auth.getUserIdentity(); + if (!identity) throw new Error("Not authenticated"); + + return await ctx.db + .query("users") + .withIndex("by_tokenIdentifier", (q) => + q.eq("tokenIdentifier", identity.tokenIdentifier), + ) + .unique(); + }, +}); +``` + +## Workflow + +1. Determine the provider, either by asking the user or inferring from the repo +2. Ask whether the user wants local-only setup or production-ready setup now +3. Read the matching provider reference file +4. Follow the official provider docs for current setup details +5. Follow the official Convex docs for shared backend auth behavior, user storage, and authorization patterns +6. Only add app-level user storage if the docs and app requirements call for it +7. Add authorization checks for ownership, roles, or team access only where the app needs them +8. Verify login state, protected queries, environment variables, and production configuration if requested + +If the flow blocks on interactive provider or deployment setup, ask the user explicitly for the exact human step needed, then continue after they complete it. +For UI-facing auth flows, offer to validate the real sign-up or sign-in flow after setup is done. +If the environment has browser automation tools, you can use them. +If it does not, give the user a short manual validation checklist instead. + +## Reference Files + +### Provider References + +- `references/convex-auth.md` +- `references/clerk.md` +- `references/workos-authkit.md` +- `references/auth0.md` + +## Checklist + +- [ ] Chosen the correct auth provider before writing setup code +- [ ] Read the relevant provider reference file +- [ ] Asked whether the user wants local-only setup or production-ready setup +- [ ] Used the official provider docs for provider-specific wiring +- [ ] Used the official Convex docs for shared auth behavior and authorization patterns +- [ ] Only added app-level user storage if the app actually needs it +- [ ] Did not invent a cross-provider `users` table or `storeUser` flow for Convex Auth +- [ ] Added authentication checks in protected backend functions +- [ ] Added authorization checks where the app actually needs them +- [ ] Clear error messages ("Not authenticated", "Unauthorized") +- [ ] Client auth provider configured for the chosen provider +- [ ] If requested, production auth setup is covered too diff --git a/.agents/skills/convex-setup-auth/agents/openai.yaml b/.agents/skills/convex-setup-auth/agents/openai.yaml new file mode 100644 index 0000000..d1c90a1 --- /dev/null +++ b/.agents/skills/convex-setup-auth/agents/openai.yaml @@ -0,0 +1,10 @@ +interface: + display_name: "Convex Setup Auth" + short_description: "Set up Convex auth, user identity mapping, and access control." + icon_small: "./assets/icon.svg" + icon_large: "./assets/icon.svg" + brand_color: "#2563EB" + default_prompt: "Set up authentication for this Convex app. Figure out the provider first, then wire up the user model, identity mapping, and access control with the smallest solid implementation." + +policy: + allow_implicit_invocation: true diff --git a/.agents/skills/convex-setup-auth/assets/icon.svg b/.agents/skills/convex-setup-auth/assets/icon.svg new file mode 100644 index 0000000..4917dbb --- /dev/null +++ b/.agents/skills/convex-setup-auth/assets/icon.svg @@ -0,0 +1,3 @@ + diff --git a/.agents/skills/convex-setup-auth/references/auth0.md b/.agents/skills/convex-setup-auth/references/auth0.md new file mode 100644 index 0000000..9c729c5 --- /dev/null +++ b/.agents/skills/convex-setup-auth/references/auth0.md @@ -0,0 +1,116 @@ +# Auth0 + +Official docs: + +- https://docs.convex.dev/auth/auth0 +- https://auth0.github.io/auth0-cli/ +- https://auth0.github.io/auth0-cli/auth0_apps_create.html + +Use this when the app already uses Auth0 or the user wants Auth0 specifically. + +## Workflow + +1. Confirm the user wants Auth0 +2. Determine the app framework and whether Auth0 is already partly set up +3. Ask whether the user wants local-only setup or production-ready setup now +4. Read the official Convex and Auth0 guides before making changes +5. Ask whether they want the fastest setup path by installing the Auth0 CLI +6. If they agree, install the Auth0 CLI and do as much of the Auth0 app setup as possible through the CLI +7. If they do not want the CLI path, use the Auth0 dashboard path instead +8. Complete the relevant Auth0 frontend quickstart if the app does not already have Auth0 wired up +9. Configure `convex/auth.config.ts` with the Auth0 domain and client ID +10. Set environment variables for local and production environments +11. Wrap the app with `Auth0Provider` and `ConvexProviderWithAuth0` +12. Gate Convex-backed UI with Convex auth state +13. Try to verify Convex reports the user as authenticated after Auth0 login +14. If the refresh-token path fails, stop improvising and send the user back to the official docs +15. If the user wants production-ready setup, make sure the production Auth0 tenant and env vars are also covered + +## What To Do + +- Read the official Convex and Auth0 guide before writing setup code +- Prefer the Auth0 CLI path for mechanical setup if the user is willing to install it, but do not present it as a fully validated end-to-end path yet +- Ask the user directly: "The fastest path is to install the Auth0 CLI so I can do more of this for you. If you want, I can install it and then only ask you to log in when needed. Would you like me to do that?" +- Make sure the app has already completed the relevant Auth0 quickstart for its frontend +- Use the official examples for `Auth0Provider` and `ConvexProviderWithAuth0` +- If the Auth0 login or refresh flow starts failing in a way that is not clearly explained by the docs, say that plainly and fall back to the official docs instead of pretending the flow is validated + +## Key Setup Areas + +- install the Auth0 SDK for the app's framework +- configure `convex/auth.config.ts` with the Auth0 domain and client ID +- set environment variables for local and production environments +- wrap the app with `Auth0Provider` and `ConvexProviderWithAuth0` +- use Convex auth state when gating Convex-backed UI + +## Files and Env Vars To Expect + +- `convex/auth.config.ts` +- frontend app entry or provider wrapper +- Auth0 CLI install docs: `https://auth0.github.io/auth0-cli/` +- Auth0 environment variables commonly include: + - `AUTH0_DOMAIN` + - `AUTH0_CLIENT_ID` + - `VITE_AUTH0_DOMAIN` + - `VITE_AUTH0_CLIENT_ID` + +## Concrete Steps + +1. Start by reading `https://docs.convex.dev/auth/auth0` and the relevant Auth0 quickstart for the app's framework +2. Ask whether the user wants the Auth0 CLI path +3. If yes, install Auth0 CLI and have the user authenticate it with `auth0 login` +4. Use `auth0 apps create` with SPA settings, callback URL, logout URL, and web origins if creating a new app +5. If not using the CLI path, complete the relevant Auth0 frontend quickstart and create the Auth0 app in the dashboard +6. Get the Auth0 domain and client ID from the CLI output or the Auth0 dashboard +7. Install the Auth0 SDK for the app's framework +8. Create or update `convex/auth.config.ts` with the Auth0 domain and client ID +9. Set frontend and backend environment variables +10. Wrap the app in `Auth0Provider` +11. Replace plain `ConvexProvider` wiring with `ConvexProviderWithAuth0` +12. Run the normal Convex dev or deploy flow after backend config changes +13. Try the official provider config shown in the Convex docs +14. If login works but Convex auth or token refresh fails in a way you cannot clearly resolve, stop and tell the user to follow the official docs manually for now +15. Only claim success if the user can sign in and Convex recognizes the authenticated session +16. If the user wants production-ready setup, configure the production Auth0 tenant values and production environment variables too + +## Gotchas + +- The Convex docs assume the Auth0 side is already set up, so do not skip the Auth0 quickstart if the app is starting from scratch +- The Auth0 CLI is often the fastest path for a fresh setup, but it still requires the user to authenticate the CLI to their Auth0 tenant +- If the user agrees to install the Auth0 CLI, do the mechanical setup yourself instead of bouncing them through the dashboard +- If login succeeds but Convex still reports unauthenticated, double-check `convex/auth.config.ts` and whether the backend config was synced +- We were able to automate Auth0 app creation and Convex config wiring, but we did not fully validate the refresh-token path end to end +- In validation, the documented `useRefreshTokens={true}` and `cacheLocation="localstorage"` setup hit refresh-token failures, so do not present that path as settled +- If you hit Auth0 errors like `Unknown or invalid refresh token`, do not keep inventing fixes indefinitely, send the user back to the official docs and explain that this path is still under investigation +- Keep dev and prod tenants separate if the project uses different Auth0 environments +- Do not confuse "Auth0 login works" with "Convex can validate the Auth0 token". Both need to work. +- If the repo already uses Auth0, preserve existing redirect and tenant configuration unless the user asked to change it. +- Do not assume the local Auth0 tenant settings match production. Verify the production domain, client ID, and callback URLs separately. +- For local dev, make sure the Auth0 app settings match the app's real local port for callback URLs, logout URLs, and web origins + +## Production + +- Ask whether the user wants dev-only setup or production-ready setup +- If the answer is production-ready, make sure the production Auth0 tenant values, callback URLs, and Convex deployment config are all covered +- Verify production environment variables and redirect settings before calling the task complete +- Do not silently write a notes file into the repo by default. If the user wants rollout or handoff docs, create one explicitly. + +## Validation + +- Verify the user can complete the Auth0 login flow +- Verify Convex-authenticated UI renders only after Convex auth state is ready +- Verify protected Convex queries succeed after login +- Verify `ctx.auth.getUserIdentity()` is non-null in protected backend functions +- Verify the Auth0 app settings match the real local callback and logout URLs during development +- If the Auth0 refresh-token path fails, mark the setup as not fully validated and direct the user to the official docs instead of claiming the skill completed successfully +- If production-ready setup was requested, verify the production Auth0 configuration is also covered + +## Checklist + +- [ ] Confirm the user wants Auth0 +- [ ] Ask whether the user wants local-only setup or production-ready setup +- [ ] Complete the relevant Auth0 frontend setup +- [ ] Configure `convex/auth.config.ts` +- [ ] Set environment variables +- [ ] Verify Convex authenticated state after login, or explicitly tell the user this path is still under investigation and send them to the official docs +- [ ] If requested, configure the production deployment too diff --git a/.agents/skills/convex-setup-auth/references/clerk.md b/.agents/skills/convex-setup-auth/references/clerk.md new file mode 100644 index 0000000..7dbde19 --- /dev/null +++ b/.agents/skills/convex-setup-auth/references/clerk.md @@ -0,0 +1,113 @@ +# Clerk + +Official docs: + +- https://docs.convex.dev/auth/clerk +- https://clerk.com/docs/guides/development/integrations/databases/convex + +Use this when the app already uses Clerk or the user wants Clerk's hosted auth features. + +## Workflow + +1. Confirm the user wants Clerk +2. Make sure the user has a Clerk account and a Clerk application +3. Determine the app framework: + - React + - Next.js + - TanStack Start +4. Ask whether the user wants local-only setup or production-ready setup now +5. Gather the Clerk keys and the Clerk Frontend API URL +6. Follow the correct framework section in the official docs +7. Complete the backend and client wiring +8. Verify Convex reports the user as authenticated after login +9. If the user wants production-ready setup, make sure the production Clerk config is also covered + +## What To Do + +- Read the official Convex and Clerk guide before writing setup code +- If the user does not already have Clerk set up, send them to `https://dashboard.clerk.com/sign-up` to create an account and `https://dashboard.clerk.com/apps/new` to create an application +- Send the user to `https://dashboard.clerk.com/apps/setup/convex` if the Convex integration is not already active +- Match the guide to the app's framework, usually React, Next.js, or TanStack Start +- Use the official examples for `ConvexProviderWithClerk`, `ClerkProvider`, and `useAuth` + +## Key Setup Areas + +- install the Clerk SDK for the framework in use +- configure `convex/auth.config.ts` with the Clerk issuer domain +- set the required Clerk environment variables +- wrap the app with `ClerkProvider` and `ConvexProviderWithClerk` +- use Convex auth-aware UI patterns such as `Authenticated`, `Unauthenticated`, and `AuthLoading` + +## Files and Env Vars To Expect + +- `convex/auth.config.ts` +- React or Vite client entry such as `src/main.tsx` +- Next.js client wrapper for Convex if using App Router +- Clerk account sign-up page: `https://dashboard.clerk.com/sign-up` +- Clerk app creation page: `https://dashboard.clerk.com/apps/new` +- Clerk Convex integration page: `https://dashboard.clerk.com/apps/setup/convex` +- Clerk API keys page: `https://dashboard.clerk.com/last-active?path=api-keys` +- Clerk environment variables: + - `CLERK_JWT_ISSUER_DOMAIN` for Convex backend validation in the Convex docs + - `CLERK_FRONTEND_API_URL` in the Clerk docs + - `VITE_CLERK_PUBLISHABLE_KEY` for Vite apps + - `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` for Next.js apps + - `CLERK_SECRET_KEY` for Next.js server-side Clerk setup where required + +`CLERK_JWT_ISSUER_DOMAIN` and `CLERK_FRONTEND_API_URL` refer to the same Clerk Frontend API URL value. Do not treat them as two different URLs. + +## Concrete Steps + +1. If needed, create a Clerk account at `https://dashboard.clerk.com/sign-up` +2. If needed, create a Clerk application at `https://dashboard.clerk.com/apps/new` +3. Open `https://dashboard.clerk.com/last-active?path=api-keys` and copy the publishable key, plus the secret key for Next.js where needed +4. Open `https://dashboard.clerk.com/apps/setup/convex` +5. Activate the Convex integration in Clerk if it is not already active +6. Copy the Clerk Frontend API URL shown there +7. Install the Clerk package for the app's framework +8. Create or update `convex/auth.config.ts` so Convex validates Clerk tokens +9. Set the publishable key in the frontend environment +10. Set the issuer domain or Frontend API URL so Convex can validate the JWT +11. Replace plain `ConvexProvider` wiring with `ConvexProviderWithClerk` +12. Wrap the app in `ClerkProvider` +13. Use Convex auth helpers for authenticated rendering +14. Run the normal Convex dev or deploy flow after updating backend auth config +15. If the user wants production-ready setup, configure the production Clerk values and production issuer domain too + +## Gotchas + +- Prefer `useConvexAuth()` over raw Clerk auth state when deciding whether Convex-authenticated UI can render +- For Next.js, keep server and client boundaries in mind when creating the Convex provider wrapper +- After changing `convex/auth.config.ts`, run the normal Convex dev or deploy flow so the backend picks up the new config +- Do not stop at "Clerk login works". The important check is that Convex also sees the session and can authenticate requests. +- If the repo already uses Clerk, preserve its existing auth flow unless the user asked to change it. +- Do not assume the same Clerk values work for both dev and production. Check the production issuer domain and publishable key separately. +- The Convex setup page is where you get the Clerk Frontend API URL for Convex. Keep using the Clerk API keys page for the publishable key and the secret key. +- If Convex says no auth provider matched the token, first confirm the Clerk Convex integration was activated at `https://dashboard.clerk.com/apps/setup/convex` +- After activating the Clerk Convex integration, sign out completely and sign back in before retesting. An old Clerk session can keep using a token that Convex rejects. + +## Production + +- Ask whether the user wants dev-only setup or production-ready setup +- If the answer is production-ready, make sure production Clerk keys and issuer configuration are included +- Verify production redirect URLs and any production Clerk domain values before calling the task complete +- Do not silently write a notes file into the repo by default. If the user wants rollout or handoff docs, create one explicitly. + +## Validation + +- Verify the user can sign in with Clerk +- If the Clerk integration was just activated, verify after a full Clerk sign-out and fresh sign-in +- Verify `useConvexAuth()` reaches the authenticated state after Clerk login +- Verify protected Convex queries run successfully inside authenticated UI +- Verify `ctx.auth.getUserIdentity()` is non-null in protected backend functions +- If production-ready setup was requested, verify the production Clerk configuration is also covered + +## Checklist + +- [ ] Confirm the user wants Clerk +- [ ] Ask whether the user wants local-only setup or production-ready setup +- [ ] Follow the correct framework section in the official guide +- [ ] Set Clerk environment variables +- [ ] Configure `convex/auth.config.ts` +- [ ] Verify Convex authenticated state after login +- [ ] If requested, configure the production deployment too diff --git a/.agents/skills/convex-setup-auth/references/convex-auth.md b/.agents/skills/convex-setup-auth/references/convex-auth.md new file mode 100644 index 0000000..d4824d2 --- /dev/null +++ b/.agents/skills/convex-setup-auth/references/convex-auth.md @@ -0,0 +1,143 @@ +# Convex Auth + +Official docs: https://docs.convex.dev/auth/convex-auth +Setup guide: https://labs.convex.dev/auth/setup + +Use this when the user wants auth handled directly in Convex rather than through a third-party provider. + +## Workflow + +1. Confirm the user wants Convex Auth specifically +2. Determine which sign-in methods the app needs: + - magic links or OTPs + - OAuth providers + - passwords and password reset +3. Ask whether the user wants local-only setup or production-ready setup now +4. Read the Convex Auth setup guide before writing code +5. Make sure the project has a configured Convex deployment: + - run `npx convex dev` first if `CONVEX_DEPLOYMENT` is not set + - if CLI configuration requires interactive human input, stop and ask the user to complete that step before continuing +6. Install the auth packages: + - `npm install @convex-dev/auth @auth/core@0.37.0` +7. Run the initialization command: + - `npx @convex-dev/auth` +8. Confirm the initializer created: + - `convex/auth.config.ts` + - `convex/auth.ts` + - `convex/http.ts` +9. Add the required `authTables` to `convex/schema.ts` +10. Replace plain `ConvexProvider` wiring with `ConvexAuthProvider` +11. Configure at least one auth method in `convex/auth.ts` +12. Run `npx convex dev --once` or the normal dev flow to push the updated schema and generated code +13. Verify the client can sign in successfully +14. Verify Convex receives authenticated identity in backend functions +15. If the user wants production-ready setup, make sure the same auth setup is configured for the production deployment as well +16. Only add a `users` table and `storeUser` flow if the app needs app-level user records inside Convex + +## What This Reference Is For + +- choosing Convex Auth as the default provider for a new Convex app +- understanding whether the app wants magic links, OTPs, OAuth, or passwords +- keeping the setup provider-specific while using the official Convex Auth docs for identity and authorization behavior + +## What To Do + +- Read the Convex Auth setup guide before writing setup code +- Follow the setup flow from the docs rather than recreating it from memory +- If the app is new, consider starting from the official starter flow instead of hand-wiring everything +- Treat `npx @convex-dev/auth` as a required initialization step for existing apps, not an optional extra + +## Concrete Steps + +1. Install `@convex-dev/auth` and `@auth/core@0.37.0` +2. Run `npx convex dev` if the project does not already have a configured deployment +3. If `npx convex dev` blocks on interactive setup, ask the user explicitly to finish configuring the Convex deployment +4. Run `npx @convex-dev/auth` +5. Confirm the generated auth setup is present before continuing: + - `convex/auth.config.ts` + - `convex/auth.ts` + - `convex/http.ts` +6. Add `authTables` to `convex/schema.ts` +7. Replace `ConvexProvider` with `ConvexAuthProvider` in the app entry +8. Configure the selected auth methods in `convex/auth.ts` +9. Run `npx convex dev --once` or the normal dev flow so the updated schema and auth files are pushed +10. Verify login locally +11. If the user wants production-ready setup, repeat the required auth configuration against the production deployment + +## Expected Files and Decisions + +- `convex/schema.ts` +- frontend app entry such as `src/main.tsx` or the framework-equivalent provider file +- generated Convex Auth setup produced by `npx @convex-dev/auth` +- an existing configured Convex deployment, or the ability to create one with `npx convex dev` +- `convex/auth.ts` starts with `providers: []` until the app configures actual sign-in methods + +- Decide whether the user is creating a new app or adding auth to an existing app +- For a new app, prefer the official starter flow instead of rebuilding setup by hand +- Decide which auth methods the app needs: + - magic links or OTPs + - OAuth providers + - passwords +- Decide whether the user wants local-only setup or production-ready setup now +- Decide whether the app actually needs a `users` table inside Convex, or whether provider identity alone is enough + +## Gotchas + +- Do not assume a specific sign-in method. Ask which methods the app needs before wiring UI and backend behavior. +- `npx @convex-dev/auth` is important because it initializes the auth setup, including the key material. Do not skip it when adding Convex Auth to an existing project. +- `npx @convex-dev/auth` will fail if the project does not already have a configured `CONVEX_DEPLOYMENT`. +- `npx convex dev` may require interactive setup for deployment creation or project selection. If that happens, ask the user explicitly for that human step instead of guessing. +- `npx @convex-dev/auth` does not finish the whole integration by itself. You still need to add `authTables`, swap in `ConvexAuthProvider`, and configure at least one auth method. +- A project can still build even if `convex/auth.ts` still has `providers: []`, so do not treat a successful build as proof that sign-in is fully configured. +- Convex Auth does not mean every app needs a `users` table. If the app only needs authentication gates, `ctx.auth.getUserIdentity()` may be enough. +- If the app is greenfield, starting from the official starter flow is usually better than partially recreating it by hand. +- Do not stop at local dev setup if the user expects production-ready auth. The production deployment needs the auth setup too. +- Keep provider-specific setup and Convex Auth authorization behavior in the official docs instead of inventing shared patterns from memory. + +## Production + +- Ask whether the user wants dev-only setup or production-ready setup +- If the answer is production-ready, make sure the auth configuration is applied to the production deployment, not just the dev deployment +- Verify production-specific redirect URLs, auth method configuration, and deployment settings before calling the task complete +- Do not silently write a notes file into the repo by default. If the user wants rollout or handoff docs, create one explicitly. + +## Human Handoff + +If `npx convex dev` or deployment setup requires human input: + +- stop and explain exactly what the user needs to do +- say why that step is required +- resume the auth setup immediately after the user confirms it is done + +## Validation + +- Verify the user can complete a sign-in flow +- Offer to validate sign up, sign out, and sign back in with the configured auth method +- If browser automation is available in the environment, you can do this directly +- If browser automation is not available, give the user a short manual validation checklist instead +- Verify `ctx.auth.getUserIdentity()` returns an identity in protected backend functions +- Verify protected UI only renders after Convex-authenticated state is ready +- Verify environment variables and redirect settings match the current app environment +- Verify `convex/auth.ts` no longer has an empty `providers: []` configuration once the app is meant to support real sign-in +- Run `npx convex dev --once` or the normal dev flow after setup changes and confirm Convex codegen and push succeed +- If production-ready setup was requested, verify the production deployment is also configured correctly + +## Checklist + +- [ ] Confirm the user wants Convex Auth specifically +- [ ] Ask whether the user wants local-only setup or production-ready setup +- [ ] Ensure a Convex deployment is configured before running auth initialization +- [ ] Install `@convex-dev/auth` and `@auth/core@0.37.0` +- [ ] Run `npx convex dev` first if needed +- [ ] Run `npx @convex-dev/auth` +- [ ] Confirm `convex/auth.config.ts`, `convex/auth.ts`, and `convex/http.ts` were created +- [ ] Follow the setup guide for package install and wiring +- [ ] Add `authTables` to `convex/schema.ts` +- [ ] Replace `ConvexProvider` with `ConvexAuthProvider` +- [ ] Configure at least one auth method in `convex/auth.ts` +- [ ] Run `npx convex dev --once` or the normal dev flow after setup changes +- [ ] Confirm which sign-in methods the app needs +- [ ] Verify the client can sign in and the backend receives authenticated identity +- [ ] Offer end-to-end validation of sign up, sign out, and sign back in +- [ ] If requested, configure the production deployment too +- [ ] Only add extra `users` table sync if the app needs app-level user records diff --git a/.agents/skills/convex-setup-auth/references/workos-authkit.md b/.agents/skills/convex-setup-auth/references/workos-authkit.md new file mode 100644 index 0000000..038cb9f --- /dev/null +++ b/.agents/skills/convex-setup-auth/references/workos-authkit.md @@ -0,0 +1,114 @@ +# WorkOS AuthKit + +Official docs: + +- https://docs.convex.dev/auth/authkit/ +- https://docs.convex.dev/auth/authkit/add-to-app +- https://docs.convex.dev/auth/authkit/auto-provision + +Use this when the app already uses WorkOS or the user wants AuthKit specifically. + +## Workflow + +1. Confirm the user wants WorkOS AuthKit +2. Determine whether they want: + - a Convex-managed WorkOS team + - an existing WorkOS team +3. Ask whether the user wants local-only setup or production-ready setup now +4. Read the official Convex and WorkOS AuthKit guide +5. Create or update `convex.json` for the app's framework and real local port +6. Follow the correct branch of the setup flow based on that choice +7. Configure the required WorkOS environment variables +8. Configure `convex/auth.config.ts` for WorkOS-issued JWTs +9. Wire the client provider and callback flow +10. Verify authenticated requests reach Convex +11. If the user wants production-ready setup, make sure the production WorkOS configuration is covered too +12. Only add `storeUser` or a `users` table if the app needs first-class user rows inside Convex + +## What To Do + +- Read the official Convex and WorkOS AuthKit guide before writing setup code +- Determine whether the user wants a Convex-managed WorkOS team or an existing WorkOS team +- Treat `convex.json` as a first-class part of the AuthKit setup, not an optional extra +- Follow the current setup flow from the docs instead of relying on older examples + +## Key Setup Areas + +- package installation for the app's framework +- `convex.json` with the `authKit` section for dev, and preview or prod if needed +- environment variables such as `WORKOS_CLIENT_ID`, `WORKOS_API_KEY`, and redirect configuration +- `convex/auth.config.ts` wiring for WorkOS-issued JWTs +- client provider setup and token flow into Convex +- login callback and redirect configuration + +## Files and Env Vars To Expect + +- `convex.json` +- `convex/auth.config.ts` +- frontend auth provider wiring +- callback or redirect route setup where the framework requires it +- WorkOS environment variables commonly include: + - `WORKOS_CLIENT_ID` + - `WORKOS_API_KEY` + - `WORKOS_COOKIE_PASSWORD` + - `VITE_WORKOS_CLIENT_ID` + - `VITE_WORKOS_REDIRECT_URI` + - `NEXT_PUBLIC_WORKOS_REDIRECT_URI` + +For a managed WorkOS team, `convex dev` can provision the AuthKit environment and write local env vars such as `VITE_WORKOS_CLIENT_ID` and `VITE_WORKOS_REDIRECT_URI` into `.env.local` for Vite apps. + +## Concrete Steps + +1. Choose Convex-managed or existing WorkOS team +2. Create or update `convex.json` with the `authKit` section for the framework in use +3. Make sure the dev `redirectUris`, `appHomepageUrl`, `corsOrigins`, and local redirect env vars match the app's actual local port +4. For a managed WorkOS team, run `npx convex dev` and follow the interactive onboarding flow +5. For an existing WorkOS team, get `WORKOS_CLIENT_ID` and `WORKOS_API_KEY` from the WorkOS dashboard and set them with `npx convex env set` +6. Create or update `convex/auth.config.ts` for WorkOS JWT validation +7. Run the normal Convex dev or deploy flow so backend config is synced +8. Wire the WorkOS client provider in the app +9. Configure callback and redirect handling +10. Verify the user can sign in and return to the app +11. Verify Convex sees the authenticated user after login +12. If the user wants production-ready setup, configure the production client ID, API key, redirect URI, and deployment settings too + +## Gotchas + +- The docs split setup between Convex-managed and existing WorkOS teams, so ask which path the user wants if it is not obvious +- Keep dev and prod WorkOS configuration separate where the docs call for different client IDs or API keys +- Only add `storeUser` or a `users` table if the app needs first-class user rows inside Convex +- Do not mix dev and prod WorkOS credentials or redirect URIs +- If the repo already contains WorkOS setup, preserve the current tenant model unless the user wants to change it +- For managed WorkOS setup, `convex dev` is interactive the first time. In non-interactive terminals, stop and ask the user to complete the onboarding prompts. +- `convex.json` is not optional for the managed AuthKit flow. It drives redirect URI, homepage URL, CORS configuration, and local env var generation. +- If the frontend starts on a different port than the one in `convex.json`, the hosted WorkOS sign-in flow will point to the wrong callback URL. Update `convex.json`, update the local redirect env var, and run `npx convex dev` again. +- Vite can fall off `5173` if other apps are already running. Do not assume the default port still matches the generated AuthKit config. +- A successful WorkOS sign-in should redirect back to the local callback route and then reach a Convex-authenticated state. Do not stop at "the hosted WorkOS page loaded." + +## Production + +- Ask whether the user wants dev-only setup or production-ready setup +- If the answer is production-ready, make sure the production WorkOS client ID, API key, redirect URI, and Convex deployment config are all covered +- Verify the production redirect and callback settings before calling the task complete +- Do not silently write a notes file into the repo by default. If the user wants rollout or handoff docs, create one explicitly. + +## Validation + +- Verify the user can complete the login flow and return to the app +- Verify the callback URL matches the real frontend port in local dev +- Verify Convex receives authenticated requests after login +- Verify `convex.json` matches the framework and chosen WorkOS setup path +- Verify `convex/auth.config.ts` matches the chosen WorkOS setup path +- Verify environment variables differ correctly between local and production where needed +- If production-ready setup was requested, verify the production WorkOS configuration is also covered + +## Checklist + +- [ ] Confirm the user wants WorkOS AuthKit +- [ ] Ask whether the user wants local-only setup or production-ready setup +- [ ] Choose Convex-managed or existing WorkOS team +- [ ] Create or update `convex.json` +- [ ] Configure WorkOS environment variables +- [ ] Configure `convex/auth.config.ts` +- [ ] Verify authenticated requests reach Convex after login +- [ ] If requested, configure the production deployment too diff --git a/README.md b/README.md index 91cbd18..d476141 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,18 @@ Open-source customer messaging platform - an alternative to Intercom. +## Quick Start + +After cloning the repo, run one setup command: + +```bash +./scripts/setup.sh +``` + +It installs dependencies, creates or reuses a Convex dev deployment, configures Convex Auth, creates or reuses a workspace, and writes the local `.env.local` files for the web, widget, mobile, landing, and SDK example apps. + +Prerequisites: Node.js 18+, PNPM 9+, and a Convex account. + ## Documentation ### Quick Links @@ -100,14 +112,14 @@ For the canonical setup paths (quickstart, self-host, env vars, deployment profi ### Quick Start (Self-Hosters) -The fastest way to get Opencom running locally: +The fastest supported local setup path is the bootstrap script: ```bash # Clone the repository git clone https://github.com/opencom-org/opencom.git cd opencom -# Run the setup script +# Run the one-command setup ./scripts/setup.sh ``` @@ -115,11 +127,11 @@ The setup script will: 1. Check prerequisites (Node.js 18+, PNPM 9+) 2. Install dependencies -3. Create a Convex project and deploy -4. Prompt for your admin email and password -5. Create your workspace and admin account -6. Generate all `.env.local` files -7. Start the web dashboard and widget +3. Configure or reuse a Convex dev deployment with the current CLI flow +4. Validate the local password-auth bootstrap env contract +5. Sign up or sign in through the repo's real Convex Auth password flow +6. Generate/update all supported `.env.local` files without deleting unrelated keys +7. Optionally offer to start the web dashboard and widget **Prerequisites:** @@ -133,31 +145,38 @@ The setup script will: ./scripts/setup.sh --email admin@example.com --password yourpassword --non-interactive --skip-dev ``` +**Force a reconfigure or create a new workspace on rerun:** + +```bash +./scripts/setup.sh --reconfigure +./scripts/setup.sh --create-workspace --workspace "My New Workspace" +``` + **Update environment files:** ```bash ./scripts/update-env.sh --url https://your-project.convex.cloud --workspace your_workspace_id ``` -### Manual Setup +### Manual Setup (Escape Hatch) -If you prefer manual setup: +Prefer `./scripts/setup.sh`. Use this path only when you need to debug or control each setup step yourself: ```bash # Install dependencies pnpm install -# Navigate to convex package -cd packages/convex +# Configure the local Convex dev deployment +pnpm --filter @opencom/convex exec convex dev --once -# Login to Convex -npx convex login +# Configure Convex Auth JWT_PRIVATE_KEY/JWKS and SITE_URL +pnpm --filter @opencom/convex exec convex auth add -# Initialize and deploy -npx convex dev +# Propagate the backend URL and workspace into the local app env files +./scripts/update-env.sh --url https://your-project.convex.cloud --workspace your_workspace_id ``` -Then create `.env.local` files manually (see Environment Variables Reference below). +You still need to create or reuse an admin/workspace yourself before `update-env.sh` can wire a real workspace ID into the local app env files. ## Development @@ -225,15 +244,17 @@ npx convex login # Create and deploy your project npx convex dev --once + +# Configure Convex Auth +pnpm exec convex auth add ``` -**2. Configure environment variables in Convex Dashboard:** +**2. Configure optional integration environment variables in Convex Dashboard:** -Go to your Convex dashboard → Settings → Environment Variables and set: +`pnpm exec convex auth add` configures the required Convex Auth `JWT_PRIVATE_KEY` and `JWKS` values. For optional email features, go to your Convex dashboard → Settings → Environment Variables and set: | Variable | Required | Description | | ---------------- | --------- | ------------------------------------------------------------------------ | -| `AUTH_SECRET` | Yes | Random string for JWT signing (generate with `openssl rand -base64 32`) | | `RESEND_API_KEY` | For email | API key from [Resend](https://resend.com) for sending emails | | `EMAIL_FROM` | For email | Email address to send from (e.g., `YourCompany`) | @@ -390,7 +411,8 @@ Set these in your Convex Dashboard → Settings → Environment Variables: | Variable | Required | Description | | --------------------------------------------------- | --------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | -| `AUTH_SECRET` | Yes | Secret for JWT signing | +| `JWT_PRIVATE_KEY` | Yes | Private key for Convex Auth JWT signing | +| `JWKS` | Yes | Public key set matching `JWT_PRIVATE_KEY` for Convex Auth JWT verification | | `AUTH_RESEND_KEY` | For email | Resend API key for OTP email sending | | `RESEND_API_KEY` | For email | Resend API key for transactional/campaign emails | | `EMAIL_FROM` | For email | Sender email address (e.g., `Opencom `) | @@ -489,11 +511,9 @@ Opencom uses a dedicated Convex test deployment to avoid polluting development o **Setting up the test deployment:** ```bash -# Navigate to convex package -cd packages/convex - -# Create and deploy to test project (first time only) -npx convex dev --project opencom-test --once +# Create or reuse a dedicated test deployment, then configure Convex Auth +pnpm --filter @opencom/convex exec convex dev --once --configure +pnpm --filter @opencom/convex exec convex auth add # Create a local test env file from template cp .env.test.example .env.test @@ -568,8 +588,9 @@ When self-hosting Opencom, consider these security best practices: | `EMAIL_WEBHOOK_INTERNAL_SECRET` | Restrict webhook-only email handlers to trusted internal callers | Convex Dashboard | | `ENFORCE_WEBHOOK_SIGNATURES` | Fail closed on webhook signature/internal-secret validation (`true` by default) | Convex Dashboard | | `WEBHOOK_MAX_AGE_SECONDS` | Replay-window bound for webhook signatures (default: 300s) | Convex Dashboard | -| `AUTH_SECRET` | Sign authentication/session tokens | Convex Dashboard | -| `CONVEX_SITE_URL` | Auth callback domain used by Convex Auth provider | Convex Dashboard | +| `JWT_PRIVATE_KEY` | Sign authentication/session tokens | Convex Dashboard | +| `JWKS` | Verify authentication/session tokens | Convex Dashboard | +| `CONVEX_SITE_URL` | Auth issuer and JWKS endpoint used by Convex Auth provider | Convex-managed | | `ALLOW_TEST_DATA` | Enable/disable test data mutations | Convex Dashboard | | `TEST_ADMIN_SECRET` | Secure test admin gateway for internal test mutations | Convex Dashboard (test deployments only) | @@ -673,8 +694,8 @@ try { **"Could not determine Convex deployment URL"** -- Ensure you're logged into Convex: `npx convex whoami` -- Try running `npx convex dev --once` manually in `packages/convex/` +- Rerun `./scripts/setup.sh --reconfigure` and complete the Convex CLI login/project-selection flow. +- If you are debugging manually, run `pnpm --filter @opencom/convex exec convex dev --once --configure`. **"npx convex login" hangs or fails** diff --git a/apps/landing/.env.example b/apps/landing/.env.example index 27c427b..22a7559 100644 --- a/apps/landing/.env.example +++ b/apps/landing/.env.example @@ -9,9 +9,11 @@ NEXT_PUBLIC_WIDGET_URL=https://cdn.opencom.dev/widget.js NEXT_PUBLIC_OPENCOM_WEB_APP_URL= # Your Convex deployment URL +# Tip: ./scripts/update-env.sh fills this in automatically for local setup NEXT_PUBLIC_CONVEX_URL= # Your Opencom workspace ID +# Tip: ./scripts/update-env.sh fills this in automatically for local setup NEXT_PUBLIC_WORKSPACE_ID= # ─── Demo Seed ─────────────────────────────────────────────── diff --git a/apps/landing/README.md b/apps/landing/README.md index a4231c5..11c63dc 100644 --- a/apps/landing/README.md +++ b/apps/landing/README.md @@ -10,6 +10,8 @@ cp .env.example .env.local pnpm dev:landing ``` +If you already ran the repo bootstrap, `./scripts/update-env.sh` writes these values for you. + ## Widget Embed Behavior `src/components/widget-script.tsx` uses a declarative script tag with `data-opencom-*` attributes. @@ -40,7 +42,7 @@ CONVEX_URL= WORKSPACE_ID= TEST_ADMIN_SECRET= | ------------------ | ---------------------------------------------------------------------------------------------------------- | | Product Tour | 5-step tour targeting current landing hooks (hero CTA, features section, product-tour showcase, final CTA) | | Checklist | "Explore Opencom" with 5 tasks | -| Knowledge Base | 6 collections, 24 published articles covering hosted, self-hosting, SDKs, security, and operations docs | +| Knowledge Base | 6 collections, 24 published articles covering hosted, self-hosting, SDKs, security, and operations docs | | Outbound Messages | Welcome post (click → new conversation) + docs banner (click → URL) | | Survey | NPS survey after 60s on page | | Tooltips | 3 contextual hints on hero CTA, product-tour showcase, and GitHub nav link | diff --git a/apps/mobile/.env.example b/apps/mobile/.env.example new file mode 100644 index 0000000..45cbf3c --- /dev/null +++ b/apps/mobile/.env.example @@ -0,0 +1,6 @@ +# Opencom mobile app local defaults +# Copy to .env.local for manual setup, or run ./scripts/update-env.sh + +EXPO_PUBLIC_OPENCOM_DEFAULT_BACKEND_URL=https://your-deployment.convex.cloud +EXPO_PUBLIC_CONVEX_URL=https://your-deployment.convex.cloud +EXPO_PUBLIC_WORKSPACE_ID=your-workspace-id diff --git a/apps/web/.env.example b/apps/web/.env.example new file mode 100644 index 0000000..bc545c3 --- /dev/null +++ b/apps/web/.env.example @@ -0,0 +1,14 @@ +# Opencom web dashboard local defaults +# Copy to .env.local for manual setup, or run ./scripts/update-env.sh + +# Backend URL used by the backend picker/discovery flow +NEXT_PUBLIC_OPENCOM_DEFAULT_BACKEND_URL=https://your-deployment.convex.cloud + +# Convex URL used by widget preview/demo and local helper flows +NEXT_PUBLIC_CONVEX_URL=https://your-deployment.convex.cloud + +# Optional: workspace used by the local widget demo page +NEXT_PUBLIC_TEST_WORKSPACE_ID=your-workspace-id + +# Optional: backend override used by Playwright helpers +E2E_BACKEND_URL=https://your-deployment.convex.cloud diff --git a/apps/widget/.env.example b/apps/widget/.env.example index 384c1ed..e371f0f 100644 --- a/apps/widget/.env.example +++ b/apps/widget/.env.example @@ -1,8 +1,8 @@ # Copy this file to .env.local and fill in your values # Convex deployment URL (required) +# Tip: ./scripts/update-env.sh fills this in automatically for local setup VITE_CONVEX_URL=https://your-deployment.convex.cloud -# Workspace ID from your mobile app Settings screen (required for dev mode) -# Go to Settings > Workspace > tap "Workspace ID" to copy +# Workspace ID from the local bootstrap or app settings screen (required for dev mode) VITE_WORKSPACE_ID=your_workspace_id_here diff --git a/docs/open-source/setup-self-host-and-deploy.md b/docs/open-source/setup-self-host-and-deploy.md index d6fc304..f5e493b 100644 --- a/docs/open-source/setup-self-host-and-deploy.md +++ b/docs/open-source/setup-self-host-and-deploy.md @@ -10,13 +10,21 @@ This guide is the canonical OSS setup and deployment reference for Opencom. ## Fastest Setup Path -Use the repo bootstrap script: +Use the repo bootstrap script. This is the preferred path for new users: ```bash ./scripts/setup.sh ``` -The script performs dependency install, Convex initialization, basic auth env setup, local `.env.local` generation, and optional dev server start. +The script now: + +- runs `pnpm install` +- configures or reuses the local Convex dev deployment with the current `convex dev --once` flow +- validates the local password-auth bootstrap env contract and generates `JWT_PRIVATE_KEY`/`JWKS` when needed +- signs up or signs in through the repo's real `auth:signIn` password flow +- resolves an existing workspace by default, with explicit opt-in workspace creation on reruns +- updates the supported local `.env.local` files non-destructively +- optionally offers to start the web/widget dev servers at the end Update generated env files later with: @@ -24,11 +32,24 @@ Update generated env files later with: ./scripts/update-env.sh --url https://.convex.cloud --workspace ``` +Helpful rerun flags: + +```bash +./scripts/setup.sh --reconfigure +./scripts/setup.sh --create-workspace --workspace "My New Workspace" +./scripts/setup.sh --non-interactive --email admin@example.com --password 'Opencom!123' --skip-dev +``` + ## Manual Setup (step-by-step) +Use this only when debugging or when you need to control each step yourself. +The one-command setup above also handles admin/workspace bootstrap; this manual path requires you to resolve a real workspace ID before running `update-env.sh`. + ```bash pnpm install -pnpm --filter @opencom/convex dev +pnpm --filter @opencom/convex exec convex dev --once +pnpm --filter @opencom/convex exec convex auth add +./scripts/update-env.sh --url https://.convex.cloud --workspace pnpm dev:web pnpm dev:widget ``` @@ -84,40 +105,44 @@ By default, each deploy publishes a unique immutable runtime key (`v/` | Admin email address | | `--password ` | Admin password | | `--name ` | Admin display name | -| `--workspace ` | Workspace name | -| `--skip-dev` | Skip starting dev server | +| `--workspace ` | Workspace name when creating a new workspace | +| `--reconfigure` | Force Convex CLI reconfiguration | +| `--create-workspace` | Create a new workspace on an existing deployment | +| `--skip-dev` | Skip the dev-server prompt entirely | +| `--start-dev` | Start web + widget dev servers automatically | | `--non-interactive` | Run without prompts (requires --email and --password) | **Non-interactive example (CI):** @@ -41,7 +45,7 @@ Interactive setup script for first-time Opencom installation. ### `update-env.sh` -Regenerates `.env.local` files after setup or configuration changes. +Refreshes the Opencom-managed local env keys after setup or configuration changes. ```bash ./scripts/update-env.sh --url https://your-project.convex.cloud --workspace your_workspace_id @@ -52,6 +56,8 @@ Regenerates `.env.local` files after setup or configuration changes. | `--url ` | Convex deployment URL | | `--workspace ` | Workspace ID | +`update-env.sh` preserves unrelated manual keys and comments in the target files instead of overwriting them wholesale. + ## Build & Deploy ### `build-widget-for-tests.sh` @@ -264,18 +270,18 @@ Files in `security/` configure CI gate behavior: ### Quality -| Command | Description | -| ------------------------ | ------------------------------------------------- | -| `pnpm web:lint` | Lint `@opencom/web` using ESLint CLI | +| Command | Description | +| ------------------------ | -------------------------------------------------------- | +| `pnpm web:lint` | Lint `@opencom/web` using ESLint CLI | | `pnpm convex:lint` | Lint `@opencom/convex` Help Center import/export modules | -| `pnpm quality:lint` | Run standardized lint gates for web + convex | -| `pnpm web:typecheck` | Typecheck `@opencom/web` | -| `pnpm convex:typecheck` | Typecheck `@opencom/convex` | -| `pnpm quality:typecheck` | Run standardized typecheck gates for web + convex | -| `pnpm lint` | Lint all packages (workspace-wide) | -| `pnpm format` | Format all files | -| `pnpm format:check` | Check formatting | -| `pnpm typecheck` | Typecheck all packages | +| `pnpm quality:lint` | Run standardized lint gates for web + convex | +| `pnpm web:typecheck` | Typecheck `@opencom/web` | +| `pnpm convex:typecheck` | Typecheck `@opencom/convex` | +| `pnpm quality:typecheck` | Run standardized typecheck gates for web + convex | +| `pnpm lint` | Lint all packages (workspace-wide) | +| `pnpm format` | Format all files | +| `pnpm format:check` | Check formatting | +| `pnpm typecheck` | Typecheck all packages | ### Testing diff --git a/docs/testing.md b/docs/testing.md index b17befe..0090e9e 100644 --- a/docs/testing.md +++ b/docs/testing.md @@ -19,13 +19,11 @@ To avoid polluting development or production data, tests run against a dedicated **Initial Setup:** ```bash -cd packages/convex +# Create or reuse a dedicated Convex test deployment +pnpm --filter @opencom/convex exec convex dev --once --configure -# Login to Convex (if not already) -npx convex login - -# Create test deployment -npx convex dev --project opencom-test --once +# Configure Convex Auth JWT_PRIVATE_KEY/JWKS and SITE_URL +pnpm --filter @opencom/convex exec convex auth add ``` **Configuration:** diff --git a/openspec/changes/foolproof-local-convex-setup/.openspec.yaml b/openspec/changes/foolproof-local-convex-setup/.openspec.yaml new file mode 100644 index 0000000..863bff1 --- /dev/null +++ b/openspec/changes/foolproof-local-convex-setup/.openspec.yaml @@ -0,0 +1,2 @@ +schema: spec-driven +created: 2026-04-17 diff --git a/openspec/changes/foolproof-local-convex-setup/design.md b/openspec/changes/foolproof-local-convex-setup/design.md new file mode 100644 index 0000000..78fd921 --- /dev/null +++ b/openspec/changes/foolproof-local-convex-setup/design.md @@ -0,0 +1,266 @@ +## Context + +The current setup flow has four structural problems: + +1. It depends on stale Convex CLI behavior. + - `npx convex whoami` is no longer a valid command in the current CLI. + - `--team`, `--project`, and `--dev-deployment` only work together with `convex dev --configure`, so the existing `convex dev --once --project ...` flow fails. +2. It uses the wrong auth bootstrap mechanism. + - This repo exposes auth through Convex Auth HTTP routes. + - Signup is performed via `auth:signIn` with `{ provider: "password", params: { flow: "signUp", ... } }`, not via `convex run auth:signup`. +3. It treats env files as disposable. + - `scripts/setup.sh` and `scripts/update-env.sh` overwrite `apps/*/.env.local` and `packages/convex/.env.local` wholesale. + - That risks deleting unrelated local values and makes reruns unsafe. +4. It does not model the setup contract explicitly. + - Some backend env keys are essential to bootstrap auth. + - Others are optional feature-specific values. + - The current scripts and docs do not clearly separate those two categories or validate them with actionable explanations. + +The result is a flow that works only for a narrow happy path and becomes harder to trust the moment a user has an existing project, existing envs, or a typo in one required value. + +## Goals / Non-Goals + +**Goals:** +- Make first-run local setup succeed for a contributor who starts with only Node, PNPM, and an existing Convex account. +- Let reruns reuse or reconfigure an existing Convex project instead of silently creating duplicates. +- Use the repo's real auth flow to create or reuse a bootstrap admin/workspace and derive a valid workspace ID automatically. +- Update all relevant local env files without deleting unrelated user-managed keys. +- Separate required core setup from optional feature add-ons and validate each with actionable messages. +- Add deterministic automated coverage for the setup orchestration in a clean environment. + +**Non-Goals:** +- Automating hosted production deploys for web, landing, widget CDN, or mobile build pipelines. +- Turning local setup into a fully headless CI-only bootstrap for real Convex cloud accounts. +- Enabling every optional third-party integration by default. +- Replacing the manual setup path entirely; manual setup should remain documented, but aligned with the same contract. + +## Decisions + +### 1) Keep the shell entrypoint, move orchestration into a standalone Node bootstrap + +Decision: +- Keep `./scripts/setup.sh` as the user-facing entrypoint for compatibility and simple prerequisite checks. +- Move the actual workflow into a Node script that uses built-in modules only, so it can run before dependency install finishes. +- Keep shared env merge/write logic in reusable setup modules so `setup` and `update-env` stop duplicating behavior. + +Rationale: +- Bash is a poor fit for JSON parsing, HTTP auth calls, stateful prompts, env merging, and deterministic tests. +- A standalone Node script can use `fetch`, `crypto`, `child_process`, and `readline/promises` without introducing extra bootstrap dependencies. +- Preserving the shell entrypoint avoids breaking docs and contributor muscle memory. + +Alternatives considered: +- Keep expanding the Bash script: rejected because the core failure modes are caused by Bash being hard to evolve safely here. +- Replace the entrypoint with a TypeScript/`tsx` script directly: rejected because it would depend on installed workspace packages before the script can even install them. + +### 2) Use `packages/convex/.env.local` plus authenticated workspace lookup as the canonical source of backend state + +Decision: +- Treat `packages/convex/.env.local` as the canonical local source for the configured deployment and backend URL after `convex dev --once`. +- Use authenticated backend queries, not manual free-form entry, to resolve the active workspace ID whenever possible. +- Fan out the resolved backend URL and workspace ID to app-specific env files through a shared mapping table. + +Rationale: +- The Convex CLI already writes the authoritative deployment metadata to `packages/convex/.env.local`. +- Deriving workspace state from authenticated backend queries is safer than asking users to copy IDs from dashboards. +- A central mapping table prevents web, widget, mobile, landing, and RN example envs from drifting. + +Alternatives considered: +- Make each app own its own setup independently: rejected because it repeats the same backend/workspace data in multiple places. +- Keep prompting users to paste workspace IDs manually: rejected because it is error-prone and does not help reruns against existing projects. + +### 3) Model setup as profiles: required core setup first, optional feature setup second + +Decision: +- Define a required core setup profile that blocks completion until the following are valid: + - Convex project/deployment configuration is present + - backend URL can be resolved from the configured deployment + - required auth bootstrap env keys are set on the deployment + - a valid workspace is resolved for local consumers + - the required local env mappings are written successfully +- Treat email, AI, and test/demo conveniences as optional add-on profiles with explicit warnings instead of hard blockers. + +Rationale: +- A contributor should be able to get a working local backend and app envs without already having Resend, AI provider keys, or production-origin settings. +- Optional features still need clear validation, but missing them should explain which features remain disabled rather than fail the entire bootstrap. + +Implementation note: +- Based on the current repo and the current Convex Auth manual setup docs, the setup flow MUST validate the auth bootstrap keys actually required for this repo's password auth path. At minimum, this includes the JWT key material required by Convex Auth. `SITE_URL` should be treated as conditional: required when enabling OTP/email redirect flows, not when the user is only bootstrapping password auth locally. + +Alternatives considered: +- Force every documented env key up front: rejected because it would make "minimal local setup" depend on unrelated integrations. +- Ignore optional features entirely: rejected because silent feature disablement is confusing and hard to debug later. + +### 4) Reruns must reuse by default, and create-new only on explicit choice + +Decision: +- On rerun, the setup flow should detect whether a Convex project is already configured locally and whether the target deployment already contains users/workspaces. +- The default path should be reuse: + - keep the current configured deployment unless the user explicitly asks to reconfigure + - if the deployment already has users, prompt the user to sign in as an existing admin and choose an existing workspace when possible + - only create a new bootstrap account/workspace if the user explicitly chooses that path + +Rationale: +- The current behavior risks duplicate projects and duplicate admin/workspace creation. +- Existing deployments are more common over time than pristine ones, so rerun safety must be a first-class path. + +Alternatives considered: +- Always create a new project and user: rejected because it is wasteful and makes local state harder to reason about. +- Never create anything automatically: rejected because a first-time user still needs a path that gets them to a usable workspace without dashboard spelunking. + +### 5) Manage env files with explicit Opencom-owned blocks instead of rewriting whole files + +Decision: +- Introduce managed env blocks or key-level merge logic for all Opencom-owned local env files. +- Preserve unrelated user-managed keys and comments outside the managed region. +- Never replace `packages/convex/.env.local` wholesale; update only the keys this bootstrap owns and leave existing secrets/config intact. + +Rationale: +- The current scripts can destroy user-managed values, which is especially dangerous in `packages/convex/.env.local`. +- Managed blocks make reruns predictable and keep the script idempotent. + +Alternatives considered: +- Continue overwriting whole files: rejected because it is unsafe. +- Refuse to touch files that already exist: rejected because reruns still need a reliable update path. + +### 6) Test the flow in layers: deterministic stubs first, disposable smoke second + +Decision: +- Add deterministic automated tests around the setup state machine using: + - temporary directories/home paths + - stubbed Convex CLI responses + - stubbed auth HTTP responses + - fixture env files for merge/update assertions +- Add a documented opt-in smoke harness for running the bootstrap in a disposable container or similarly isolated environment with a real Convex account. + +Rationale: +- A fully automated real-cloud test is not a good primary verification path because login and project selection are interactive and account-specific. +- The deterministic harness should own the branching logic, validation copy, and env merge behavior. +- A disposable-container/manual smoke pass is still useful to catch integration drift against the real CLI. + +Alternatives considered: +- Only test by hand in Docker: rejected because it is too slow and too account-dependent to be the main safety net. +- Only use unit tests with no process-level stubs: rejected because the setup logic is mainly orchestration and file/process behavior. + +## Proposed Flow + +### Phase 1: Preflight + +1. Validate `node` and `pnpm` presence/version. +2. Explain what the setup will do: + - install dependencies + - configure or reuse a Convex dev deployment + - validate required backend auth envs + - create or reuse a bootstrap admin/workspace + - write local envs across supported apps +3. Run `pnpm install` from repo root. + +### Phase 2: Convex project configuration + +1. Inspect `packages/convex/.env.local`. +2. If no usable Convex config exists: + - run `pnpm exec convex dev --once` in `packages/convex` with inherited stdio + - let the CLI drive login plus new/existing project selection interactively +3. If config exists: + - ask whether to keep it or reconfigure + - on reconfigure, run `pnpm exec convex dev --once --configure` +4. After the command completes, parse `packages/convex/.env.local` and require: + - `CONVEX_DEPLOYMENT` + - `CONVEX_URL` + - any other deployment metadata the downstream flow depends on + +### Phase 3: Backend env validation/bootstrap + +1. Build a setup manifest describing: + - required core deployment envs + - optional feature envs + - how each value is generated, prompted, defaulted, or skipped +2. Validate core auth bootstrap envs against the actual current repo contract. +3. If required envs are missing: + - generate values when appropriate, such as JWT key material + - prompt the user when the value must come from them + - set values on the Convex deployment via `convex env set` +4. Re-verify that the required envs are present before continuing. + +### Phase 4: Workspace resolution + +1. Query `setup:checkExistingSetup` on the configured deployment. +2. If the deployment is empty: + - collect bootstrap admin credentials + - call the Convex Auth HTTP action path for password signup + - authenticate with the returned token + - query the current user/workspace info and capture the workspace ID +3. If the deployment already has users: + - prompt to sign in with an existing admin account + - authenticate via the same HTTP auth surface + - query current user/workspaces + - let the user choose which existing workspace should populate local envs +4. Only offer "create a new bootstrap account/workspace" as an explicit opt-in when the deployment already has existing data. + +### Phase 5: Local env propagation + +1. Use a shared mapping table to write the required Opencom-owned keys into: + - `apps/web/.env.local` + - `apps/widget/.env.local` + - `apps/mobile/.env.local` + - `apps/landing/.env.local` + - `packages/react-native-sdk/example/.env.local` + - `packages/convex/.env.local` for the local keys this repo needs in shell scripts/tests +2. Use managed sections or key merge logic so unrelated keys survive reruns. +3. Re-read every file and confirm the expected values landed correctly. + +### Phase 6: Post-setup validation and next steps + +1. Print a summary of: + - configured deployment + - backend URL + - chosen workspace + - any optional features still disabled because their envs were skipped +2. Offer explicit next steps, such as: + - start local web/widget/mobile dev + - open the hosted app against the configured backend + - rerun the setup in "reconfigure" mode + +## Validation And Error Handling + +The bootstrap output should be optimized for self-correction: + +- Missing prerequisite: + - explain the exact command/version issue and how to fix it +- Convex CLI configuration failure: + - say whether the user needs to finish login, rerun with `--configure`, or inspect `packages/convex/.env.local` +- Missing required backend auth env: + - name the key, explain why it matters, and say whether the script can generate it automatically +- Auth signup/sign-in failure: + - preserve the backend error message + - add repo-specific guidance, e.g. missing JWT setup versus invalid credentials +- Workspace resolution failure: + - explain whether no workspace exists yet, auth failed, or the chosen workspace is no longer present +- Local env mismatch: + - show which file/key failed validation and whether the script preserved a conflicting manual value + +## Risks / Trade-offs + +- [Risk] Introducing a Node bootstrap adds more code than the current shell script. + - Mitigation: keep the flow modular, data-driven, and covered by deterministic orchestration tests. +- [Risk] The current docs may be materially wrong about required auth env keys. + - Mitigation: align the setup manifest and docs to the verified current repo/runtime contract during this change. +- [Risk] Real Convex CLI behavior can drift again. + - Mitigation: add a smoke harness plus targeted doc updates so CLI drift is easier to catch early. +- [Risk] Workspace reuse flows may be more interactive than the current script. + - Mitigation: prefer safe defaults and clearer prompts over silent duplicate creation. + +## Migration Plan + +1. Create a shared setup manifest and Node orchestration layer. +2. Convert `scripts/setup.sh` into a thin wrapper around the new bootstrap. +3. Refactor `scripts/update-env.sh` to reuse the shared env propagation logic instead of duplicating it. +4. Align the bootstrap with the real Convex Auth signup/sign-in flow and backend env requirements. +5. Update docs and env examples to match the new contract. +6. Add deterministic setup tests and the opt-in disposable smoke instructions. + +Rollback strategy: +- If the new bootstrap proves unstable, keep the shared env mapping/tests and temporarily fall back to a reduced shell entrypoint while retaining the non-destructive env merge behavior. + +## Open Questions + +- None. The core unknowns from the current flow are implementation details to verify during build-out, not product-level scope blockers. diff --git a/openspec/changes/foolproof-local-convex-setup/proposal.md b/openspec/changes/foolproof-local-convex-setup/proposal.md new file mode 100644 index 0000000..c9f54a5 --- /dev/null +++ b/openspec/changes/foolproof-local-convex-setup/proposal.md @@ -0,0 +1,41 @@ +## Why + +The current OSS setup path is brittle for first-time contributors. It assumes outdated Convex CLI commands, uses an auth bootstrap path that does not match the repo's actual Convex Auth surface, rewrites `.env.local` files destructively, and only configures a narrow subset of the backend and local environment contract. In practice, that means new users can get stuck before they ever reach a usable backend, and rerunning the script can create duplicate projects or wipe unrelated local configuration. + +The repo already contains the pieces needed for a smoother bootstrap, but they are disconnected: +- Convex CLI now expects project/team flags to be used with `--configure`, and no longer exposes the `whoami` command the script relies on. +- This repo's auth flow is powered by `auth:signIn` with `flow: "signUp"` over the Convex Auth HTTP surface, not `convex run auth:signup`. +- Local consumers read backend URL and workspace state from multiple app-specific `.env.local` files, but the current scripts overwrite those files instead of managing only the Opencom-owned keys. +- The documented backend env contract has drifted from the runtime reality, especially around Convex Auth bootstrap requirements such as JWT keys. + +We need one reliable setup experience that works for: +- a user who has a Convex account but is not logged in locally +- a repo with no local Convex project configured yet +- a rerun against an existing project where the user wants to reuse the deployment instead of creating duplicates +- a contributor who makes a typo or misses a required value and needs actionable, self-correctable output + +## What Changes + +- Replace the current happy-path-only setup orchestration with a stateful, rerun-safe local bootstrap flow that can guide project configuration, backend env setup, workspace resolution, and local env propagation. +- Preserve the `./scripts/setup.sh` entrypoint, but move the complex orchestration into a Node-based implementation that can parse JSON, call HTTP auth endpoints, merge env files safely, and emit structured validation errors. +- Define a canonical setup manifest for required core values, optional feature flags/secrets, and per-app local env mappings. +- Validate the actual Convex/Auth contract instead of stale assumptions, including required auth bootstrap keys and the current CLI behavior. +- Add automated coverage for fresh-environment and rerun scenarios using isolated temporary homes plus a fake/stubbed Convex CLI harness, and document an opt-in real smoke path for disposable-container/manual verification. +- Update setup docs and env examples so the documented manual path, automated path, and repo scripts all describe the same contract. + +## Capabilities + +### New Capabilities + +- `local-convex-setup-bootstrap`: The repository provides a rerun-safe local bootstrap flow that can configure or reuse a Convex project, validate backend auth requirements, resolve a workspace without duplicate creation by default, and write the required local env keys across supported app surfaces without destructive overwrite. + +### Modified Capabilities + +- None. + +## Impact + +- Setup scripts: `scripts/setup.sh`, `scripts/update-env.sh`, and new shared setup/bootstrap modules. +- Docs and templates: `docs/open-source/setup-self-host-and-deploy.md`, relevant `*.env.example` files, and any repo references that currently describe the stale setup contract. +- Verification: new focused tests for the setup flow and any fixtures/stubs needed to simulate Convex CLI/auth behavior in a clean environment. +- Contributor experience: first-run local setup, rerun/reconfigure behavior, and self-service debugging when setup validation fails. diff --git a/openspec/changes/foolproof-local-convex-setup/specs/local-convex-setup-bootstrap/spec.md b/openspec/changes/foolproof-local-convex-setup/specs/local-convex-setup-bootstrap/spec.md new file mode 100644 index 0000000..72cc006 --- /dev/null +++ b/openspec/changes/foolproof-local-convex-setup/specs/local-convex-setup-bootstrap/spec.md @@ -0,0 +1,70 @@ +## ADDED Requirements + +### Requirement: The repository MUST provide a rerun-safe local Convex setup bootstrap +The local setup entrypoint SHALL guide contributors through configuring or reusing a Convex development deployment without depending on stale CLI commands or silently creating duplicate projects by default. + +#### Scenario: First-time contributor configures a new Convex project +- **GIVEN** a contributor has no local Convex project configured for this repo +- **WHEN** they run the repository setup bootstrap +- **THEN** the flow SHALL guide them through the current Convex CLI login/project configuration path +- **AND** the bootstrap SHALL verify that the resulting deployment metadata is available before continuing + +#### Scenario: Contributor reruns setup with an existing local Convex configuration +- **GIVEN** the repo already has a usable local Convex deployment configured +- **WHEN** the contributor reruns the setup bootstrap +- **THEN** the flow SHALL offer to keep or reconfigure the existing deployment +- **AND** it SHALL default to reuse instead of silently creating a new project + +### Requirement: The setup bootstrap MUST validate the backend auth bootstrap contract before workspace provisioning +The setup flow SHALL validate the backend environment values required for the repo's local auth bootstrap path and stop with actionable guidance when required auth configuration is missing or invalid. + +#### Scenario: Required backend auth env is missing +- **WHEN** the setup bootstrap detects a required auth bootstrap env value is missing on the configured deployment +- **THEN** it SHALL name the missing key +- **AND** explain why that key is required for local auth/bootstrap +- **AND** either generate/set the value automatically or tell the contributor exactly how to provide it before retrying + +#### Scenario: Backend auth bootstrap is misconfigured +- **WHEN** the setup bootstrap attempts password signup or sign-in against the configured deployment and the backend returns an auth configuration error +- **THEN** the setup output SHALL preserve the backend error context +- **AND** add repo-specific guidance that helps the contributor self-correct the misconfiguration + +### Requirement: The setup bootstrap MUST resolve a valid workspace without duplicate creation by default +The setup flow SHALL derive the workspace used by local surfaces from authenticated backend state whenever possible, and SHALL prefer reuse of existing workspaces on rerun paths. + +#### Scenario: Empty deployment needs a bootstrap workspace +- **GIVEN** the configured deployment has no existing users or workspaces +- **WHEN** the contributor completes the required bootstrap credential prompts +- **THEN** the setup flow SHALL create the bootstrap account/workspace through the repo's supported auth path +- **AND** capture the resulting workspace identifier for local env propagation + +#### Scenario: Existing deployment already has users and workspaces +- **GIVEN** the configured deployment already contains users or workspaces +- **WHEN** the contributor reruns setup +- **THEN** the flow SHALL support signing in to an existing account and selecting an existing workspace for local env propagation +- **AND** it SHALL not create a new workspace unless the contributor explicitly asks for one + +### Requirement: The setup bootstrap MUST update local env files non-destructively +The repository setup tooling SHALL write the Opencom-owned local env keys needed by supported app surfaces while preserving unrelated user-managed keys and comments. + +#### Scenario: Setup writes app-specific backend envs +- **WHEN** the setup bootstrap has resolved a backend URL and workspace identifier +- **THEN** it SHALL write the required Opencom-owned keys to each supported local env file +- **AND** those keys SHALL be consistent across the web, widget, mobile, landing, RN example, and local shell/test surfaces that depend on them + +#### Scenario: Existing env files already contain unrelated values +- **GIVEN** one or more local env files already exist with unrelated user-managed entries +- **WHEN** the setup bootstrap updates the Opencom-managed keys +- **THEN** it SHALL preserve the unrelated entries instead of overwriting the whole file + +### Requirement: The repository MUST maintain automated verification for setup orchestration behavior +The setup tooling SHALL have deterministic automated coverage for its clean-environment, rerun, validation, and env-merge behavior, with a documented opt-in real smoke path for disposable-environment testing. + +#### Scenario: Clean-environment orchestration is exercised under automation +- **WHEN** the setup test harness runs against an isolated temporary environment with stubbed Convex/auth dependencies +- **THEN** it SHALL verify first-run configuration, required env validation, workspace resolution, and local env propagation behavior deterministically + +#### Scenario: Existing-env rerun behavior is exercised under automation +- **WHEN** the setup test harness runs against an environment that already has local env files and an existing configured deployment +- **THEN** it SHALL verify safe reuse/reconfigure branching and non-destructive env merging +- **AND** failures in those paths SHALL produce actionable diagnostic output diff --git a/openspec/changes/foolproof-local-convex-setup/tasks.md b/openspec/changes/foolproof-local-convex-setup/tasks.md new file mode 100644 index 0000000..ca2cdea --- /dev/null +++ b/openspec/changes/foolproof-local-convex-setup/tasks.md @@ -0,0 +1,24 @@ +## 1. Setup Bootstrap Architecture + +- [x] 1.1 Replace the current Bash-only orchestration with a standalone Node bootstrap while preserving `./scripts/setup.sh` as the public entrypoint. +- [x] 1.2 Define a shared setup manifest for required core values, optional feature values, env defaults, and per-file local env mappings. +- [x] 1.3 Refactor `scripts/update-env.sh` to reuse the shared env propagation logic instead of duplicating key/file handling. + +## 2. Convex Configuration And Auth Bootstrap + +- [x] 2.1 Implement first-run and rerun handling around the current Convex CLI contract, including safe reuse or `--configure` reconfiguration of the dev deployment. +- [x] 2.2 Replace the stale auth bootstrap path with the repo's actual Convex Auth password signup/sign-in flow and workspace resolution logic. +- [x] 2.3 Validate and set the required backend auth env keys needed for local password-auth bootstrap, with actionable errors when values are missing or invalid. + +## 3. Local Env Safety And User Guidance + +- [x] 3.1 Add non-destructive managed env updates for all supported local env files, preserving unrelated manual keys/comments. +- [x] 3.2 Write and verify the required backend URL/workspace mappings across web, widget, mobile, landing, RN example, and local Convex shell/test env files. +- [x] 3.3 Improve setup output so each failure states what went wrong, why it matters, and the exact self-correction path. + +## 4. Verification And Documentation + +- [x] 4.1 Add deterministic automated tests for clean-environment, rerun/reuse, invalid-value, and env-merge scenarios using isolated temp homes plus stubbed Convex/auth dependencies. +- [x] 4.2 Document an opt-in disposable-container smoke path for exercising the real setup flow against a fresh local environment and real Convex login/project selection. +- [x] 4.3 Update `docs/open-source/setup-self-host-and-deploy.md`, relevant env examples, and any setup references that currently describe stale commands or env requirements. +- [x] 4.4 Run focused verification for the new setup tooling and `openspec validate foolproof-local-convex-setup --strict --no-interactive`. diff --git a/package.json b/package.json index ad73a8b..b0d3c89 100644 --- a/package.json +++ b/package.json @@ -52,6 +52,7 @@ "ci:check": "pnpm lint && pnpm typecheck && pnpm security:convex-auth-guard && pnpm security:convex-any-args-gate && pnpm security:secret-scan && pnpm security:headers-check && pnpm security:audit-gate && pnpm test:convex && pnpm --filter @opencom/web build", "test:summary": "node scripts/test-summary.js", "test:clear": "node scripts/test-summary.js clear", + "test:setup-bootstrap": "node --test scripts/tests/local-convex-setup.test.js", "test:timeout": "node scripts/run-with-timeout.js", "test:e2e:prod": "E2E_USE_PROD_BUILD=true pnpm web:test:e2e", "seed:landing": "pnpm dlx dotenv-cli -e apps/landing/.env.local -- tsx scripts/seed-landing-demo.ts", @@ -82,8 +83,8 @@ "pnpm": { "overrides": { "@isaacs/brace-expansion": "5.0.1", - "@xmldom/xmldom@0.7.13": "0.8.12", - "@xmldom/xmldom@0.8.11": "0.8.12", + "@xmldom/xmldom@0.7.13": "0.8.13", + "@xmldom/xmldom@0.8.11": "0.8.13", "esbuild": "^0.27.0", "fast-xml-parser": "4.5.5", "flatted": "3.4.2", diff --git a/packages/convex/.env.test.example b/packages/convex/.env.test.example index 0644199..d68a5c8 100644 --- a/packages/convex/.env.test.example +++ b/packages/convex/.env.test.example @@ -19,10 +19,11 @@ TEST_ADMIN_SECRET= # To set up a dedicated test deployment: # 1. cd packages/convex -# 2. npx convex login (if not already logged in) -# 3. npx convex dev --project opencom-test --once +# 2. pnpm exec convex dev --once --configure +# 3. Reuse or create a dedicated test deployment when the CLI prompts you # 4. Update CONVEX_URL above with the test deployment URL -# 5. Set SITE_URL in Convex dashboard: npx convex env set SITE_URL http://localhost:3000 -# 6. Set ALLOW_TEST_DATA: npx convex env set ALLOW_TEST_DATA true -# 7. Set TEST_ADMIN_SECRET: npx convex env set TEST_ADMIN_SECRET -# 8. Copy the same secret into TEST_ADMIN_SECRET above +# 5. Run ../../scripts/setup.sh once, or configure Convex Auth JWT_PRIVATE_KEY/JWKS with pnpm exec convex auth add +# 6. Set SITE_URL in Convex dashboard: pnpm exec convex env set SITE_URL http://localhost:3000 +# 7. Set ALLOW_TEST_DATA: pnpm exec convex env set ALLOW_TEST_DATA true +# 8. Set TEST_ADMIN_SECRET: pnpm exec convex env set TEST_ADMIN_SECRET +# 9. Copy the same secret into TEST_ADMIN_SECRET above diff --git a/packages/react-native-sdk/example/.env.example b/packages/react-native-sdk/example/.env.example index 75d70c1..f197a8e 100644 --- a/packages/react-native-sdk/example/.env.example +++ b/packages/react-native-sdk/example/.env.example @@ -1,5 +1,6 @@ # Opencom SDK Configuration # Copy this file to .env.local and fill in your values +# Tip: ./scripts/update-env.sh fills these in automatically for local setup EXPO_PUBLIC_CONVEX_URL=https://your-deployment.convex.cloud EXPO_PUBLIC_WORKSPACE_ID=your-workspace-id diff --git a/packages/react-native-sdk/example/README.md b/packages/react-native-sdk/example/README.md index 31fe5e9..6714e0d 100644 --- a/packages/react-native-sdk/example/README.md +++ b/packages/react-native-sdk/example/README.md @@ -23,6 +23,8 @@ EXPO_PUBLIC_CONVEX_URL=https://your-deployment.convex.cloud EXPO_PUBLIC_WORKSPACE_ID=your-workspace-id ``` +If you already ran the repo bootstrap, `./scripts/update-env.sh` writes these values for you. + ### 3. Run the App ```bash diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index e0c8952..6533fdd 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -6,8 +6,8 @@ settings: overrides: '@isaacs/brace-expansion': 5.0.1 - '@xmldom/xmldom@0.7.13': 0.8.12 - '@xmldom/xmldom@0.8.11': 0.8.12 + '@xmldom/xmldom@0.7.13': 0.8.13 + '@xmldom/xmldom@0.8.11': 0.8.13 esbuild: ^0.27.0 fast-xml-parser: 4.5.5 flatted: 3.4.2 @@ -3145,8 +3145,8 @@ packages: '@vscode/sudo-prompt@9.3.2': resolution: {integrity: sha512-gcXoCN00METUNFeQOFJ+C9xUI0DKB+0EGMVg7wbVYRHBw2Eq3fKisDZOkRdOz3kqXRKOENMfShPOmypw1/8nOw==} - '@xmldom/xmldom@0.8.12': - resolution: {integrity: sha512-9k/gHF6n/pAi/9tqr3m3aqkuiNosYTurLLUtc7xQ9sxB/wm7WPygCv8GYa6mS0fLJEHhqMC1ATYhz++U/lRHqg==} + '@xmldom/xmldom@0.8.13': + resolution: {integrity: sha512-KRYzxepc14G/CEpEGc3Yn+JKaAeT63smlDr+vjB8jRfgTBBI9wRj/nkQEO+ucV8p8I9bfKLWp37uHgFrbntPvw==} engines: {node: '>=10.0.0'} abort-controller@3.0.0: @@ -8817,13 +8817,13 @@ snapshots: '@expo/plist@0.1.3': dependencies: - '@xmldom/xmldom': 0.8.12 + '@xmldom/xmldom': 0.8.13 base64-js: 1.5.1 xmlbuilder: 14.0.0 '@expo/plist@0.4.8': dependencies: - '@xmldom/xmldom': 0.8.12 + '@xmldom/xmldom': 0.8.13 base64-js: 1.5.1 xmlbuilder: 15.1.1 @@ -11095,7 +11095,7 @@ snapshots: '@vscode/sudo-prompt@9.3.2': {} - '@xmldom/xmldom@0.8.12': {} + '@xmldom/xmldom@0.8.13': {} abort-controller@3.0.0: dependencies: @@ -14387,7 +14387,7 @@ snapshots: plist@3.1.0: dependencies: - '@xmldom/xmldom': 0.8.12 + '@xmldom/xmldom': 0.8.13 base64-js: 1.5.1 xmlbuilder: 15.1.1 diff --git a/scripts/lib/local-convex-setup-manifest.js b/scripts/lib/local-convex-setup-manifest.js new file mode 100644 index 0000000..6ae6216 --- /dev/null +++ b/scripts/lib/local-convex-setup-manifest.js @@ -0,0 +1,172 @@ +"use strict"; + +const LOCAL_SITE_URL = "http://localhost:3000"; + +const CORE_BACKEND_ENV = [ + { + id: "convex-auth-jwt-keys", + keys: ["JWT_PRIVATE_KEY", "JWKS"], + required: true, + description: + "Required by Convex Auth to sign password-auth sessions and expose the matching public JWKS.", + resolution: "generate-jwt-keypair", + }, + { + key: "SITE_URL", + required: false, + description: + "Recommended local default for Convex Auth callback/link generation. Needed for OTP/email flows.", + resolution: "default", + defaultValue: LOCAL_SITE_URL, + }, +]; + +const OPTIONAL_BACKEND_PROFILES = [ + { + id: "otp-email", + label: "OTP email sign-in", + description: "Passwordless email code sign-in for web/mobile auth flows.", + checks: [ + { + mode: "any", + keys: ["AUTH_RESEND_KEY", "RESEND_API_KEY"], + message: "set AUTH_RESEND_KEY or RESEND_API_KEY", + }, + { + mode: "all", + keys: ["EMAIL_FROM"], + message: "set EMAIL_FROM", + }, + { + mode: "all", + keys: ["SITE_URL"], + message: "set SITE_URL", + }, + ], + }, + { + id: "email-channel", + label: "Email channel + webhook handling", + description: "Inbound/outbound email conversations and webhook verification.", + checks: [ + { + mode: "all", + keys: ["RESEND_API_KEY"], + message: "set RESEND_API_KEY", + }, + { + mode: "all", + keys: ["EMAIL_FROM"], + message: "set EMAIL_FROM", + }, + { + mode: "all", + keys: ["RESEND_WEBHOOK_SECRET"], + message: "set RESEND_WEBHOOK_SECRET", + }, + { + mode: "any", + keys: ["EMAIL_WEBHOOK_INTERNAL_SECRET", "RESEND_WEBHOOK_SECRET"], + message: "set EMAIL_WEBHOOK_INTERNAL_SECRET (or reuse RESEND_WEBHOOK_SECRET)", + }, + ], + }, + { + id: "ai-agent", + label: "AI agent generation", + description: "Model discovery and generated AI responses.", + checks: [ + { + mode: "all", + keys: ["AI_GATEWAY_API_KEY"], + message: "set AI_GATEWAY_API_KEY", + }, + ], + }, + { + id: "test-demo", + label: "Test/demo helpers", + description: "Landing seed scripts and testAdmin-backed helper flows.", + checks: [ + { + mode: "all", + keys: ["ALLOW_TEST_DATA"], + message: "set ALLOW_TEST_DATA=true", + validate: (value) => value === "true", + }, + { + mode: "all", + keys: ["TEST_ADMIN_SECRET"], + message: "set TEST_ADMIN_SECRET", + }, + ], + }, +]; + +const LOCAL_ENV_TARGETS = [ + { + relativePath: "apps/web/.env.local", + description: "Web dashboard local backend + widget demo defaults", + managedComment: "Managed by Opencom local setup (web dashboard defaults)", + values: ({ convexUrl, workspaceId }) => ({ + E2E_BACKEND_URL: convexUrl, + NEXT_PUBLIC_CONVEX_URL: convexUrl, + NEXT_PUBLIC_OPENCOM_DEFAULT_BACKEND_URL: convexUrl, + NEXT_PUBLIC_TEST_WORKSPACE_ID: workspaceId, + }), + }, + { + relativePath: "apps/widget/.env.local", + description: "Widget local dev bootstrap", + managedComment: "Managed by Opencom local setup (widget dev bootstrap)", + values: ({ convexUrl, workspaceId }) => ({ + VITE_CONVEX_URL: convexUrl, + VITE_WORKSPACE_ID: workspaceId, + }), + }, + { + relativePath: "apps/mobile/.env.local", + description: "Mobile admin app backend defaults", + managedComment: "Managed by Opencom local setup (mobile defaults)", + values: ({ convexUrl, workspaceId }) => ({ + EXPO_PUBLIC_CONVEX_URL: convexUrl, + EXPO_PUBLIC_OPENCOM_DEFAULT_BACKEND_URL: convexUrl, + EXPO_PUBLIC_WORKSPACE_ID: workspaceId, + }), + }, + { + relativePath: "apps/landing/.env.local", + description: "Landing page widget demo defaults", + managedComment: "Managed by Opencom local setup (landing widget demo)", + values: ({ convexUrl, workspaceId }) => ({ + NEXT_PUBLIC_CONVEX_URL: convexUrl, + NEXT_PUBLIC_WORKSPACE_ID: workspaceId, + }), + }, + { + relativePath: "packages/react-native-sdk/example/.env.local", + description: "React Native SDK example defaults", + managedComment: "Managed by Opencom local setup (React Native SDK example)", + values: ({ convexUrl, workspaceId }) => ({ + EXPO_PUBLIC_CONVEX_URL: convexUrl, + EXPO_PUBLIC_WORKSPACE_ID: workspaceId, + }), + }, + { + relativePath: "packages/convex/.env.local", + description: "Local Convex shell/test helpers", + managedComment: "Managed by Opencom local setup (Convex shell/test helpers)", + values: ({ convexUrl, workspaceId }) => ({ + CONVEX_URL: convexUrl, + E2E_BACKEND_URL: convexUrl, + WORKSPACE_ID: workspaceId, + }), + }, +]; + +module.exports = { + CORE_BACKEND_ENV, + LOCAL_ENV_TARGETS, + LOCAL_SITE_URL, + OPTIONAL_BACKEND_PROFILES, +}; diff --git a/scripts/local-convex-setup.js b/scripts/local-convex-setup.js new file mode 100644 index 0000000..b38f5ef --- /dev/null +++ b/scripts/local-convex-setup.js @@ -0,0 +1,1558 @@ +"use strict"; + +const fs = require("node:fs/promises"); +const path = require("node:path"); +const crypto = require("node:crypto"); +const os = require("node:os"); +const { spawn } = require("node:child_process"); +const readline = require("node:readline/promises"); + +const { + CORE_BACKEND_ENV, + LOCAL_ENV_TARGETS, + OPTIONAL_BACKEND_PROFILES, +} = require("./lib/local-convex-setup-manifest"); + +const ROOT_DIR = path.resolve(__dirname, ".."); +const CONVEX_ENV_FILE = path.join("packages", "convex", ".env.local"); +const COLORS = { + red: "\u001b[31m", + green: "\u001b[32m", + yellow: "\u001b[33m", + blue: "\u001b[34m", + bold: "\u001b[1m", + reset: "\u001b[0m", +}; + +class SetupError extends Error { + constructor({ summary, why, fix, details }) { + super(summary); + this.name = "SetupError"; + this.summary = summary; + this.why = why; + this.fix = Array.isArray(fix) ? fix : fix ? [fix] : []; + this.details = details || ""; + } +} + +function colorize(color, value, runtime) { + if (!runtime.output.isTTY) { + return value; + } + return `${color}${value}${COLORS.reset}`; +} + +function formatSectionTitle(value, runtime) { + return colorize(COLORS.bold + COLORS.blue, value, runtime); +} + +function logSection(runtime, title) { + runtime.log(`\n${formatSectionTitle(title, runtime)}`); +} + +function logSuccess(runtime, message) { + runtime.log(`${colorize(COLORS.green, "✓", runtime)} ${message}`); +} + +function logWarning(runtime, message) { + runtime.warn(`${colorize(COLORS.yellow, "!", runtime)} ${message}`); +} + +function parseEnvAssignment(line) { + const trimmed = line.trim(); + if (!trimmed || trimmed.startsWith("#")) { + return null; + } + + const match = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)\s*$/); + if (!match) { + return null; + } + + return { + key: match[1], + rawValue: match[2], + }; +} + +function unquoteEnvValue(rawValue) { + const trimmed = rawValue.trim(); + if (trimmed.length >= 2 && trimmed.startsWith('"') && trimmed.endsWith('"')) { + return trimmed + .slice(1, -1) + .replace(/\\n/g, "\n") + .replace(/\\r/g, "\r") + .replace(/\\t/g, "\t") + .replace(/\\"/g, '"') + .replace(/\\\\/g, "\\"); + } + + if (trimmed.length >= 2 && trimmed.startsWith("'") && trimmed.endsWith("'")) { + return trimmed.slice(1, -1); + } + + return trimmed; +} + +function parseEnvContent(content) { + const values = {}; + const normalized = content.replace(/\r\n/g, "\n"); + const lines = normalized.split("\n"); + for (const line of lines) { + const parsed = parseEnvAssignment(line); + if (!parsed) { + continue; + } + values[parsed.key] = unquoteEnvValue(parsed.rawValue); + } + return values; +} + +function formatEnvValue(value) { + const stringValue = String(value); + return `"${stringValue + .replace(/\\/g, "\\\\") + .replace(/"/g, '\\"') + .replace(/\n/g, "\\n") + .replace(/\r/g, "\\r") + .replace(/\t/g, "\\t")}"`; +} + +function formatConvexEnvFileValue(value) { + const stringValue = String(value); + if (stringValue.includes('"') && !stringValue.includes("'")) { + return `'${stringValue}'`; + } + return formatEnvValue(value); +} + +function mergeEnvFileContent(existingContent, desiredEntries, managedComment) { + const desiredKeys = Object.keys(desiredEntries); + const normalized = existingContent.replace(/\r\n/g, "\n"); + const hasContent = normalized.length > 0; + const lines = hasContent ? normalized.split("\n") : []; + const seenKeys = new Set(); + + const mergedLines = lines.map((line) => { + const parsed = parseEnvAssignment(line); + if (!parsed || !Object.prototype.hasOwnProperty.call(desiredEntries, parsed.key)) { + return line; + } + + seenKeys.add(parsed.key); + return `${parsed.key}=${formatEnvValue(desiredEntries[parsed.key])}`; + }); + + const missingKeys = desiredKeys.filter((key) => !seenKeys.has(key)); + if (missingKeys.length > 0) { + if (mergedLines.length > 0 && mergedLines[mergedLines.length - 1] !== "") { + mergedLines.push(""); + } + mergedLines.push(`# ${managedComment}`); + for (const key of missingKeys) { + mergedLines.push(`${key}=${formatEnvValue(desiredEntries[key])}`); + } + } + + let result = mergedLines.join("\n"); + if (!result.endsWith("\n")) { + result = `${result}\n`; + } + return result; +} + +function generateJwtKeyPair() { + const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { + modulusLength: 2048, + publicExponent: 0x10001, + }); + const jwtPrivateKey = privateKey + .export({ type: "pkcs8", format: "pem" }) + .trimEnd() + .replace(/\n/g, " "); + const publicJwk = publicKey.export({ format: "jwk" }); + return { + JWT_PRIVATE_KEY: jwtPrivateKey, + JWKS: JSON.stringify({ keys: [{ use: "sig", ...publicJwk }] }), + }; +} + +function isValidJwtPrivateKey(value) { + const normalized = String(value || "").trim(); + return ( + normalized.startsWith("-----BEGIN PRIVATE KEY-----") && + normalized.endsWith("-----END PRIVATE KEY-----") + ); +} + +function isValidJwks(value) { + try { + const parsed = JSON.parse(String(value || "")); + return ( + parsed && + typeof parsed === "object" && + Array.isArray(parsed.keys) && + parsed.keys.length > 0 + ); + } catch { + return false; + } +} + +function isValidCoreBackendEnvValue(entry, key, value) { + if (!value) { + return false; + } + if (entry.resolution !== "generate-jwt-keypair") { + return true; + } + if (key === "JWT_PRIVATE_KEY") { + return isValidJwtPrivateKey(value); + } + if (key === "JWKS") { + return isValidJwks(value); + } + return true; +} + +function trimCommandOutput(value) { + return value.replace(/\r\n/g, "\n").trim(); +} + +function toErrorMessage(error) { + if (error instanceof Error && error.message) { + return error.message; + } + return String(error); +} + +async function fileExists(filePath) { + try { + await fs.access(filePath); + return true; + } catch { + return false; + } +} + +async function readEnvFile(filePath) { + if (!(await fileExists(filePath))) { + return {}; + } + const content = await fs.readFile(filePath, "utf8"); + return parseEnvContent(content); +} + +function createTerminalUi({ input = process.stdin, output = process.stdout } = {}) { + const rl = readline.createInterface({ input, output }); + + async function ask(question, options = {}) { + const suffix = + options.defaultValue !== undefined && options.defaultValue !== "" + ? ` [${options.defaultValue}]` + : ""; + + while (true) { + const answer = await rl.question(`${question}${suffix}: `); + const resolved = answer.trim() || options.defaultValue || ""; + if (resolved || !options.required) { + return resolved; + } + output.write("This value is required.\n"); + } + } + + async function askSecret(question, options = {}) { + if (!input.isTTY || !output.isTTY || typeof input.setRawMode !== "function") { + return ask(question, options); + } + + const suffix = + options.defaultValue !== undefined && options.defaultValue !== "" + ? ` [${"*".repeat(String(options.defaultValue).length)}]` + : ""; + + output.write(`${question}${suffix}: `); + const wasRaw = input.isRaw; + input.setRawMode(true); + input.resume(); + input.setEncoding("utf8"); + + return await new Promise((resolve, reject) => { + let value = ""; + + function cleanup() { + input.off("data", onData); + input.setRawMode(Boolean(wasRaw)); + input.pause(); + } + + function finish(resolvedValue) { + cleanup(); + output.write("\n"); + resolve(resolvedValue); + } + + function onData(chunk) { + const characters = Array.from(chunk); + for (const character of characters) { + if (character === "\u0003") { + cleanup(); + reject(new Error("Interrupted")); + return; + } + + if (character === "\r" || character === "\n") { + const resolved = value || options.defaultValue || ""; + if (!resolved && options.required) { + output.write("\nThis value is required.\n"); + output.write(`${question}${suffix}: `); + value = ""; + continue; + } + finish(resolved); + return; + } + + if (character === "\u007f" || character === "\b") { + if (value.length > 0) { + value = value.slice(0, -1); + output.write("\b \b"); + } + continue; + } + + value += character; + output.write("*"); + } + } + + input.on("data", onData); + }); + } + + async function confirm(question, defaultValue = true) { + const prompt = defaultValue ? " [Y/n]: " : " [y/N]: "; + const answer = (await rl.question(`${question}${prompt}`)).trim().toLowerCase(); + if (!answer) { + return defaultValue; + } + return answer === "y" || answer === "yes"; + } + + async function select(question, options, defaultIndex = 0) { + output.write(`${question}\n`); + options.forEach((option, index) => { + const marker = index === defaultIndex ? " (default)" : ""; + output.write(` ${index + 1}. ${option.label}${marker}\n`); + }); + + while (true) { + const answer = (await rl.question("Choose an option: ")).trim(); + const index = answer ? Number.parseInt(answer, 10) - 1 : defaultIndex; + if (Number.isInteger(index) && index >= 0 && index < options.length) { + return options[index].value; + } + output.write("Enter one of the numbered options above.\n"); + } + } + + return { + ask, + askSecret, + confirm, + select, + close: async () => { + rl.close(); + }, + }; +} + +function createRuntime(overrides = {}) { + const input = overrides.input || process.stdin; + const output = overrides.output || process.stdout; + const ui = overrides.ui || createTerminalUi({ input, output }); + return { + rootDir: overrides.rootDir || ROOT_DIR, + input, + output, + ui, + fetchImpl: overrides.fetchImpl || global.fetch, + generateJwtKeyPair: overrides.generateJwtKeyPair || generateJwtKeyPair, + log: overrides.log || ((message) => output.write(`${message}\n`)), + warn: overrides.warn || ((message) => output.write(`${message}\n`)), + error: overrides.error || ((message) => output.write(`${message}\n`)), + async readFile(filePath, encoding = "utf8") { + return fs.readFile(filePath, encoding); + }, + async writeFile(filePath, contents) { + await fs.mkdir(path.dirname(filePath), { recursive: true }); + await fs.writeFile(filePath, contents, "utf8"); + }, + async exists(filePath) { + return fileExists(filePath); + }, + async runCommand(command, args, options = {}) { + return runCommand(command, args, { + cwd: options.cwd || this.rootDir, + env: options.env, + stdio: options.stdio || "pipe", + }); + }, + }; +} + +function runCommand(command, args, options = {}) { + return new Promise((resolve, reject) => { + const child = spawn(command, args, { + cwd: options.cwd, + env: options.env ? { ...process.env, ...options.env } : process.env, + stdio: options.stdio === "inherit" ? "inherit" : ["ignore", "pipe", "pipe"], + }); + + let stdout = ""; + let stderr = ""; + + if (child.stdout) { + child.stdout.on("data", (chunk) => { + stdout += String(chunk); + }); + } + + if (child.stderr) { + child.stderr.on("data", (chunk) => { + stderr += String(chunk); + }); + } + + child.on("error", reject); + child.on("close", (code) => { + if (code === 0) { + resolve({ stdout, stderr, code }); + return; + } + + const error = new Error( + `Command failed: ${command} ${args.join(" ")}\n${trimCommandOutput(stderr || stdout)}` + ); + error.code = code; + error.stdout = stdout; + error.stderr = stderr; + reject(error); + }); + }); +} + +function sanitizeConvexUrl(value) { + return String(value || "") + .trim() + .replace(/\/$/, ""); +} + +function convexCloudToSiteUrl(value) { + return sanitizeConvexUrl(value).replace(/\.convex\.cloud$/, ".convex.site"); +} + +async function getConvexConfig(runtime) { + const env = await readEnvFile(path.join(runtime.rootDir, CONVEX_ENV_FILE)); + const convexUrl = sanitizeConvexUrl(env.CONVEX_URL || env.E2E_BACKEND_URL || ""); + return { + env, + convexUrl, + deployment: String(env.CONVEX_DEPLOYMENT || "").trim(), + }; +} + +async function installDependencies(runtime) { + logSection(runtime, "1. Install Dependencies"); + runtime.log("Running pnpm install so the workspace and Convex CLI are ready for setup."); + try { + await runtime.runCommand("pnpm", ["install"], { stdio: "inherit" }); + } catch (error) { + throw new SetupError({ + summary: "pnpm install failed.", + why: "The local bootstrap cannot continue until the workspace dependencies are installed.", + fix: [ + "Resolve the pnpm install failure shown above, then rerun ./scripts/setup.sh.", + "If you are setting up pnpm for the first time, confirm `pnpm -v` works in this shell.", + ], + details: toErrorMessage(error), + }); + } + logSuccess(runtime, "Dependencies installed."); +} + +async function ensureConvexDeployment(runtime, options) { + logSection(runtime, "2. Configure Or Reuse The Convex Dev Deployment"); + const existing = await getConvexConfig(runtime); + let shouldReconfigure = Boolean(options.reconfigure); + + if (!existing.deployment || !existing.convexUrl) { + runtime.log( + "No usable local Convex deployment metadata was found. Starting the Convex CLI flow." + ); + } else if (!shouldReconfigure) { + runtime.log(`Found existing deployment ${existing.deployment} in packages/convex/.env.local.`); + if (!options.nonInteractive) { + const reuse = await runtime.ui.confirm( + "Reuse the currently configured Convex deployment?", + true + ); + shouldReconfigure = !reuse; + } + } + + if (!existing.deployment || !existing.convexUrl || shouldReconfigure) { + const args = ["--filter", "@opencom/convex", "exec", "convex", "dev", "--once"]; + if (shouldReconfigure) { + args.push("--configure"); + } + + try { + await runtime.runCommand("pnpm", args, { stdio: "inherit" }); + } catch (error) { + throw new SetupError({ + summary: "Convex project configuration failed.", + why: "The rest of the bootstrap needs a working dev deployment before it can validate auth or write local env files.", + fix: [ + "Finish any login/project-selection prompts from the Convex CLI, then rerun ./scripts/setup.sh.", + "If you wanted a different deployment, rerun ./scripts/setup.sh --reconfigure.", + "If the CLI completed successfully but the file still looks wrong, inspect packages/convex/.env.local.", + ], + details: toErrorMessage(error), + }); + } + } + + const refreshed = await getConvexConfig(runtime); + if (!refreshed.deployment || !refreshed.convexUrl) { + throw new SetupError({ + summary: "Convex setup did not produce the deployment metadata this repo expects.", + why: "Opencom needs both CONVEX_DEPLOYMENT and CONVEX_URL in packages/convex/.env.local to continue safely.", + fix: [ + "Rerun ./scripts/setup.sh --reconfigure and complete the Convex CLI flow.", + "If the CLI already succeeded, inspect packages/convex/.env.local for CONVEX_DEPLOYMENT and CONVEX_URL.", + ], + }); + } + + logSuccess(runtime, `Using deployment ${refreshed.deployment}.`); + logSuccess(runtime, `Resolved backend URL ${refreshed.convexUrl}.`); + return refreshed; +} + +async function getBackendEnvValue(runtime, key) { + try { + const result = await runtime.runCommand("pnpm", [ + "--filter", + "@opencom/convex", + "exec", + "convex", + "env", + "get", + key, + ]); + return trimCommandOutput(result.stdout); + } catch (error) { + const message = trimCommandOutput(error.stderr || error.stdout || ""); + if (/not set|could not find|No environment variable/i.test(message)) { + return ""; + } + throw error; + } +} + +async function setBackendEnvValue(runtime, key, value) { + await runtime.runCommand( + "pnpm", + ["--filter", "@opencom/convex", "exec", "convex", "env", "set", key, value], + { stdio: "inherit" } + ); +} + +async function setBackendEnvValues(runtime, values, options = {}) { + const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "opencom-convex-env-")); + const tempEnvFile = path.join(tempDir, "env.values"); + const content = + Object.entries(values) + .map(([key, value]) => `${key}=${formatConvexEnvFileValue(value)}`) + .join("\n") + "\n"; + + try { + await runtime.writeFile(tempEnvFile, content); + const args = [ + "--filter", + "@opencom/convex", + "exec", + "convex", + "env", + "set", + "--from-file", + tempEnvFile, + ]; + if (options.force) { + args.push("--force"); + } + await runtime.runCommand("pnpm", args, { stdio: "inherit" }); + } finally { + await fs.rm(tempDir, { recursive: true, force: true }); + } +} + +async function ensureCoreBackendEnv(runtime) { + logSection(runtime, "3. Validate Backend Auth Bootstrap Env"); + const resolvedValues = {}; + + for (const entry of CORE_BACKEND_ENV) { + if (entry.resolution === "generate-jwt-keypair") { + const keys = entry.keys || []; + const currentValues = {}; + for (const key of keys) { + currentValues[key] = await getBackendEnvValue(runtime, key); + } + + const missingKeys = keys.filter( + (key) => !isValidCoreBackendEnvValue(entry, key, currentValues[key]) + ); + if (missingKeys.length > 0) { + const generatedValues = runtime.generateJwtKeyPair(); + const desiredValues = Object.fromEntries(keys.map((key) => [key, generatedValues[key]])); + try { + await setBackendEnvValues(runtime, desiredValues, { force: true }); + Object.assign(currentValues, desiredValues); + } catch (error) { + throw new SetupError({ + summary: `Could not set required backend env ${missingKeys.join(", ")}.`, + why: entry.description, + fix: [ + "Run `pnpm --filter @opencom/convex exec convex auth add`, then rerun ./scripts/setup.sh.", + "If either JWT_PRIVATE_KEY or JWKS is missing, regenerate and set both values from the same key pair.", + ], + details: toErrorMessage(error), + }); + } + } + + for (const key of keys) { + resolvedValues[key] = currentValues[key]; + } + logSuccess(runtime, `${keys.join(" and ")} are configured.`); + continue; + } + + let currentValue = await getBackendEnvValue(runtime, entry.key); + if (!currentValue) { + if (entry.resolution === "default") { + currentValue = entry.defaultValue; + } + + try { + await setBackendEnvValue(runtime, entry.key, currentValue); + } catch (error) { + if (entry.required) { + throw new SetupError({ + summary: `Could not set required backend env ${entry.key}.`, + why: entry.description, + fix: [ + `Run \`pnpm --filter @opencom/convex exec convex env set ${entry.key} \`, then rerun ./scripts/setup.sh.`, + ], + details: toErrorMessage(error), + }); + } + + logWarning( + runtime, + `Could not set optional backend env ${entry.key}. ${entry.description}` + ); + continue; + } + } + + resolvedValues[entry.key] = currentValue; + if (entry.required) { + logSuccess(runtime, `${entry.key} is configured.`); + } else { + logSuccess(runtime, `${entry.key} is configured or defaulted for local use.`); + } + } + + return resolvedValues; +} + +async function callConvexJson(runtime, convexUrl, kind, pathName, args, token) { + if (typeof runtime.fetchImpl !== "function") { + throw new SetupError({ + summary: "Fetch is not available in this Node runtime.", + why: "The setup bootstrap uses HTTP calls to the configured Convex deployment for auth and workspace resolution.", + fix: ["Use Node.js 18+ and rerun ./scripts/setup.sh."], + }); + } + + const url = `${sanitizeConvexUrl(convexUrl)}/api/${kind}`; + const headers = { + "Content-Type": "application/json", + }; + + if (token) { + headers.Authorization = `Bearer ${token}`; + } + + const body = { + path: pathName, + args: args || {}, + }; + + if (kind === "action") { + body.format = "json"; + } + + let response; + try { + response = await runtime.fetchImpl(url, { + method: "POST", + headers, + body: JSON.stringify(body), + }); + } catch (error) { + throw new SetupError({ + summary: `Could not reach ${pathName} on the configured Convex deployment.`, + why: "The bootstrap cannot verify auth or workspace state when the backend is unreachable.", + fix: [ + "Confirm the Convex dev deployment is running and that CONVEX_URL points at the correct instance.", + "If you reconfigured the deployment, rerun ./scripts/setup.sh --reconfigure.", + ], + details: toErrorMessage(error), + }); + } + + const responseText = await response.text(); + let payload; + try { + payload = responseText ? JSON.parse(responseText) : null; + } catch { + payload = responseText; + } + + if (!response.ok) { + const details = + typeof payload === "string" + ? payload + : JSON.stringify(payload, null, 2) || response.statusText; + throw new SetupError({ + summary: `${pathName} returned HTTP ${response.status}.`, + why: "The bootstrap step could not complete with the backend response it received.", + fix: [ + "Inspect the backend error below, fix the misconfiguration, then rerun ./scripts/setup.sh.", + ], + details, + }); + } + + if (payload && typeof payload === "object" && payload.status === "error") { + throw new Error(payload.errorMessage || JSON.stringify(payload)); + } + + if ( + payload && + typeof payload === "object" && + payload.status === "success" && + "value" in payload + ) { + return payload.value; + } + + return payload; +} + +async function getSetupState(runtime, convexUrl) { + return callConvexJson(runtime, convexUrl, "query", "setup:checkExistingSetup", {}); +} + +function emailPrefix(email) { + return String(email).split("@")[0] || "Opencom Admin"; +} + +async function collectSignupCredentials(runtime, options) { + const email = + options.adminEmail || + (options.nonInteractive ? "" : await runtime.ui.ask("Admin email", { required: true })); + const password = + options.adminPassword || + (options.nonInteractive + ? "" + : await runtime.ui.askSecret("Admin password", { required: true })); + + if (!email || !password) { + throw new SetupError({ + summary: "Email and password are required for non-interactive bootstrap.", + why: "The script cannot create the bootstrap admin account without credentials.", + fix: ["Pass --email and --password, or rerun ./scripts/setup.sh without --non-interactive."], + }); + } + + const adminName = + options.adminName || + (options.nonInteractive + ? emailPrefix(email) + : await runtime.ui.ask("Admin display name", { + defaultValue: emailPrefix(email), + })); + + const workspaceName = + options.workspaceName || + (options.nonInteractive + ? "" + : await runtime.ui.ask("Workspace name (leave blank to use the default)", { + defaultValue: "", + })); + + return { + email, + password, + adminName, + workspaceName, + }; +} + +async function collectSigninCredentials(runtime, options) { + const email = + options.adminEmail || + (options.nonInteractive + ? "" + : await runtime.ui.ask("Existing admin email", { required: true })); + const password = + options.adminPassword || + (options.nonInteractive + ? "" + : await runtime.ui.askSecret("Existing admin password", { required: true })); + + if (!email || !password) { + throw new SetupError({ + summary: "Existing admin credentials are required for non-interactive reruns.", + why: "The bootstrap needs to authenticate before it can list or reuse the existing workspaces on this deployment.", + fix: ["Pass --email and --password, or rerun ./scripts/setup.sh without --non-interactive."], + }); + } + + return { email, password }; +} + +function authErrorFixes(errorMessage) { + const normalized = errorMessage.toLowerCase(); + const fixes = []; + + if (normalized.includes("invalid credentials") || normalized.includes("account not found")) { + fixes.push( + "Use an existing admin account on this deployment, or rerun against a different deployment." + ); + } + + if ( + normalized.includes("auth_secret") || + normalized.includes("jwt_private_key") || + normalized.includes("jwks") || + normalized.includes("convex_site_url") || + normalized.includes("missing environment variable") || + normalized.includes("openid") || + normalized.includes("issuer") || + normalized.includes("site_url") + ) { + fixes.push( + "Confirm JWT_PRIVATE_KEY and JWKS are set from the same key pair, and that CONVEX_SITE_URL is available on the deployment." + ); + } + + if (fixes.length === 0) { + fixes.push( + "Check the backend error below, correct the auth configuration or credentials, then rerun the setup." + ); + } + + return fixes; +} + +async function signInWithPassword(runtime, convexUrl, params) { + try { + const response = await callConvexJson(runtime, convexUrl, "action", "auth:signIn", { + provider: "password", + params, + }); + const token = response?.tokens?.token; + if (!token) { + throw new Error("auth:signIn did not return a JWT token."); + } + return token; + } catch (error) { + const message = error instanceof SetupError ? error.summary : toErrorMessage(error); + const details = error instanceof SetupError ? error.details || toErrorMessage(error) : message; + const fixInput = `${message}\n${details}`; + throw new SetupError({ + summary: `Password auth bootstrap failed: ${message}`, + why: "The local setup flow relies on the repo's real Convex Auth password sign-in/sign-up path.", + fix: authErrorFixes(fixInput), + details, + }); + } +} + +async function getCurrentUser(runtime, convexUrl, token) { + return callConvexJson(runtime, convexUrl, "query", "auth:currentUser", {}, token); +} + +async function createWorkspace(runtime, convexUrl, token, workspaceName) { + try { + return await callConvexJson( + runtime, + convexUrl, + "mutation", + "workspaces:create", + { name: workspaceName }, + token + ); + } catch (error) { + throw new SetupError({ + summary: `Could not create workspace "${workspaceName}".`, + why: "The deployment already had users, and the bootstrap could not create the explicitly requested new workspace.", + fix: [ + "Try a different workspace name, or choose one of the existing workspaces on the deployment.", + ], + details: toErrorMessage(error), + }); + } +} + +async function switchWorkspace(runtime, convexUrl, token, workspaceId) { + await callConvexJson( + runtime, + convexUrl, + "mutation", + "auth:switchWorkspace", + { workspaceId }, + token + ); +} + +function findWorkspace(workspaces, workspaceId) { + return (workspaces || []).find((workspace) => workspace && workspace._id === workspaceId) || null; +} + +async function chooseWorkspace(runtime, options, currentUserPayload, convexUrl, token) { + const workspaces = currentUserPayload?.workspaces || []; + const activeWorkspaceId = currentUserPayload?.user?.workspaceId || null; + + if (workspaces.length === 0 && !options.createWorkspace) { + throw new SetupError({ + summary: "The authenticated account does not have any workspaces to reuse.", + why: "Opencom needs a workspace ID before it can populate the local env files.", + fix: [ + 'Create a workspace in the app and rerun the bootstrap, or rerun ./scripts/setup.sh --create-workspace --workspace "My Workspace".', + ], + }); + } + + if (options.createWorkspace) { + const workspaceName = + options.workspaceName || + (options.nonInteractive + ? "" + : await runtime.ui.ask("New workspace name", { required: true })); + if (!workspaceName) { + throw new SetupError({ + summary: + "A workspace name is required when creating a new workspace on an existing deployment.", + why: "The bootstrap cannot create a new workspace without a name.", + fix: [ + 'Pass --workspace "My Workspace", or rerun interactively and provide the name when prompted.', + ], + }); + } + + const workspaceId = await createWorkspace(runtime, convexUrl, token, workspaceName); + await switchWorkspace(runtime, convexUrl, token, workspaceId); + return { workspaceId, created: true }; + } + + if (options.nonInteractive || workspaces.length === 1) { + return { + workspaceId: activeWorkspaceId || workspaces[0]._id, + created: false, + }; + } + + const choices = workspaces.map((workspace) => ({ + label: + workspace._id === activeWorkspaceId + ? `${workspace.name} (${workspace.role}, current)` + : `${workspace.name} (${workspace.role})`, + value: workspace._id, + })); + choices.push({ + label: "Create a new workspace for this account", + value: "__create_workspace__", + }); + + const defaultIndex = Math.max( + choices.findIndex((choice) => choice.value === activeWorkspaceId), + 0 + ); + + const selected = await runtime.ui.select( + "Choose the workspace to wire into your local env files:", + choices, + defaultIndex + ); + + if (selected === "__create_workspace__") { + const workspaceName = await runtime.ui.ask("New workspace name", { required: true }); + const workspaceId = await createWorkspace(runtime, convexUrl, token, workspaceName); + await switchWorkspace(runtime, convexUrl, token, workspaceId); + return { workspaceId, created: true }; + } + + if (selected !== activeWorkspaceId) { + await switchWorkspace(runtime, convexUrl, token, selected); + } + + return { workspaceId: selected, created: false }; +} + +async function resolveWorkspace(runtime, options, convexConfig) { + logSection(runtime, "4. Create Or Reuse The Bootstrap Workspace"); + const state = await getSetupState(runtime, convexConfig.convexUrl); + + if (!state?.hasUsers) { + runtime.log( + "The deployment is empty, so the bootstrap will create the first admin account/workspace." + ); + const credentials = await collectSignupCredentials(runtime, options); + const token = await signInWithPassword(runtime, convexConfig.convexUrl, { + flow: "signUp", + email: credentials.email, + password: credentials.password, + name: credentials.adminName, + ...(credentials.workspaceName + ? { + workspaceName: credentials.workspaceName, + } + : {}), + }); + + const currentUser = await getCurrentUser(runtime, convexConfig.convexUrl, token); + const workspace = findWorkspace(currentUser?.workspaces, currentUser?.user?.workspaceId); + if (!workspace || !currentUser?.user?.workspaceId) { + throw new SetupError({ + summary: + "Sign-up succeeded, but the bootstrap could not resolve the newly created workspace.", + why: "The local env propagation step needs the authenticated workspace identifier.", + fix: [ + "Inspect auth:currentUser on the configured deployment, then rerun ./scripts/setup.sh once the account/workspace exists.", + ], + }); + } + + logSuccess(runtime, `Created bootstrap admin ${credentials.email}.`); + logSuccess(runtime, `Resolved workspace ${workspace.name} (${workspace._id}).`); + return { + adminEmail: credentials.email, + workspaceId: workspace._id, + workspaceName: workspace.name, + }; + } + + runtime.log( + "This deployment already has users. The bootstrap will reuse an existing admin account by default." + ); + const credentials = await collectSigninCredentials(runtime, options); + const token = await signInWithPassword(runtime, convexConfig.convexUrl, { + flow: "signIn", + email: credentials.email, + password: credentials.password, + }); + const currentUser = await getCurrentUser(runtime, convexConfig.convexUrl, token); + const selection = await chooseWorkspace( + runtime, + options, + currentUser, + convexConfig.convexUrl, + token + ); + const refreshedCurrentUser = await getCurrentUser(runtime, convexConfig.convexUrl, token); + const workspace = findWorkspace(refreshedCurrentUser?.workspaces, selection.workspaceId); + if (!workspace) { + throw new SetupError({ + summary: "The selected workspace could not be resolved after authentication.", + why: "Opencom cannot populate the local env files with a workspace that is not visible to the authenticated account.", + fix: [ + "Choose a different workspace, or confirm the account has access to the workspace you selected.", + ], + }); + } + + logSuccess( + runtime, + `${selection.created ? "Created" : "Using"} workspace ${workspace.name} (${workspace._id}).` + ); + return { + adminEmail: credentials.email, + workspaceId: workspace._id, + workspaceName: workspace.name, + }; +} + +async function writeManagedEnvFiles(runtime, context) { + logSection(runtime, "5. Propagate Local Env Files Safely"); + + for (const target of LOCAL_ENV_TARGETS) { + const absolutePath = path.join(runtime.rootDir, target.relativePath); + const desiredEntries = target.values(context); + const existingContent = (await runtime.exists(absolutePath)) + ? await runtime.readFile(absolutePath, "utf8") + : ""; + const nextContent = mergeEnvFileContent(existingContent, desiredEntries, target.managedComment); + + await runtime.writeFile(absolutePath, nextContent); + const verifiedValues = await readEnvFile(absolutePath); + + for (const [key, expectedValue] of Object.entries(desiredEntries)) { + if (String(verifiedValues[key] || "") !== String(expectedValue)) { + throw new SetupError({ + summary: `Failed to verify ${key} in ${target.relativePath}.`, + why: "The setup only succeeds if each local env file contains the same backend URL and workspace ID mapping it just resolved.", + fix: [ + `Inspect ${target.relativePath} and remove any conflicting manual value for ${key}, then rerun the setup.`, + ], + }); + } + } + + logSuccess(runtime, `Updated ${target.relativePath} without overwriting unrelated entries.`); + } +} + +async function evaluateOptionalProfiles(runtime) { + const results = []; + + for (const profile of OPTIONAL_BACKEND_PROFILES) { + const missingReasons = []; + for (const check of profile.checks) { + const values = []; + for (const key of check.keys) { + values.push(await getBackendEnvValue(runtime, key)); + } + + const passes = (() => { + if (check.mode === "any") { + return values.some((value) => value && (!check.validate || check.validate(value))); + } + return values.every((value) => value && (!check.validate || check.validate(value))); + })(); + + if (!passes) { + missingReasons.push(check.message); + } + } + + results.push({ + ...profile, + enabled: missingReasons.length === 0, + missingReasons, + }); + } + + return results; +} + +function printSetupSummary(runtime, summary, optionalProfiles) { + logSection(runtime, "6. Setup Summary"); + runtime.log(`Deployment: ${summary.deployment}`); + runtime.log(`Backend URL: ${summary.convexUrl}`); + runtime.log(`Workspace: ${summary.workspaceName} (${summary.workspaceId})`); + runtime.log(`Bootstrap admin: ${summary.adminEmail}`); + + const disabledProfiles = optionalProfiles.filter((profile) => !profile.enabled); + if (disabledProfiles.length > 0) { + runtime.log("\nOptional features still disabled:"); + for (const profile of disabledProfiles) { + runtime.log(`- ${profile.label}: ${profile.missingReasons.join("; ")}`); + } + } + + runtime.log("\nNext steps:"); + runtime.log("- pnpm dev:web"); + runtime.log("- pnpm dev:widget"); + runtime.log("- pnpm dev:landing"); + runtime.log("- pnpm dev:mobile"); +} + +async function maybeStartDevServers(runtime, options) { + if (options.skipDev) { + return; + } + + const shouldStart = options.startDev + ? true + : options.nonInteractive + ? false + : await runtime.ui.confirm("Start the web and widget dev servers now?", false); + + if (!shouldStart) { + return; + } + + logSection(runtime, "Starting Dev Servers"); + runtime.log("Launching pnpm dev:web and pnpm dev:widget. Press Ctrl+C to stop both."); + + const webProcess = spawn("pnpm", ["dev:web"], { + cwd: runtime.rootDir, + stdio: "inherit", + env: process.env, + }); + const widgetProcess = spawn("pnpm", ["dev:widget"], { + cwd: runtime.rootDir, + stdio: "inherit", + env: process.env, + }); + + const stopChildren = () => { + if (!webProcess.killed) { + webProcess.kill("SIGTERM"); + } + if (!widgetProcess.killed) { + widgetProcess.kill("SIGTERM"); + } + }; + + process.once("SIGINT", stopChildren); + process.once("SIGTERM", stopChildren); + + await new Promise((resolve, reject) => { + let settled = false; + + function finish(error) { + if (settled) { + return; + } + settled = true; + process.removeListener("SIGINT", stopChildren); + process.removeListener("SIGTERM", stopChildren); + if (error) { + reject(error); + return; + } + resolve(); + } + + webProcess.on("error", finish); + widgetProcess.on("error", finish); + webProcess.on("exit", (code) => { + if (code && code !== 0) { + finish(new Error(`pnpm dev:web exited with code ${code}.`)); + return; + } + stopChildren(); + finish(); + }); + widgetProcess.on("exit", (code) => { + if (code && code !== 0) { + finish(new Error(`pnpm dev:widget exited with code ${code}.`)); + return; + } + stopChildren(); + finish(); + }); + }); +} + +async function runSetup(options, runtime = createRuntime()) { + await installDependencies(runtime); + const convexConfig = await ensureConvexDeployment(runtime, options); + await ensureCoreBackendEnv(runtime); + const workspace = await resolveWorkspace(runtime, options, convexConfig); + await writeManagedEnvFiles(runtime, { + convexUrl: convexConfig.convexUrl, + workspaceId: workspace.workspaceId, + }); + const optionalProfiles = await evaluateOptionalProfiles(runtime); + printSetupSummary( + runtime, + { + adminEmail: workspace.adminEmail, + deployment: convexConfig.deployment, + convexUrl: convexConfig.convexUrl, + workspaceId: workspace.workspaceId, + workspaceName: workspace.workspaceName, + }, + optionalProfiles + ); + await maybeStartDevServers(runtime, options); +} + +async function resolveUpdateEnvInputs(runtime, options) { + const convexEnv = await readEnvFile(path.join(runtime.rootDir, CONVEX_ENV_FILE)); + const webEnv = await readEnvFile(path.join(runtime.rootDir, "apps/web/.env.local")); + const widgetEnv = await readEnvFile(path.join(runtime.rootDir, "apps/widget/.env.local")); + const landingEnv = await readEnvFile(path.join(runtime.rootDir, "apps/landing/.env.local")); + + const convexUrl = + options.convexUrl || + convexEnv.CONVEX_URL || + convexEnv.E2E_BACKEND_URL || + webEnv.NEXT_PUBLIC_CONVEX_URL || + webEnv.E2E_BACKEND_URL || + ""; + const workspaceId = + options.workspaceId || + convexEnv.WORKSPACE_ID || + widgetEnv.VITE_WORKSPACE_ID || + landingEnv.NEXT_PUBLIC_WORKSPACE_ID || + ""; + + const resolvedConvexUrl = + convexUrl || + (options.nonInteractive ? "" : await runtime.ui.ask("Convex URL", { required: true })); + const resolvedWorkspaceId = + workspaceId || + (options.nonInteractive ? "" : await runtime.ui.ask("Workspace ID", { required: true })); + + if (!resolvedConvexUrl || !resolvedWorkspaceId) { + throw new SetupError({ + summary: "Convex URL and workspace ID are both required to update local env files.", + why: "The shared env propagation logic needs both values before it can write consistent local app configuration.", + fix: ["Pass --url and --workspace, or rerun ./scripts/update-env.sh interactively."], + }); + } + + return { + convexUrl: sanitizeConvexUrl(resolvedConvexUrl), + workspaceId: resolvedWorkspaceId.trim(), + }; +} + +async function runUpdateEnv(options, runtime = createRuntime()) { + logSection(runtime, "Update Local Env Files"); + const resolved = await resolveUpdateEnvInputs(runtime, options); + await writeManagedEnvFiles(runtime, resolved); + runtime.log("\nUpdated local env files successfully."); + runtime.log(`Backend URL: ${resolved.convexUrl}`); + runtime.log(`Workspace ID: ${resolved.workspaceId}`); +} + +function printSetupUsage(runtime) { + runtime.log("Usage: ./scripts/setup.sh [options]"); + runtime.log(""); + runtime.log("Options:"); + runtime.log(" --email Bootstrap or existing admin email"); + runtime.log(" --password Bootstrap or existing admin password"); + runtime.log(" --name Bootstrap admin display name"); + runtime.log(" --workspace Workspace name (new workspace only)"); + runtime.log(" --reconfigure Force Convex CLI reconfiguration"); + runtime.log(" --create-workspace Create a new workspace on an existing deployment"); + runtime.log(" --skip-dev Never prompt to start dev servers"); + runtime.log(" --start-dev Start web + widget dev servers after setup"); + runtime.log(" --non-interactive Disable prompts (requires --email and --password)"); + runtime.log(" -h, --help Show this help message"); +} + +function printUpdateEnvUsage(runtime) { + runtime.log("Usage: ./scripts/update-env.sh [options]"); + runtime.log(""); + runtime.log("Options:"); + runtime.log(" --url Convex deployment URL"); + runtime.log(" --workspace Workspace ID"); + runtime.log(" --non-interactive Disable prompts"); + runtime.log(" -h, --help Show this help message"); +} + +function parseSetupArgs(argv) { + const options = { + adminEmail: "", + adminPassword: "", + adminName: "", + workspaceName: "", + createWorkspace: false, + reconfigure: false, + skipDev: false, + startDev: false, + nonInteractive: false, + help: false, + }; + + for (let index = 0; index < argv.length; index += 1) { + const argument = argv[index]; + switch (argument) { + case "--email": + options.adminEmail = argv[index + 1] || ""; + index += 1; + break; + case "--password": + options.adminPassword = argv[index + 1] || ""; + index += 1; + break; + case "--name": + options.adminName = argv[index + 1] || ""; + index += 1; + break; + case "--workspace": + options.workspaceName = argv[index + 1] || ""; + index += 1; + break; + case "--create-workspace": + options.createWorkspace = true; + break; + case "--reconfigure": + options.reconfigure = true; + break; + case "--skip-dev": + options.skipDev = true; + break; + case "--start-dev": + options.startDev = true; + break; + case "--non-interactive": + options.nonInteractive = true; + break; + case "-h": + case "--help": + options.help = true; + break; + default: + throw new SetupError({ + summary: `Unknown option: ${argument}`, + fix: ["Run ./scripts/setup.sh --help to see the supported flags."], + }); + } + } + + return options; +} + +function parseUpdateEnvArgs(argv) { + const options = { + convexUrl: "", + workspaceId: "", + nonInteractive: false, + help: false, + }; + + for (let index = 0; index < argv.length; index += 1) { + const argument = argv[index]; + switch (argument) { + case "--url": + options.convexUrl = argv[index + 1] || ""; + index += 1; + break; + case "--workspace": + options.workspaceId = argv[index + 1] || ""; + index += 1; + break; + case "--non-interactive": + options.nonInteractive = true; + break; + case "-h": + case "--help": + options.help = true; + break; + default: + throw new SetupError({ + summary: `Unknown option: ${argument}`, + fix: ["Run ./scripts/update-env.sh --help to see the supported flags."], + }); + } + } + + return options; +} + +function printSetupFailure(runtime, error) { + runtime.error(`\n${colorize(COLORS.red, "Setup failed.", runtime)}`); + runtime.error(`What went wrong: ${error.summary || toErrorMessage(error)}`); + if (error.why) { + runtime.error(`Why it matters: ${error.why}`); + } + if (error.fix && error.fix.length > 0) { + runtime.error("How to fix it:"); + for (const step of error.fix) { + runtime.error(`- ${step}`); + } + } + if (error.details) { + runtime.error("Backend/command details:"); + runtime.error(error.details); + } +} + +async function runSetupCli(argv, runtime = createRuntime()) { + let options; + try { + options = parseSetupArgs(argv); + } catch (error) { + printSetupFailure(runtime, error); + return 1; + } + + if (options.help) { + printSetupUsage(runtime); + return 0; + } + + try { + await runSetup(options, runtime); + return 0; + } catch (error) { + printSetupFailure(runtime, error); + return 1; + } finally { + if (runtime.ui?.close) { + await runtime.ui.close(); + } + } +} + +async function runUpdateEnvCli(argv, runtime = createRuntime()) { + let options; + try { + options = parseUpdateEnvArgs(argv); + } catch (error) { + printSetupFailure(runtime, error); + return 1; + } + + if (options.help) { + printUpdateEnvUsage(runtime); + return 0; + } + + try { + await runUpdateEnv(options, runtime); + return 0; + } catch (error) { + printSetupFailure(runtime, error); + return 1; + } finally { + if (runtime.ui?.close) { + await runtime.ui.close(); + } + } +} + +if (require.main === module) { + runSetupCli(process.argv.slice(2)).then((code) => { + process.exitCode = code; + }); +} + +module.exports = { + CONVEX_ENV_FILE, + SetupError, + convexCloudToSiteUrl, + createRuntime, + generateJwtKeyPair, + mergeEnvFileContent, + parseEnvContent, + readEnvFile, + runSetup, + runSetupCli, + runUpdateEnv, + runUpdateEnvCli, + sanitizeConvexUrl, +}; diff --git a/scripts/setup.sh b/scripts/setup.sh index 8e44465..260c9e0 100755 --- a/scripts/setup.sh +++ b/scripts/setup.sh @@ -1,350 +1,32 @@ #!/bin/bash -set -e +set -euo pipefail -# Colors for output -RED='\033[0;31m' -GREEN='\033[0;32m' -YELLOW='\033[1;33m' -BLUE='\033[0;34m' -NC='\033[0m' # No Color - -# Script directory SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" ROOT_DIR="$(dirname "$SCRIPT_DIR")" -echo -e "${BLUE}╔════════════════════════════════════════════════════════════╗${NC}" -echo -e "${BLUE}║ Opencom Self-Host Setup Script ║${NC}" -echo -e "${BLUE}╚════════════════════════════════════════════════════════════╝${NC}" -echo "" - -# Parse arguments -ADMIN_EMAIL="" -ADMIN_PASSWORD="" -ADMIN_NAME="" -WORKSPACE_NAME="" -SKIP_DEV_SERVER=false -NON_INTERACTIVE=false - -while [[ $# -gt 0 ]]; do - case $1 in - --email) - ADMIN_EMAIL="$2" - shift 2 - ;; - --password) - ADMIN_PASSWORD="$2" - shift 2 - ;; - --name) - ADMIN_NAME="$2" - shift 2 - ;; - --workspace) - WORKSPACE_NAME="$2" - shift 2 - ;; - --skip-dev) - SKIP_DEV_SERVER=true - shift - ;; - --non-interactive) - NON_INTERACTIVE=true - shift - ;; - -h|--help) - echo "Usage: ./setup.sh [options]" - echo "" - echo "Options:" - echo " --email EMAIL Admin email address" - echo " --password PASSWORD Admin password" - echo " --name NAME Admin display name" - echo " --workspace NAME Workspace name (default: My Workspace)" - echo " --skip-dev Skip starting dev servers" - echo " --non-interactive Run without prompts (requires --email and --password)" - echo " -h, --help Show this help message" - exit 0 - ;; - *) - echo -e "${RED}Unknown option: $1${NC}" - exit 1 - ;; - esac -done - -# Function to check command exists -check_command() { - if ! command -v "$1" &> /dev/null; then - echo -e "${RED}Error: $1 is not installed${NC}" - return 1 - fi - return 0 -} - -# Function to check version -check_version() { - local cmd=$1 - local required=$2 - local current - - if [ "$cmd" = "node" ]; then - current=$(node -v | sed 's/v//' | cut -d. -f1) - elif [ "$cmd" = "pnpm" ]; then - current=$(pnpm -v | cut -d. -f1) - fi - - if [ "$current" -lt "$required" ]; then - echo -e "${RED}Error: $cmd version $required+ required, found $current${NC}" - return 1 - fi - return 0 -} - -# Step 1: Check prerequisites -echo -e "${YELLOW}[1/8] Checking prerequisites...${NC}" - -if ! check_command "node"; then - echo -e "${RED}Please install Node.js 18+ from https://nodejs.org${NC}" +if ! command -v node >/dev/null 2>&1; then + echo "Error: node is required. Install Node.js 18+ and rerun ./scripts/setup.sh." >&2 exit 1 fi -if ! check_version "node" 18; then - echo -e "${RED}Please upgrade Node.js to version 18+${NC}" +if ! command -v pnpm >/dev/null 2>&1; then + echo "Error: pnpm is required. Install PNPM 9+ and rerun ./scripts/setup.sh." >&2 exit 1 fi -echo -e " ${GREEN}✓${NC} Node.js $(node -v)" -if ! check_command "pnpm"; then - echo -e "${RED}Please install pnpm: npm install -g pnpm${NC}" +NODE_VERSION="$(node -v)" +NODE_MAJOR="$(printf '%s\n' "$NODE_VERSION" | sed 's/^v//' | cut -d. -f1)" +if ! [[ "$NODE_MAJOR" =~ ^[0-9]+$ ]] || [ "${NODE_MAJOR}" -lt 18 ]; then + echo "Error: Node.js 18+ is required. Found ${NODE_VERSION:-unknown}." >&2 exit 1 fi -if ! check_version "pnpm" 9; then - echo -e "${YELLOW}Warning: pnpm 9+ recommended, found $(pnpm -v)${NC}" -fi -echo -e " ${GREEN}✓${NC} pnpm $(pnpm -v)" - -# Step 2: Install dependencies -echo "" -echo -e "${YELLOW}[2/8] Installing dependencies...${NC}" -cd "$ROOT_DIR" -pnpm install - -# Step 3: Check Convex login -echo "" -echo -e "${YELLOW}[3/8] Checking Convex authentication...${NC}" -cd "$ROOT_DIR/packages/convex" - -if ! npx convex whoami &> /dev/null; then - echo -e "${YELLOW}You need to log in to Convex.${NC}" - echo -e "Running: npx convex login" - npx convex login -fi -echo -e " ${GREEN}✓${NC} Logged in to Convex" - -# Step 4: Deploy Convex -echo "" -echo -e "${YELLOW}[4/8] Setting up Convex project...${NC}" - -# Generate a unique project name -PROJECT_NAME="opencom-$(date +%s | tail -c 6)" - -# Run convex dev --once and capture output -echo -e "Creating Convex project: ${PROJECT_NAME}" -CONVEX_OUTPUT=$(npx convex dev --once --project "$PROJECT_NAME" 2>&1) || true - -# Extract the deployment URL -CONVEX_URL=$(echo "$CONVEX_OUTPUT" | grep -oE 'https://[a-zA-Z0-9-]+\.convex\.cloud' | head -1) - -if [ -z "$CONVEX_URL" ]; then - # Try to get it from .env.local if it was created - if [ -f ".env.local" ]; then - CONVEX_URL=$(grep "CONVEX_DEPLOYMENT" .env.local | cut -d'=' -f2 | sed 's/"//g') - if [ -z "$CONVEX_URL" ]; then - CONVEX_URL=$(grep "NEXT_PUBLIC_CONVEX_URL" .env.local | cut -d'=' -f2 | sed 's/"//g') - fi - fi -fi - -if [ -z "$CONVEX_URL" ]; then - echo -e "${RED}Could not determine Convex deployment URL${NC}" - echo "Please check if the deployment succeeded and try again." - echo "Output was: $CONVEX_OUTPUT" +PNPM_VERSION="$(pnpm -v)" +PNPM_MAJOR="${PNPM_VERSION%%.*}" +if ! [[ "$PNPM_MAJOR" =~ ^[0-9]+$ ]] || [ "${PNPM_MAJOR}" -lt 9 ]; then + echo "Error: PNPM 9+ is required. Found ${PNPM_VERSION:-unknown}. Install PNPM 9+ and rerun ./scripts/setup.sh." >&2 exit 1 fi -echo -e " ${GREEN}✓${NC} Convex deployed: $CONVEX_URL" - -# Step 5: Generate and set AUTH_SECRET -echo "" -echo -e "${YELLOW}[5/8] Setting up environment variables...${NC}" - -# Generate AUTH_SECRET -if command -v openssl &> /dev/null; then - AUTH_SECRET=$(openssl rand -base64 32) -else - # Fallback to Node.js - AUTH_SECRET=$(node -e "console.log(require('crypto').randomBytes(32).toString('base64'))") -fi - -echo -e " ${GREEN}✓${NC} Generated AUTH_SECRET" - -# Set AUTH_SECRET in Convex -echo "Setting AUTH_SECRET in Convex environment..." -npx convex env set AUTH_SECRET "$AUTH_SECRET" 2>/dev/null || echo -e "${YELLOW}Note: Could not set AUTH_SECRET automatically. Please set it manually in Convex dashboard.${NC}" - -# Set SITE_URL for Convex Auth (required for OTP email verification) -echo "Setting SITE_URL in Convex environment..." -npx convex env set SITE_URL "http://localhost:3000" 2>/dev/null || echo -e "${YELLOW}Note: Could not set SITE_URL automatically. Please set it manually in Convex dashboard.${NC}" -echo -e "${YELLOW}Note: Update SITE_URL in Convex dashboard when deploying to production.${NC}" - -# Step 6: Get admin credentials -echo "" -echo -e "${YELLOW}[6/8] Creating admin account...${NC}" - -if [ -z "$ADMIN_EMAIL" ]; then - if [ "$NON_INTERACTIVE" = true ]; then - echo -e "${RED}Error: --email required in non-interactive mode${NC}" - exit 1 - fi - read -p "Enter admin email: " ADMIN_EMAIL -fi - -if [ -z "$ADMIN_PASSWORD" ]; then - if [ "$NON_INTERACTIVE" = true ]; then - echo -e "${RED}Error: --password required in non-interactive mode${NC}" - exit 1 - fi - read -s -p "Enter admin password: " ADMIN_PASSWORD - echo "" -fi - -if [ -z "$ADMIN_NAME" ]; then - ADMIN_NAME="${ADMIN_EMAIL%%@*}" -fi - -if [ -z "$WORKSPACE_NAME" ]; then - WORKSPACE_NAME="My Workspace" -fi - -# Step 7: Create admin account via auth:signup -echo "" -echo -e "${YELLOW}[7/8] Creating workspace and admin user...${NC}" - -# Check if setup has already been done -EXISTING_SETUP=$(npx convex run setup:checkExistingSetup '{}' 2>&1) || true - -if echo "$EXISTING_SETUP" | grep -q '"hasUsers":true'; then - echo -e "${YELLOW}Note: Users already exist in this Convex deployment.${NC}" - echo -e "${YELLOW}Attempting to create new admin account anyway...${NC}" -fi - -# Use the existing auth:signup mutation (same code path as normal signup) -SIGNUP_ARGS="{\"email\":\"$ADMIN_EMAIL\",\"password\":\"$ADMIN_PASSWORD\",\"name\":\"$ADMIN_NAME\",\"workspaceName\":\"$WORKSPACE_NAME\"}" - -SIGNUP_RESULT=$(npx convex run auth:signup "$SIGNUP_ARGS" 2>&1) || true - -# Parse the workspace ID from the user object in the result -WORKSPACE_ID=$(echo "$SIGNUP_RESULT" | grep -oE '"workspaceId":\s*"[^"]+"' | sed 's/"workspaceId":\s*"//' | sed 's/"$//' | head -1) - -if [ -z "$WORKSPACE_ID" ]; then - # Try alternate parsing for Convex IDs - WORKSPACE_ID=$(echo "$SIGNUP_RESULT" | grep -oE '[a-z0-9]{32}' | head -1) -fi - -if echo "$SIGNUP_RESULT" | grep -q 'already exists'; then - echo -e "${RED}Error: User with email $ADMIN_EMAIL already exists${NC}" - echo -e "${YELLOW}You can log in with this email on the web dashboard.${NC}" - echo -e "${YELLOW}To get the workspace ID, check the Convex dashboard or web app settings.${NC}" - WORKSPACE_ID="YOUR_WORKSPACE_ID" -fi - -if [ -z "$WORKSPACE_ID" ] || [ "$WORKSPACE_ID" = "YOUR_WORKSPACE_ID" ]; then - echo -e "${YELLOW}Warning: Could not parse workspace ID from signup result.${NC}" - echo -e "${YELLOW}You may need to get it from Convex dashboard or web app settings.${NC}" - WORKSPACE_ID="YOUR_WORKSPACE_ID" -else - echo -e " ${GREEN}✓${NC} Workspace created: $WORKSPACE_ID" - echo -e " ${GREEN}✓${NC} Admin user created: $ADMIN_EMAIL" -fi - -# Step 8: Generate .env.local files -echo "" -echo -e "${YELLOW}[8/8] Generating environment files...${NC}" - -cd "$ROOT_DIR" - -# apps/web/.env.local -cat > apps/web/.env.local << EOF -NEXT_PUBLIC_CONVEX_URL=$CONVEX_URL -NEXT_PUBLIC_OPENCOM_DEFAULT_BACKEND_URL=$CONVEX_URL -EOF -echo -e " ${GREEN}✓${NC} Created apps/web/.env.local" - -# apps/widget/.env.local -cat > apps/widget/.env.local << EOF -VITE_CONVEX_URL=$CONVEX_URL -VITE_WORKSPACE_ID=$WORKSPACE_ID -EOF -echo -e " ${GREEN}✓${NC} Created apps/widget/.env.local" - -# apps/mobile/.env.local -cat > apps/mobile/.env.local << EOF -EXPO_PUBLIC_OPENCOM_DEFAULT_BACKEND_URL=$CONVEX_URL -EXPO_PUBLIC_CONVEX_URL=$CONVEX_URL -EXPO_PUBLIC_WORKSPACE_ID=$WORKSPACE_ID -EOF -echo -e " ${GREEN}✓${NC} Created apps/mobile/.env.local" - -# packages/react-native-sdk/example/.env.local -cat > packages/react-native-sdk/example/.env.local << EOF -EXPO_PUBLIC_CONVEX_URL=$CONVEX_URL -EXPO_PUBLIC_WORKSPACE_ID=$WORKSPACE_ID -EOF -echo -e " ${GREEN}✓${NC} Created packages/react-native-sdk/example/.env.local" - -# packages/convex/.env.local (for Convex URL reference) -cat > packages/convex/.env.local << EOF -CONVEX_URL=$CONVEX_URL -EOF -echo -e " ${GREEN}✓${NC} Created packages/convex/.env.local" - -# Success message -echo "" -echo -e "${GREEN}╔════════════════════════════════════════════════════════════╗${NC}" -echo -e "${GREEN}║ Setup Complete! ║${NC}" -echo -e "${GREEN}╚════════════════════════════════════════════════════════════╝${NC}" -echo "" -echo -e "${BLUE}Configuration:${NC}" -echo -e " Convex URL: $CONVEX_URL" -echo -e " Workspace ID: $WORKSPACE_ID" -echo -e " Admin Email: $ADMIN_EMAIL" -echo "" - -if [ "$SKIP_DEV_SERVER" = true ]; then - echo -e "${BLUE}To start development servers:${NC}" - echo -e " pnpm dev:web # Web dashboard at http://localhost:3000" - echo -e " pnpm dev:widget # Widget at http://localhost:5173" - echo "" -else - echo -e "${BLUE}Starting development servers...${NC}" - echo "" - echo -e " Web dashboard: ${GREEN}http://localhost:3000${NC}" - echo -e " Widget: ${GREEN}http://localhost:5173${NC}" - echo "" - echo -e "Press Ctrl+C to stop the servers." - echo "" - - # Start dev servers - pnpm dev:web & pnpm dev:widget & - wait -fi - -echo -e "${BLUE}To run the React Native SDK example:${NC}" -echo -e " cd packages/react-native-sdk/example" -echo -e " pnpm start" -echo "" -echo -e "${BLUE}Login credentials:${NC}" -echo -e " Email: $ADMIN_EMAIL" -echo -e " Password: (the one you provided)" -echo "" +exec node "$ROOT_DIR/scripts/local-convex-setup.js" "$@" diff --git a/scripts/tests/local-convex-setup.test.js b/scripts/tests/local-convex-setup.test.js new file mode 100644 index 0000000..df64c45 --- /dev/null +++ b/scripts/tests/local-convex-setup.test.js @@ -0,0 +1,630 @@ +"use strict"; + +const test = require("node:test"); +const assert = require("node:assert/strict"); +const { spawnSync } = require("node:child_process"); +const fs = require("node:fs/promises"); +const os = require("node:os"); +const path = require("node:path"); + +const { + SetupError, + generateJwtKeyPair, + mergeEnvFileContent, + parseEnvContent, + readEnvFile, + runSetup, + runUpdateEnv, +} = require("../local-convex-setup"); + +const GENERATED_JWT_PRIVATE_KEY = "generated-jwt-private-key"; +const GENERATED_JWKS = JSON.stringify({ + keys: [{ use: "sig", kty: "RSA", n: "generated-modulus", e: "AQAB" }], +}); + +async function createTempRepo() { + const rootDir = await fs.mkdtemp(path.join(os.tmpdir(), "opencom-local-setup-")); + await fs.mkdir(path.join(rootDir, "packages/convex"), { recursive: true }); + await fs.mkdir(path.join(rootDir, "packages/react-native-sdk/example"), { recursive: true }); + await fs.mkdir(path.join(rootDir, "apps/web"), { recursive: true }); + await fs.mkdir(path.join(rootDir, "apps/widget"), { recursive: true }); + await fs.mkdir(path.join(rootDir, "apps/mobile"), { recursive: true }); + await fs.mkdir(path.join(rootDir, "apps/landing"), { recursive: true }); + return rootDir; +} + +async function writeExecutable(filePath, contents) { + await fs.writeFile(filePath, contents, "utf8"); + await fs.chmod(filePath, 0o755); +} + +async function createFakeBin(tools) { + const binDir = await fs.mkdtemp(path.join(os.tmpdir(), "opencom-local-setup-bin-")); + for (const [name, contents] of Object.entries(tools)) { + await writeExecutable(path.join(binDir, name), contents); + } + return binDir; +} + +function runWrapperWithFakePath(scriptName, fakeBinDir) { + const repoRoot = path.resolve(__dirname, "../.."); + return spawnSync("bash", [path.join(repoRoot, "scripts", scriptName), "--help"], { + cwd: repoRoot, + env: { + ...process.env, + PATH: `${fakeBinDir}${path.delimiter}${process.env.PATH || ""}`, + }, + encoding: "utf8", + }); +} + +function createHarness({ + rootDir, + initialConvexEnv = "", + backendEnv = {}, + setupState = { hasUsers: false, hasWorkspaces: false }, + workspaces = [], + authError = "", + requireWorkspaceCreation = false, +}) { + const commands = []; + const envStore = { ...backendEnv }; + const tokenValue = "token-local-bootstrap"; + let activeWorkspaceId = workspaces[0]?._id || null; + let authAttempts = 0; + + async function ensureConvexEnvFile(contents) { + await fs.writeFile(path.join(rootDir, "packages/convex/.env.local"), contents, "utf8"); + } + + async function getFileContents(relativePath) { + return fs.readFile(path.join(rootDir, relativePath), "utf8"); + } + + const runtime = { + rootDir, + output: { + isTTY: false, + write() {}, + }, + ui: { + async ask() { + return ""; + }, + async askSecret() { + return ""; + }, + async confirm() { + return true; + }, + async select(_question, options, defaultIndex) { + return options[defaultIndex].value; + }, + async close() {}, + }, + log() {}, + warn() {}, + error() {}, + generateJwtKeyPair() { + return { + JWT_PRIVATE_KEY: GENERATED_JWT_PRIVATE_KEY, + JWKS: GENERATED_JWKS, + }; + }, + async exists(filePath) { + try { + await fs.access(filePath); + return true; + } catch { + return false; + } + }, + async readFile(filePath, encoding = "utf8") { + return fs.readFile(filePath, encoding); + }, + async writeFile(filePath, contents) { + await fs.mkdir(path.dirname(filePath), { recursive: true }); + await fs.writeFile(filePath, contents, "utf8"); + }, + async runCommand(command, args) { + commands.push([command, ...args]); + const joined = `${command} ${args.join(" ")}`; + + if (joined === "pnpm install") { + return { stdout: "", stderr: "", code: 0 }; + } + + if ( + joined === "pnpm --filter @opencom/convex exec convex dev --once" || + joined === "pnpm --filter @opencom/convex exec convex dev --once --configure" + ) { + await ensureConvexEnvFile( + [ + initialConvexEnv, + 'CONVEX_DEPLOYMENT="dev:opencom-test"', + 'CONVEX_URL="https://opencom-test.convex.cloud"', + ] + .filter(Boolean) + .join("\n") + "\n" + ); + return { stdout: "", stderr: "", code: 0 }; + } + + if ( + command === "pnpm" && + args[0] === "--filter" && + args[1] === "@opencom/convex" && + args[2] === "exec" && + args[3] === "convex" && + args[4] === "env" && + args[5] === "get" + ) { + const key = args[6]; + if (envStore[key]) { + return { stdout: `${envStore[key]}\n`, stderr: "", code: 0 }; + } + const error = new Error(`missing env ${key}`); + error.stdout = ""; + error.stderr = `Environment variable ${key} is not set.`; + throw error; + } + + if ( + command === "pnpm" && + args[0] === "--filter" && + args[1] === "@opencom/convex" && + args[2] === "exec" && + args[3] === "convex" && + args[4] === "env" && + args[5] === "set" + ) { + if (args[6] === "--from-file") { + const parsedValues = parseEnvContent(await fs.readFile(args[7], "utf8")); + Object.assign(envStore, parsedValues); + return { stdout: "", stderr: "", code: 0 }; + } + envStore[args[6]] = args[7]; + return { stdout: "", stderr: "", code: 0 }; + } + + throw new Error(`Unexpected command: ${joined}`); + }, + async fetchImpl(_url, init) { + const request = JSON.parse(init.body); + + if (request.path === "setup:checkExistingSetup") { + return new Response(JSON.stringify(setupState), { status: 200 }); + } + + if (request.path === "auth:signIn") { + authAttempts += 1; + if (authError) { + return new Response(JSON.stringify({ status: "error", errorMessage: authError }), { + status: 200, + }); + } + + if (request.args.params.flow === "signUp" && workspaces.length === 0) { + workspaces.push({ + _id: "workspace_bootstrap", + name: request.args.params.workspaceName || "Bootstrap Workspace", + role: "admin", + }); + activeWorkspaceId = "workspace_bootstrap"; + } + + return new Response( + JSON.stringify({ + status: "success", + value: { + tokens: { + token: tokenValue, + refreshToken: "refresh-token", + }, + }, + }), + { status: 200 } + ); + } + + if (request.path === "auth:currentUser") { + if (requireWorkspaceCreation && !workspaces.length) { + return new Response( + JSON.stringify({ + user: { + _id: "user_1", + workspaceId: null, + }, + workspaces: [], + }), + { status: 200 } + ); + } + + return new Response( + JSON.stringify({ + user: { + _id: "user_1", + email: authAttempts > 0 ? "admin@example.com" : "unknown@example.com", + workspaceId: activeWorkspaceId, + }, + workspaces, + }), + { status: 200 } + ); + } + + if (request.path === "workspaces:create") { + const created = { + _id: "workspace_created", + name: request.args.name, + role: "owner", + }; + workspaces.push(created); + activeWorkspaceId = created._id; + return new Response(JSON.stringify(created._id), { status: 200 }); + } + + if (request.path === "auth:switchWorkspace") { + activeWorkspaceId = request.args.workspaceId; + return new Response(JSON.stringify({ success: true }), { status: 200 }); + } + + throw new Error(`Unexpected fetch path: ${request.path}`); + }, + }; + + return { + commands, + envStore, + getFileContents, + runtime, + }; +} + +test("setup.sh rejects pnpm older than the pinned major before running setup", async () => { + const fakeBin = await createFakeBin({ + node: "#!/bin/sh\nif [ \"$1\" = \"-v\" ]; then echo \"v18.20.0\"; exit 0; fi\necho \"unexpected node execution\" >&2\nexit 42\n", + pnpm: "#!/bin/sh\necho \"8.15.9\"\n", + }); + + const result = runWrapperWithFakePath("setup.sh", fakeBin); + + assert.equal(result.status, 1); + assert.match(result.stderr, /PNPM 9\+ is required/); + assert.match(result.stderr, /8\.15\.9/); +}); + +test("update-env.sh rejects Node older than the runtime contract", async () => { + const fakeBin = await createFakeBin({ + node: "#!/bin/sh\nif [ \"$1\" = \"-v\" ]; then echo \"v16.20.2\"; exit 0; fi\necho \"unexpected node execution\" >&2\nexit 42\n", + }); + + const result = runWrapperWithFakePath("update-env.sh", fakeBin); + + assert.equal(result.status, 1); + assert.match(result.stderr, /Node\.js 18\+ is required/); + assert.match(result.stderr, /v16\.20\.2/); +}); + +test("clean-environment setup configures deployment, auth env, and local files", async () => { + const rootDir = await createTempRepo(); + const harness = createHarness({ + rootDir, + backendEnv: {}, + setupState: { hasUsers: false, hasWorkspaces: false }, + workspaces: [], + }); + + await runSetup( + { + adminEmail: "admin@example.com", + adminPassword: "Opencom!123", + adminName: "Admin User", + workspaceName: "Fresh Workspace", + nonInteractive: true, + skipDev: true, + }, + harness.runtime + ); + + assert.equal(harness.envStore.JWT_PRIVATE_KEY, GENERATED_JWT_PRIVATE_KEY); + assert.equal(harness.envStore.JWKS, GENERATED_JWKS); + assert.equal(harness.envStore.SITE_URL, "http://localhost:3000"); + assert.ok( + harness.commands.some((command) => command.join(" ") === "pnpm install"), + "expected pnpm install to run" + ); + assert.ok( + harness.commands.some( + (command) => command.join(" ") === "pnpm --filter @opencom/convex exec convex dev --once" + ), + "expected convex dev --once to run" + ); + + const webEnv = await readEnvFile(path.join(rootDir, "apps/web/.env.local")); + const convexEnv = await readEnvFile(path.join(rootDir, "packages/convex/.env.local")); + + assert.equal(webEnv.NEXT_PUBLIC_CONVEX_URL, "https://opencom-test.convex.cloud"); + assert.equal(webEnv.NEXT_PUBLIC_TEST_WORKSPACE_ID, "workspace_bootstrap"); + assert.equal(convexEnv.CONVEX_DEPLOYMENT, "dev:opencom-test"); + assert.equal(convexEnv.CONVEX_URL, "https://opencom-test.convex.cloud"); + assert.equal(convexEnv.WORKSPACE_ID, "workspace_bootstrap"); + assert.equal(convexEnv.E2E_BACKEND_URL, "https://opencom-test.convex.cloud"); +}); + +test("rerun setup reuses existing deployment and preserves unrelated env entries", async () => { + const rootDir = await createTempRepo(); + await fs.writeFile( + path.join(rootDir, "packages/convex/.env.local"), + [ + "# Keep this comment", + 'CUSTOM_KEEP="yes"', + 'CONVEX_DEPLOYMENT="dev:existing"', + 'CONVEX_URL="https://existing.convex.cloud"', + ].join("\n") + "\n", + "utf8" + ); + await fs.writeFile( + path.join(rootDir, "apps/web/.env.local"), + ["# Existing web comment", 'MANUAL_FLAG="keep-me"', 'NEXT_PUBLIC_CONVEX_URL="stale"'].join( + "\n" + ) + "\n", + "utf8" + ); + + const harness = createHarness({ + rootDir, + backendEnv: { + JWT_PRIVATE_KEY: "already-configured-private-key", + JWKS: JSON.stringify({ keys: [{ use: "sig", kty: "RSA", n: "existing", e: "AQAB" }] }), + SITE_URL: "http://localhost:3000", + }, + setupState: { hasUsers: true, hasWorkspaces: true }, + workspaces: [ + { _id: "workspace_active", name: "Active Workspace", role: "admin" }, + { _id: "workspace_other", name: "Other Workspace", role: "agent" }, + ], + }); + + await runSetup( + { + adminEmail: "admin@example.com", + adminPassword: "Opencom!123", + nonInteractive: true, + skipDev: true, + }, + harness.runtime + ); + + assert.ok( + !harness.commands.some( + (command) => command.join(" ") === "pnpm --filter @opencom/convex exec convex dev --once" + ), + "expected existing deployment to be reused without reconfiguration" + ); + + const convexContent = await harness.getFileContents("packages/convex/.env.local"); + const webContent = await harness.getFileContents("apps/web/.env.local"); + const webEnv = parseEnvContent(webContent); + + assert.match(convexContent, /# Keep this comment/); + assert.match(convexContent, /CUSTOM_KEEP="yes"/); + assert.match(webContent, /# Existing web comment/); + assert.match(webContent, /MANUAL_FLAG="keep-me"/); + assert.equal(webEnv.NEXT_PUBLIC_TEST_WORKSPACE_ID, "workspace_active"); + assert.equal(webEnv.NEXT_PUBLIC_OPENCOM_DEFAULT_BACKEND_URL, "https://existing.convex.cloud"); +}); + +test("partial Convex Auth JWT env regenerates both paired values", async () => { + const rootDir = await createTempRepo(); + await fs.writeFile( + path.join(rootDir, "packages/convex/.env.local"), + [ + 'CONVEX_DEPLOYMENT="dev:existing"', + 'CONVEX_URL="https://existing.convex.cloud"', + ].join("\n") + "\n", + "utf8" + ); + + const harness = createHarness({ + rootDir, + backendEnv: { + JWT_PRIVATE_KEY: "stale-unpaired-private-key", + SITE_URL: "http://localhost:3000", + }, + setupState: { hasUsers: true, hasWorkspaces: true }, + workspaces: [{ _id: "workspace_active", name: "Active Workspace", role: "admin" }], + }); + + await runSetup( + { + adminEmail: "admin@example.com", + adminPassword: "Opencom!123", + nonInteractive: true, + skipDev: true, + }, + harness.runtime + ); + + assert.equal(harness.envStore.JWT_PRIVATE_KEY, GENERATED_JWT_PRIVATE_KEY); + assert.equal(harness.envStore.JWKS, GENERATED_JWKS); + assert.ok( + harness.commands.some( + (command) => + command[0] === "pnpm" && + command.slice(1, 8).join(" ") === + "--filter @opencom/convex exec convex env set --from-file" && + command.includes("--force") + ), + "expected JWT_PRIVATE_KEY and JWKS to be reset together from a file" + ); +}); + +test("malformed Convex Auth JWKS regenerates both paired values", async () => { + const rootDir = await createTempRepo(); + await fs.writeFile( + path.join(rootDir, "packages/convex/.env.local"), + [ + 'CONVEX_DEPLOYMENT="dev:existing"', + 'CONVEX_URL="https://existing.convex.cloud"', + ].join("\n") + "\n", + "utf8" + ); + + const harness = createHarness({ + rootDir, + backendEnv: { + JWT_PRIVATE_KEY: "-----BEGIN PRIVATE KEY----- stale -----END PRIVATE KEY-----", + JWKS: "{\\\"keys\\\":[{\\\"use\\\":\\\"sig\\\"}]}", + SITE_URL: "http://localhost:3000", + }, + setupState: { hasUsers: true, hasWorkspaces: true }, + workspaces: [{ _id: "workspace_active", name: "Active Workspace", role: "admin" }], + }); + + await runSetup( + { + adminEmail: "admin@example.com", + adminPassword: "Opencom!123", + nonInteractive: true, + skipDev: true, + }, + harness.runtime + ); + + assert.equal(harness.envStore.JWT_PRIVATE_KEY, GENERATED_JWT_PRIVATE_KEY); + assert.equal(harness.envStore.JWKS, GENERATED_JWKS); +}); + +test("setup surfaces actionable errors when auth sign-in fails", async () => { + const rootDir = await createTempRepo(); + const harness = createHarness({ + rootDir, + initialConvexEnv: [ + 'CONVEX_DEPLOYMENT="dev:existing"', + 'CONVEX_URL="https://existing.convex.cloud"', + ].join("\n"), + backendEnv: { + JWT_PRIVATE_KEY: "already-configured-private-key", + JWKS: JSON.stringify({ keys: [{ use: "sig", kty: "RSA", n: "existing", e: "AQAB" }] }), + SITE_URL: "http://localhost:3000", + }, + setupState: { hasUsers: true, hasWorkspaces: true }, + workspaces: [{ _id: "workspace_active", name: "Active Workspace", role: "admin" }], + authError: "Invalid credentials", + }); + + await assert.rejects( + () => + runSetup( + { + adminEmail: "admin@example.com", + adminPassword: "wrong-password", + nonInteractive: true, + skipDev: true, + }, + harness.runtime + ), + (error) => { + assert.ok(error instanceof SetupError); + assert.match(error.summary, /Invalid credentials/i); + assert.match(error.why, /Convex Auth password sign-in\/sign-up path/i); + assert.ok(error.fix.some((step) => /existing admin account/i.test(step))); + return true; + } + ); +}); + +test("generateJwtKeyPair returns a Convex Auth compatible key pair shape", () => { + const pair = generateJwtKeyPair(); + assert.match(pair.JWT_PRIVATE_KEY, /^-----BEGIN PRIVATE KEY-----/); + assert.match(pair.JWT_PRIVATE_KEY, /-----END PRIVATE KEY-----$/); + + const jwks = JSON.parse(pair.JWKS); + assert.equal(Array.isArray(jwks.keys), true); + assert.equal(jwks.keys.length, 1); + assert.equal(jwks.keys[0].use, "sig"); + assert.equal(jwks.keys[0].kty, "RSA"); + assert.equal(jwks.keys[0].e, "AQAB"); + assert.equal(typeof jwks.keys[0].n, "string"); +}); + +test("update-env writes all local targets without deleting unrelated keys or comments", async () => { + const rootDir = await createTempRepo(); + await fs.writeFile( + path.join(rootDir, "apps/landing/.env.local"), + ["# Manual landing note", 'NEXT_PUBLIC_WIDGET_URL="https://cdn.example/widget.js"'].join("\n") + + "\n", + "utf8" + ); + + const runtime = { + rootDir, + output: { + isTTY: false, + write() {}, + }, + ui: { + async close() {}, + }, + log() {}, + warn() {}, + error() {}, + async exists(filePath) { + try { + await fs.access(filePath); + return true; + } catch { + return false; + } + }, + async readFile(filePath, encoding = "utf8") { + return fs.readFile(filePath, encoding); + }, + async writeFile(filePath, contents) { + await fs.mkdir(path.dirname(filePath), { recursive: true }); + await fs.writeFile(filePath, contents, "utf8"); + }, + }; + + await runUpdateEnv( + { + convexUrl: "https://manual.convex.cloud", + workspaceId: "workspace_sync", + nonInteractive: true, + }, + runtime + ); + + const landingContent = await fs.readFile(path.join(rootDir, "apps/landing/.env.local"), "utf8"); + const landingEnv = parseEnvContent(landingContent); + const widgetEnv = await readEnvFile(path.join(rootDir, "apps/widget/.env.local")); + const convexEnv = await readEnvFile(path.join(rootDir, "packages/convex/.env.local")); + + assert.match(landingContent, /# Manual landing note/); + assert.match(landingContent, /NEXT_PUBLIC_WIDGET_URL="https:\/\/cdn.example\/widget.js"/); + assert.equal(landingEnv.NEXT_PUBLIC_CONVEX_URL, "https://manual.convex.cloud"); + assert.equal(landingEnv.NEXT_PUBLIC_WORKSPACE_ID, "workspace_sync"); + assert.equal(widgetEnv.VITE_WORKSPACE_ID, "workspace_sync"); + assert.equal(convexEnv.E2E_BACKEND_URL, "https://manual.convex.cloud"); + assert.equal(convexEnv.WORKSPACE_ID, "workspace_sync"); +}); + +test("mergeEnvFileContent updates managed keys in place and appends missing ones once", () => { + const merged = mergeEnvFileContent( + ["# Existing", 'KEEP_ME="1"', 'NEXT_PUBLIC_CONVEX_URL="old"'].join("\n") + "\n", + { + NEXT_PUBLIC_CONVEX_URL: "https://fresh.convex.cloud", + NEXT_PUBLIC_TEST_WORKSPACE_ID: "workspace_123", + }, + "Managed block" + ); + + const env = parseEnvContent(merged); + assert.match(merged, /# Existing/); + assert.match(merged, /KEEP_ME="1"/); + assert.equal(env.NEXT_PUBLIC_CONVEX_URL, "https://fresh.convex.cloud"); + assert.equal(env.NEXT_PUBLIC_TEST_WORKSPACE_ID, "workspace_123"); + assert.equal((merged.match(/Managed block/g) || []).length, 1); +}); diff --git a/scripts/update-env.sh b/scripts/update-env.sh index 35f859f..1943a8b 100755 --- a/scripts/update-env.sh +++ b/scripts/update-env.sh @@ -1,133 +1,20 @@ #!/bin/bash -set -e +set -euo pipefail -# Colors for output -RED='\033[0;31m' -GREEN='\033[0;32m' -YELLOW='\033[1;33m' -BLUE='\033[0;34m' -NC='\033[0m' # No Color - -# Script directory SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" ROOT_DIR="$(dirname "$SCRIPT_DIR")" -echo -e "${BLUE}Opencom Environment Update Script${NC}" -echo "" - -# Parse arguments -CONVEX_URL="" -WORKSPACE_ID="" - -while [[ $# -gt 0 ]]; do - case $1 in - --url) - CONVEX_URL="$2" - shift 2 - ;; - --workspace) - WORKSPACE_ID="$2" - shift 2 - ;; - -h|--help) - echo "Usage: ./update-env.sh [options]" - echo "" - echo "Options:" - echo " --url URL Convex deployment URL" - echo " --workspace ID Workspace ID" - echo " -h, --help Show this help message" - echo "" - echo "If options are not provided, you will be prompted for values." - exit 0 - ;; - *) - echo -e "${RED}Unknown option: $1${NC}" - exit 1 - ;; - esac -done - -# Prompt for values if not provided -if [ -z "$CONVEX_URL" ]; then - # Try to get current value - CURRENT_URL="" - if [ -f "$ROOT_DIR/apps/web/.env.local" ]; then - CURRENT_URL=$(grep "CONVEX_URL" "$ROOT_DIR/apps/web/.env.local" | cut -d'=' -f2 | head -1) - fi - - if [ -n "$CURRENT_URL" ]; then - read -p "Enter Convex URL [$CURRENT_URL]: " CONVEX_URL - CONVEX_URL=${CONVEX_URL:-$CURRENT_URL} - else - read -p "Enter Convex URL: " CONVEX_URL - fi -fi - -if [ -z "$WORKSPACE_ID" ]; then - # Try to get current value - CURRENT_WORKSPACE="" - if [ -f "$ROOT_DIR/apps/widget/.env.local" ]; then - CURRENT_WORKSPACE=$(grep "WORKSPACE_ID" "$ROOT_DIR/apps/widget/.env.local" | cut -d'=' -f2 | head -1) - fi - - if [ -n "$CURRENT_WORKSPACE" ]; then - read -p "Enter Workspace ID [$CURRENT_WORKSPACE]: " WORKSPACE_ID - WORKSPACE_ID=${WORKSPACE_ID:-$CURRENT_WORKSPACE} - else - read -p "Enter Workspace ID: " WORKSPACE_ID - fi +if ! command -v node >/dev/null 2>&1; then + echo "Error: node is required. Install Node.js 18+ and rerun ./scripts/update-env.sh." >&2 + exit 1 fi -if [ -z "$CONVEX_URL" ] || [ -z "$WORKSPACE_ID" ]; then - echo -e "${RED}Error: Both Convex URL and Workspace ID are required${NC}" +NODE_VERSION="$(node -v)" +NODE_MAJOR="$(printf '%s\n' "$NODE_VERSION" | sed 's/^v//' | cut -d. -f1)" +if ! [[ "$NODE_MAJOR" =~ ^[0-9]+$ ]] || [ "${NODE_MAJOR}" -lt 18 ]; then + echo "Error: Node.js 18+ is required. Found ${NODE_VERSION:-unknown}. Install Node.js 18+ and rerun ./scripts/update-env.sh." >&2 exit 1 fi -echo "" -echo -e "${YELLOW}Updating environment files...${NC}" - -cd "$ROOT_DIR" - -# Update or create apps/web/.env.local -cat > apps/web/.env.local << EOF -NEXT_PUBLIC_CONVEX_URL=$CONVEX_URL -NEXT_PUBLIC_OPENCOM_DEFAULT_BACKEND_URL=$CONVEX_URL -EOF -echo -e " ${GREEN}✓${NC} Updated apps/web/.env.local" - -# Update or create apps/widget/.env.local -cat > apps/widget/.env.local << EOF -VITE_CONVEX_URL=$CONVEX_URL -VITE_WORKSPACE_ID=$WORKSPACE_ID -EOF -echo -e " ${GREEN}✓${NC} Updated apps/widget/.env.local" - -# Update or create apps/mobile/.env.local -cat > apps/mobile/.env.local << EOF -EXPO_PUBLIC_OPENCOM_DEFAULT_BACKEND_URL=$CONVEX_URL -EXPO_PUBLIC_CONVEX_URL=$CONVEX_URL -EXPO_PUBLIC_WORKSPACE_ID=$WORKSPACE_ID -EOF -echo -e " ${GREEN}✓${NC} Updated apps/mobile/.env.local" - -# Update or create packages/react-native-sdk/example/.env.local -cat > packages/react-native-sdk/example/.env.local << EOF -EXPO_PUBLIC_CONVEX_URL=$CONVEX_URL -EXPO_PUBLIC_WORKSPACE_ID=$WORKSPACE_ID -EOF -echo -e " ${GREEN}✓${NC} Updated packages/react-native-sdk/example/.env.local" - -# Update or create packages/convex/.env.local -cat > packages/convex/.env.local << EOF -CONVEX_URL=$CONVEX_URL -EOF -echo -e " ${GREEN}✓${NC} Updated packages/convex/.env.local" - -echo "" -echo -e "${GREEN}Environment files updated successfully!${NC}" -echo "" -echo -e "${BLUE}Configuration:${NC}" -echo -e " Convex URL: $CONVEX_URL" -echo -e " Workspace ID: $WORKSPACE_ID" -echo "" +exec node "$ROOT_DIR/scripts/update-local-env.js" "$@" diff --git a/scripts/update-local-env.js b/scripts/update-local-env.js new file mode 100644 index 0000000..8945553 --- /dev/null +++ b/scripts/update-local-env.js @@ -0,0 +1,7 @@ +"use strict"; + +const { runUpdateEnvCli } = require("./local-convex-setup"); + +runUpdateEnvCli(process.argv.slice(2)).then((code) => { + process.exitCode = code; +}); diff --git a/skills-lock.json b/skills-lock.json new file mode 100644 index 0000000..9451d83 --- /dev/null +++ b/skills-lock.json @@ -0,0 +1,30 @@ +{ + "version": 1, + "skills": { + "convex-create-component": { + "source": "get-convex/agent-skills", + "sourceType": "github", + "computedHash": "d110fca7f65b4919367e6fc63a93bf54abea2cf5e4e097234c947559ffa6e527" + }, + "convex-migration-helper": { + "source": "get-convex/agent-skills", + "sourceType": "github", + "computedHash": "46d1ac354eefbed05e1367d828e893816c13302276080bfaf6bcd828281be486" + }, + "convex-performance-audit": { + "source": "get-convex/agent-skills", + "sourceType": "github", + "computedHash": "30ea0d3c259df011e44ea9b70502ab272f5ac3bd1fb3672ae18489ba99b2c4ae" + }, + "convex-quickstart": { + "source": "get-convex/agent-skills", + "sourceType": "github", + "computedHash": "8ae9e1b02f526ea65e7895fac82af74142cd8e70e364d9dae9dbf79a296fb5ef" + }, + "convex-setup-auth": { + "source": "get-convex/agent-skills", + "sourceType": "github", + "computedHash": "e719d31d1ab0d19ca7b942d1154d3ff436b5c156900eea9866c2aaeb910a1388" + } + } +}