Add basic frontend

Author: alukach

docker-compose.yml

@@ -181,11 +181,27 @@ services:
       - ZED_TOKEN=eoapi-secret-token
     volumes:
       - type: bind
-        source: runtime/spicedb
+        source: ./runtime/spicedb/init
         target: /home/spicedb
     depends_on:
       - spicedb
 
+  spicedb-ui:
+    build:
+      context: ./runtime/spicedb/spicedb-ui
+
+    # Set environment variables directly in the docker-compose file
+    environment:
+      ENV_VARIABLE: ${ENV_VARIABLE}
+      NEXT_PUBLIC_ENV_VARIABLE: ${NEXT_PUBLIC_ENV_VARIABLE}
+
+    volumes:
+      - ./runtime/spicedb/spicedb-ui/src:/app/src
+      - ./runtime/spicedb/spicedb-ui/public:/app/public
+    restart: always
+    ports:
+      - 3000:3000
+
 networks:
   default:
     name: eoapi-network

runtime/spicedb/schema.zed renamed to runtime/spicedb/init/schema.zed

@@ -0,0 +1,138 @@
+schema: |-
+  definition user {}
+
+  definition anonymous_user {}
+
+  definition team {
+  	// Recursive team structure to support groups of groups
+  	relation owner: user | team#owner_or_member
+  	relation member: user
+  	permission owner_or_member = member + owner
+  }
+
+  definition collection {
+  	// Recursive collection structure to support collections of collections
+  	relation collection: collection
+  	relation owner: user | team#owner_or_member
+  	relation editor: user | team#owner_or_member
+  	relation reader: user | team#owner_or_member | user:*
+
+  	// Collection-level permissions
+  	permission read = reader + update
+  	permission update = editor + editor->owner_or_member + delete
+  	permission delete = owner + owner->owner_or_member
+  	permission make_public = delete
+  	permission transfer_ownership = owner + owner->owner_or_member
+
+  	// Item-level permissions
+  	permission add_item = update
+  }
+
+  definition item {
+  	relation collection: collection
+  	relation reader: user | team#owner_or_member | anonymous_user:*
+  	// Permissions are mostly inherited from collection, except support for one-off read permissions
+  	permission read = reader + collection->read
+  	permission update = collection->update
+  	permission delete = collection->update
+  }
+relationships: |-
+  team:super_admins#owner@user:alice
+  team:admins#owner@team:super_admins#owner_or_member
+  team:editors#owner@team:admins#owner_or_member
+  team:editors#member@user:bob
+  collection:public#owner@team:editors#owner_or_member
+  collection:public#editor@team:editors#owner_or_member
+  collection:public#reader@user:*
+  collection:private#owner@team:admins#owner_or_member
+  item:public/001#collection@collection:public
+  item:public/002#collection@collection:public
+  item:public/003#collection@collection:public
+  item:public/004#collection@collection:public
+  item:public/005#collection@collection:public
+  item:public/006#collection@collection:public
+  item:public/007#collection@collection:public
+  item:public/008#collection@collection:public
+  item:public/009#collection@collection:public
+  item:public/010#collection@collection:public
+  item:private/001#collection@collection:private
+  item:private/002#collection@collection:private
+  item:private/003#collection@collection:private
+  item:private/004#collection@collection:private
+  item:private/005#collection@collection:private
+  item:private/006#collection@collection:private
+  item:private/007#collection@collection:private
+  item:private/008#collection@collection:private
+  item:private/009#collection@collection:private
+  item:private/010#collection@collection:priva
+assertions:
+  assertTrue:
+    - collection:public#read@user:alice
+    - collection:public#read@user:0
+    - item:public/001#read@user:0
+    - collection:public#read@user:alice
+    - collection:public#add_item@user:alice
+    - collection:public#update@user:alice
+    - collection:public#delete@user:alice
+    - collection:public#add_item@user:bob
+    - collection:public#delete@user:bob
+    - collection:private#read@user:alice
+    - collection:private#add_item@user:alice
+    - item:private/001#read@user:alice
+    - item:private/001#delete@user:alice
+    - item:public/001#read@user:some-new-user
+  assertFalse:
+    - collection:private#add_item@user:bob
+    - collection:public#add_item@user:0
+    - collection:private#add_item@user:0
+    - item:private/001#delete@user:0
+    - item:private/002#read@user:0
+validation:
+  collection:private#add_item:
+    - "[team:admins#owner_or_member] is <collection:private#owner>"
+    - "[team:super_admins#owner_or_member] is <team:admins#owner>"
+    - "[user:alice] is <team:super_admins#owner>"
+  collection:private#read:
+    - "[team:admins#owner_or_member] is <collection:private#owner>"
+    - "[team:super_admins#owner_or_member] is <team:admins#owner>"
+    - "[user:alice] is <team:super_admins#owner>"
+  collection:private#transfer_ownership:
+    - "[team:admins#owner_or_member] is <collection:private#owner>"
+    - "[team:super_admins#owner_or_member] is <team:admins#owner>"
+    - "[user:alice] is <team:super_admins#owner>"
+  collection:public#add_item:
+    - "[team:admins#owner_or_member] is <team:editors#owner>"
+    - "[team:editors#owner_or_member] is <collection:public#editor>/<collection:public#owner>"
+    - "[team:super_admins#owner_or_member] is <team:admins#owner>"
+    - "[user:alice] is <team:super_admins#owner>"
+    - "[user:bob] is <team:editors#member>"
+  collection:public#delete:
+    - "[team:admins#owner_or_member] is <team:editors#owner>"
+    - "[team:editors#owner_or_member] is <collection:public#owner>"
+    - "[team:super_admins#owner_or_member] is <team:admins#owner>"
+    - "[user:alice] is <team:super_admins#owner>"
+    - "[user:bob] is <team:editors#member>"
+  collection:public#read:
+    - "[team:admins#owner_or_member] is <team:editors#owner>"
+    - "[team:editors#owner_or_member] is <collection:public#editor>/<collection:public#owner>"
+    - "[team:super_admins#owner_or_member] is <team:admins#owner>"
+    - "[user:*] is <collection:public#reader>"
+    - "[user:alice] is <team:super_admins#owner>"
+    - "[user:bob] is <team:editors#member>"
+  collection:public#transfer_ownership:
+    - "[team:admins#owner_or_member] is <team:editors#owner>"
+    - "[team:editors#owner_or_member] is <collection:public#owner>"
+    - "[team:super_admins#owner_or_member] is <team:admins#owner>"
+    - "[user:alice] is <team:super_admins#owner>"
+    - "[user:bob] is <team:editors#member>"
+  item:private/002#read:
+    - "[team:admins#owner_or_member] is <collection:private#owner>"
+    - "[team:super_admins#owner_or_member] is <team:admins#owner>"
+    - "[user:alice] is <team:super_admins#owner>"
+  item:public/001#read:
+    - "[team:admins#owner_or_member] is <team:editors#owner>"
+    - "[team:editors#owner_or_member] is <collection:public#editor>/<collection:public#owner>"
+    - "[team:super_admins#owner_or_member] is <team:admins#owner>"
+    - "[user:*] is <collection:public#reader>"
+    - "[user:alice] is <team:super_admins#owner>"
+    - "[user:bob] is <team:editors#member>"

runtime/spicedb/init/zed.yaml

@@ -0,0 +1 @@
+node_modules

runtime/spicedb/spicedb-ui/.dockerignore

@@ -0,0 +1,3 @@
+{
+  "extends": "next/core-web-vitals"
+}

runtime/spicedb/spicedb-ui/.eslintrc.json

@@ -0,0 +1,36 @@
+# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
+
+# dependencies
+/node_modules
+/.pnp
+.pnp.js
+.yarn/install-state.gz
+
+# testing
+/coverage
+
+# next.js
+/.next/
+/out/
+
+# production
+/build
+
+# misc
+.DS_Store
+*.pem
+
+# debug
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# local env files
+.env*.local
+
+# vercel
+.vercel
+
+# typescript
+*.tsbuildinfo
+next-env.d.ts

runtime/spicedb/spicedb-ui/.gitignore

@@ -0,0 +1,34 @@
+FROM node:18-alpine
+
+WORKDIR /app
+
+# Install dependencies based on the preferred package manager
+COPY package.json yarn.lock* package-lock.json* pnpm-lock.yaml* ./
+RUN \
+  if [ -f yarn.lock ]; then yarn --frozen-lockfile; \
+  elif [ -f package-lock.json ]; then npm ci; \
+  elif [ -f pnpm-lock.yaml ]; then corepack enable pnpm && pnpm i; \
+  # Allow install without lockfile, so example works even without Node.js installed locally
+  else echo "Warning: Lockfile not found. It is recommended to commit lockfiles to version control." && yarn install; \
+  fi
+
+COPY src ./src
+COPY public ./public
+COPY next.config.* .
+COPY postcss.config.js .
+COPY tailwind.config.ts .
+COPY tsconfig.json .
+
+# Next.js collects completely anonymous telemetry data about general usage. Learn more here: https://nextjs.org/telemetry
+# Uncomment the following line to disable telemetry at run time
+# ENV NEXT_TELEMETRY_DISABLED 1
+
+# Note: Don't expose ports here, Compose will handle that for us
+
+# Start Next.js in development mode based on the preferred package manager
+CMD \
+  if [ -f yarn.lock ]; then yarn dev; \
+  elif [ -f package-lock.json ]; then npm run dev; \
+  elif [ -f pnpm-lock.yaml ]; then pnpm dev; \
+  else npm run dev; \
+  fi

runtime/spicedb/spicedb-ui/Dockerfile

@@ -0,0 +1,36 @@
+This is a [Next.js](https://nextjs.org/) project bootstrapped with [`create-next-app`](https://github.com/vercel/next.js/tree/canary/packages/create-next-app).
+
+## Getting Started
+
+First, run the development server:
+
+```bash
+npm run dev
+# or
+yarn dev
+# or
+pnpm dev
+# or
+bun dev
+```
+
+Open [http://localhost:3000](http://localhost:3000) with your browser to see the result.
+
+You can start editing the page by modifying `app/page.tsx`. The page auto-updates as you edit the file.
+
+This project uses [`next/font`](https://nextjs.org/docs/basic-features/font-optimization) to automatically optimize and load Inter, a custom Google Font.
+
+## Learn More
+
+To learn more about Next.js, take a look at the following resources:
+
+- [Next.js Documentation](https://nextjs.org/docs) - learn about Next.js features and API.
+- [Learn Next.js](https://nextjs.org/learn) - an interactive Next.js tutorial.
+
+You can check out [the Next.js GitHub repository](https://github.com/vercel/next.js/) - your feedback and contributions are welcome!
+
+## Deploy on Vercel
+
+The easiest way to deploy your Next.js app is to use the [Vercel Platform](https://vercel.com/new?utm_medium=default-template&filter=next.js&utm_source=create-next-app&utm_campaign=create-next-app-readme) from the creators of Next.js.
+
+Check out our [Next.js deployment documentation](https://nextjs.org/docs/deployment) for more details.

runtime/spicedb/spicedb-ui/README.md

@@ -0,0 +1,4 @@
+/** @type {import('next').NextConfig} */
+const nextConfig = {};
+
+export default nextConfig;