@bloomneo/appkit 1.5.1 → 1.5.2

package/examples/storage.ts

@@ -0,0 +1,44 @@
+/**
+ * CANONICAL PATTERN — file upload + retrieval with auto-scaling backend.
+ *
+ * Copy this file when you need to store files. The same code works against
+ * local disk (default), AWS S3 (set AWS_S3_BUCKET), or Cloudflare R2
+ * (set R2_BUCKET). No code changes needed — just .env.
+ */
+
+import { storageClass, errorClass, securityClass } from '@bloomneo/appkit';
+import type { Request, Response } from 'express';
+
+const storage = storageClass.get();
+const error = errorClass.get();
+const security = securityClass.get();
+
+// ── Upload (with rate limit + filename sanitization) ────────────────
+export const uploadRoute = [
+  security.requests(10, 60_000),  // max 10 uploads per minute per IP
+  error.asyncRoute(async (req: Request & { file: any }, res: Response) => {
+    if (!req.file) throw error.badRequest('File required (use multer middleware)');
+
+    // Sanitize the filename so a malicious user can't write to ../../../etc/...
+    const safeName = security.input(req.file.originalname);
+    const key = `uploads/${Date.now()}-${safeName}`;
+
+    await storage.put(key, req.file.buffer, {
+      contentType: req.file.mimetype,
+    });
+
+    res.json({
+      key,
+      url: storage.url(key),  // public URL (or signed URL for private buckets)
+    });
+  }),
+];
+
+// ── Download (signed URL — works with private S3 buckets) ───────────
+export const downloadRoute = error.asyncRoute(async (req, res) => {
+  const key = req.params.key;
+  if (!(await storage.exists(key))) throw error.notFound('File not found');
+
+  const signedUrl = await storage.signedUrl(key, 3600);  // valid for 1 hour
+  res.json({ url: signedUrl });
+});

package/examples/util.ts

@@ -0,0 +1,47 @@
+/**
+ * CANONICAL PATTERN — small zero-dependency utility helpers.
+ *
+ * Copy this file when you need any of the util methods. These are the
+ * common Node.js helpers that get reinvented in every project — appkit
+ * ships them once with consistent semantics.
+ *
+ * Public methods: get, isEmpty, slugify, chunk, debounce, pick,
+ *                 unique, clamp, formatBytes, truncate, sleep, uuid
+ */
+
+import { utilClass } from '@bloomneo/appkit';
+
+const util = utilClass.get();
+
+// ── Safe deep property access (read-only) ───────────────────────────
+const obj = { a: { b: { c: 42 } } };
+const value = util.get(obj, 'a.b.c', 0);              // → 42
+const missing = util.get(obj, 'a.b.x.y', 'default');  // → 'default' (safe)
+// Note: there is no util.set() — use plain assignment for mutation.
+
+// ── Subset ──────────────────────────────────────────────────────────
+const user = { id: 1, email: 'a@b', password: 'secret', role: 'admin' };
+const minimal = util.pick(user, ['id', 'email']);     // → { id, email }
+// Note: there is no util.omit() — use util.pick() with the keys you want to keep.
+
+// ── Array helpers ───────────────────────────────────────────────────
+const items = [1, 2, 3, 4, 5, 6, 7, 8, 9];
+const batches = util.chunk(items, 3);                 // → [[1,2,3], [4,5,6], [7,8,9]]
+const deduped = util.unique([1, 2, 2, 3, 3]);         // → [1, 2, 3]
+
+// ── Function helpers ────────────────────────────────────────────────
+const debouncedSearch = util.debounce((q: string) => {
+  // ...api call
+}, 300);
+// Note: there is no util.throttle() — use util.debounce() for rate-limiting calls.
+
+// ── Misc ────────────────────────────────────────────────────────────
+const id = util.uuid();                               // → 'a1b2c3d4-...'
+const slug = util.slugify('My Awesome Post!');        // → 'my-awesome-post'
+const size = util.formatBytes(1_572_864);             // → '1.5 MB'
+const clamped = util.clamp(150, 0, 100);              // → 100
+const short = util.truncate('A very long string', 10); // → 'A very lon...'
+
+await util.sleep(100);                                // → wait 100ms
+
+export { value, missing, minimal, batches, deduped, id, slug, size, clamped, short };

package/llms.txt

@@ -0,0 +1,591 @@
+# @bloomneo/appkit — full reference
+
+> Machine-readable API reference for AI coding agents.
+> For **rules** (what to always/never do), read [`AGENTS.md`](./AGENTS.md) in this directory first.
+> Both files ship with the package at `node_modules/@bloomneo/appkit/`.
+
+## Setup (every project)
+
+```ts
+// 1. Install
+//    npm install @bloomneo/appkit
+
+// 2. Set env vars in .env (minimum)
+//    BLOOM_AUTH_SECRET=<min 32 chars>
+//    DATABASE_URL=postgresql://...
+
+// 3. Import what you need (the canonical pattern is one xxxClass per module)
+import {
+  authClass,
+  databaseClass,
+  errorClass,
+  loggerClass,
+  cacheClass,
+  storageClass,
+  queueClass,
+  emailClass,
+  eventClass,
+  configClass,
+  securityClass,
+  utilClass,
+} from '@bloomneo/appkit';
+
+// 4. Get instances at module scope (NEVER inside route handlers)
+const auth = authClass.get();
+const database = await databaseClass.get();
+const error = errorClass.get();
+const logger = loggerClass.get('my-app');
+```
+
+## Universal pattern
+
+Every module is `xxxClass.get()`. There are **no exceptions**, no constructors,
+no factories with custom names. If you remember one rule, it's this one.
+
+```ts
+const auth = authClass.get();           // synchronous
+const database = await databaseClass.get(); // async (initializes connection)
+const cache = cacheClass.get('users');  // optional namespace param
+const logger = loggerClass.get('api');  // optional component param
+```
+
+---
+
+## Module 1 — Auth (`@bloomneo/appkit/auth`)
+
+JWT tokens, role.level permissions, Express middleware. Two token types:
+**login tokens** (humans) and **API tokens** (services/webhooks).
+
+### Methods (verified by src/auth/auth.test.ts — 47/47 passing)
+
+```ts
+const auth = authClass.get();
+
+// Token generation — these are the ONLY two public token-creation methods.
+// (`signToken` is a private internal — never call it from consumer code.)
+auth.generateLoginToken(payload, expiresIn?: string): string
+//   payload: { userId: number, role: string, level: string, permissions?: string[] }
+//   default expiresIn: '7d'
+
+auth.generateApiToken(payload, expiresIn?: string): string
+//   payload: { keyId: string, role: string, level: string, permissions?: string[] }
+//   default expiresIn: '1y'
+
+// Token verification — handles BOTH login and API tokens. Throws on bad token.
+auth.verifyToken(token: string): JwtPayload
+
+// Password hashing
+auth.hashPassword(plain: string, rounds?: number): Promise<string>
+auth.comparePassword(plain: string, hash: string): Promise<boolean>  // never throws
+
+// Express middleware factories — return ExpressMiddleware functions
+auth.requireLoginToken(options?): ExpressMiddleware       // user authentication
+auth.requireApiToken(options?): ExpressMiddleware         // API token authentication
+auth.requireUserRoles(['admin.tenant']): ExpressMiddleware       // role check (OR within array)
+auth.requireUserRoles(['admin.tenant', 'admin.org']): ExpressMiddleware
+auth.requireUserPermissions(['manage:users']): ExpressMiddleware // permission check (AND within array)
+
+// Request helpers
+auth.user(req: ExpressRequest): JwtPayload | null   // null-safe extract from req.user OR req.token
+auth.hasRole(userRoleLevel: string, requiredRoleLevel: string): boolean   // inheritance-aware
+auth.can(user: JwtPayload, permission: string): boolean   // permission inheritance
+```
+
+### Middleware chaining rules
+
+- `requireLoginToken()` MUST come first on user routes — it sets `req.user` for downstream.
+- `requireUserRoles([...])` and `requireUserPermissions([...])` chain AFTER `requireLoginToken()`.
+  Never use them standalone, never on API token routes (API tokens don't have user roles).
+- `requireApiToken()` is for SERVICE routes only. Use it alone — never chain `requireUserRoles`
+  after it.
+
+### Role hierarchy (9 levels, automatic inheritance)
+
+The default hierarchy ships with these 9 role.level values:
+
+```
+Level 1: user.basic
+Level 2: user.pro       (NOT 'user.premium')
+Level 3: user.max       (NOT 'user.enterprise')
+Level 4: moderator.review
+Level 5: moderator.approve
+Level 6: moderator.manage
+Level 7: admin.tenant
+Level 8: admin.org
+Level 9: admin.system
+```
+
+`requireUserRoles(['admin.tenant'])` accepts `admin.tenant`, `admin.org`, AND `admin.system`
+via inheritance. To register additional roles, set the `BLOOM_AUTH_ROLES` env var:
+
+```bash
+BLOOM_AUTH_ROLES=user.basic:1,user.pro:2,...,service.webhook:10
+```
+
+If you call `generateLoginToken({ role: 'service', level: 'webhook' })` without
+registering the role, you get `Error: Invalid role.level: "service.webhook"` at runtime.
+
+### Example — login flow
+
+```ts
+import { authClass, databaseClass, errorClass } from '@bloomneo/appkit';
+
+const auth = authClass.get();
+const database = await databaseClass.get();
+const error = errorClass.get();
+
+app.post('/auth/login', error.asyncRoute(async (req, res) => {
+  const { email, password } = req.body ?? {};
+  if (!email || !password) throw error.badRequest('Email and password required');
+
+  const user = await database.user.findUnique({ where: { email } });
+  if (!user) throw error.unauthorized('Invalid credentials');
+
+  const valid = await auth.comparePassword(password, user.password);
+  if (!valid) throw error.unauthorized('Invalid credentials');
+
+  const token = auth.generateLoginToken({
+    userId: user.id,
+    role: user.role,
+    level: user.level,
+  });
+  res.json({ token, user: { id: user.id, email: user.email } });
+}));
+```
+
+### Example — protected admin route
+
+```ts
+app.delete(
+  '/admin/users/:id',
+  auth.requireLoginToken(),                    // 1. authenticate
+  auth.requireUserRoles(['admin.tenant']),     // 2. authorize (chained)
+  error.asyncRoute(async (req, res) => {
+    const me = auth.user(req);                 // null-safe; non-null after middleware
+    if (!me) throw error.unauthorized();
+    await database.user.delete({ where: { id: Number(req.params.id) } });
+    res.json({ deleted: true });
+  })
+);
+```
+
+---
+
+## Module 2 — Database (`@bloomneo/appkit/database`)
+
+Multi-tenant Prisma/Mongoose with automatic tenant filtering.
+
+### Methods
+
+```ts
+const database = await databaseClass.get();
+// `database` is the Prisma client, scoped to current tenant
+
+// Tenant management (when BLOOM_DB_TENANT=auto)
+database.user.findMany()                          // auto-filtered by tenant_id
+database.user.create({ data: {...} })             // auto-stamps tenant_id
+
+// Cross-tenant queries (admin only)
+const dbAll = await databaseClass.getTenants();   // unfiltered, all tenants
+dbAll.user.groupBy({ by: ['tenant_id'], _count: true })
+
+// Org-level (multi-org SaaS)
+const acmeDb = await databaseClass.org('acme').get();  // ORG_ACME=postgresql://acme.../prod
+```
+
+### Required env
+
+```bash
+DATABASE_URL=postgresql://...        # required
+BLOOM_DB_TENANT=auto              # optional, enables multi-tenant filtering
+ORG_<NAME>=postgresql://...          # optional, enables per-org databases
+```
+
+---
+
+## Module 3 — Security (`@bloomneo/appkit/security`)
+
+CSRF protection, rate limiting, AES-256-GCM encryption, input sanitization.
+
+### Methods
+
+```ts
+const security = securityClass.get();
+
+// Rate limiting middleware
+security.requests(maxRequests: number, windowMs: number)
+// e.g. security.requests(100, 900000) → 100 req per 15 min per IP
+
+// CSRF protection middleware — ONE method that does both injection AND validation.
+// Mount once on HTML form routes. No separate requireCsrf() — forms() handles it.
+security.forms(): ExpressMiddleware
+
+// Encryption
+security.encrypt(plaintext: string): string   // AES-256-GCM
+security.decrypt(ciphertext: string): string
+
+// Input sanitization (strip XSS + control chars — NOT email/URL validation)
+security.input(value: string): string
+security.html(value: string): string          // strip disallowed HTML tags, keep safe ones
+security.escape(value: string): string        // escape HTML special chars (&, <, >, etc.)
+
+// NOTE: there is no security.email() or security.url() — use zod or validator.js for those.
+```
+
+### Required env
+
+```bash
+BLOOM_SECURITY_CSRF_SECRET=<min 32 chars>
+BLOOM_SECURITY_ENCRYPTION_KEY=<64 hex chars for AES-256>
+```
+
+---
+
+## Module 4 — Error (`@bloomneo/appkit/error`)
+
+HTTP errors with semantic types and centralized middleware.
+
+### Methods
+
+```ts
+const error = errorClass.get();
+
+// Semantic error throwers (each sets correct HTTP status)
+throw error.badRequest('message')        // 400
+throw error.unauthorized('message')      // 401
+throw error.forbidden('message')         // 403
+throw error.notFound('message')          // 404
+throw error.conflict('message')          // 409
+throw error.tooMany('message')           // 429
+throw error.internal('message')          // 500
+
+// Async route wrapper (catches throws)
+app.get('/x', error.asyncRoute(async (req, res) => {
+  if (!req.params.id) throw error.badRequest('id required');
+  // ...
+}));
+
+// Error-handling middleware (mount LAST in stack)
+app.use(error.handleErrors());
+```
+
+---
+
+## Module 5 — Cache (`@bloomneo/appkit/cache`)
+
+Memory → Redis auto-scaling. Same API across both backends.
+
+### Methods
+
+```ts
+const cache = cacheClass.get();              // default 'app' namespace
+const userCache = cacheClass.get('users');   // custom namespace (isolation)
+
+await cache.set(key: string, value: any, ttlSeconds?: number)
+await cache.get<T>(key: string): Promise<T | null>
+await cache.delete(key: string): Promise<boolean>   // NOTE: delete(), NOT del()
+
+// Presence check — there is no cache.has(). Check for null instead:
+const v = await cache.get('foo');
+if (v !== null) { /* key exists */ }
+
+// THE pattern — use this 90% of the time
+await cache.getOrSet<T>(key, fetcher: () => Promise<T>, ttlSeconds?): Promise<T>
+// e.g. await cache.getOrSet('users:list', () => database.user.findMany(), 300)
+```
+
+Set `REDIS_URL` to auto-upgrade from memory to Redis. No code changes needed.
+
+---
+
+## Module 6 — Storage (`@bloomneo/appkit/storage`)
+
+Local → S3/R2 auto-scaling. Same API across all providers.
+
+### Methods
+
+```ts
+const storage = storageClass.get();
+
+await storage.put(key: string, buffer: Buffer, opts?: { contentType?: string })
+await storage.get(key: string): Promise<Buffer>
+await storage.delete(key: string): Promise<boolean>   // NOTE: delete(), NOT del()
+await storage.exists(key: string): Promise<boolean>   // NOTE: exists(), NOT has()
+await storage.list(prefix?: string, limit?: number): Promise<StorageFile[]>
+storage.url(key: string): string                      // public URL
+await storage.signedUrl(key, expiresIn?: number): Promise<string>  // presigned
+await storage.copy(sourceKey: string, destKey: string): Promise<string>
+```
+
+Set `AWS_S3_BUCKET` (or `R2_BUCKET`) to auto-upgrade from local disk to cloud.
+
+---
+
+## Module 7 — Queue (`@bloomneo/appkit/queue`)
+
+Memory → Redis → DB auto-scaling background jobs.
+
+### Methods
+
+```ts
+const queue = queueClass.get();
+
+// Enqueue immediately (or with a fixed delay)
+await queue.add(jobType: string, data: any, opts?: {
+  delay?: number;      // ms to wait before running (default 0)
+  attempts?: number;   // max retry attempts (NOTE: "attempts" not "retries")
+  priority?: number;   // lower number = higher priority
+})
+
+// Process — register a worker for a job type
+queue.process(jobType, async (data) => {
+  // return the result; throw to trigger a retry
+});
+
+// Schedule — enqueue with a delay in milliseconds (NOT a cron expression)
+await queue.schedule(jobType: string, data: any, delayMs: number): Promise<string>
+// e.g. run once 8 hours from now:
+await queue.schedule('cleanup-tokens', {}, 8 * 60 * 60 * 1000)
+// For recurring/cron jobs use a cron library (node-cron etc.) to call queue.add().
+
+// Other instance methods
+await queue.pause(jobType?: string)
+await queue.resume(jobType?: string)
+await queue.getStats(jobType?: string): Promise<QueueStats>
+await queue.retry(jobId: string)
+await queue.remove(jobId: string)
+```
+
+Memory by default; Redis when `REDIS_URL` is set.
+
+---
+
+## Module 8 — Email (`@bloomneo/appkit/email`)
+
+Console → SMTP → Resend auto-scaling. Templates supported.
+
+### Methods
+
+```ts
+const email = emailClass.get();
+
+// Send a plain or HTML email. EmailData fields:
+await email.send({
+  to: string | string[],          // required
+  subject: string,                // required
+  text?: string,                  // plain-text body
+  html?: string,                  // HTML body (send both for best deliverability)
+  from?: string,                  // override sender
+  replyTo?: string,
+  cc?: string | string[],
+  bcc?: string | string[],
+  // NOTE: there are NO "template" or "data" fields — use sendTemplate() below.
+})
+
+// Convenience shortcuts
+await email.sendText(to: string, subject: string, text: string)
+await email.sendHtml(to: string, subject: string, html: string, text?: string)
+
+// Templated email — pass the template name + all variables in one object
+await email.sendTemplate(templateName: string, data: Record<string, any>)
+// e.g. await email.sendTemplate('password-reset', { to: addr, resetLink, expiresIn: '1 hour' })
+
+await email.sendBatch(emails: EmailData[], batchSize?: number)
+```
+
+`console` strategy in dev (logs to terminal), `smtp` if `SMTP_HOST` set,
+`resend` if `RESEND_API_KEY` set.
+
+---
+
+## Module 9 — Event (`@bloomneo/appkit/event`)
+
+Memory → Redis pub/sub for distributed events. Wildcard pattern matching.
+
+### Methods
+
+```ts
+const events = eventClass.get();              // default namespace
+const userEvents = eventClass.get('users');   // namespace isolation
+
+events.on(eventName: string, handler: (data) => void | Promise<void>)
+events.on('user.*', handler)                  // wildcard
+await events.emit(eventName: string, data: any)
+events.off(eventName, handler)
+```
+
+Set `REDIS_URL` to distribute events across processes/servers.
+
+---
+
+## Module 10 — Util (`@bloomneo/appkit/util`)
+
+12 small zero-dependency helpers for common Node.js tasks.
+
+### Methods
+
+```ts
+const util = utilClass.get();
+
+util.get(obj, 'a.b.c.d', defaultValue)     // safe deep property access (read-only)
+// NOTE: there is no util.set() — use plain assignment for mutation.
+util.pick(obj, ['a', 'b', 'c'])             // subset (keep listed keys)
+// NOTE: there is no util.omit() — use util.pick() with the keys you want to keep.
+util.isEmpty(value: any): boolean           // true for null, undefined, '', [], {}
+util.chunk(array, size)                     // split into batches
+util.unique(array): any[]                   // deduplicate
+util.clamp(value, min, max): number         // clamp(150, 0, 100) → 100
+util.debounce(fn, ms)
+// NOTE: there is no util.throttle() — only debounce.
+util.sleep(ms): Promise<void>
+util.uuid(): string                         // v4 UUID
+util.slugify(text, opts?)                   // url-safe slug
+util.formatBytes(bytes): string             // "1.5 MB"
+util.truncate(text, maxLength): string      // truncate with ellipsis
+// NOTE: there is no util.retry() — implement retry with a loop or a dedicated library.
+```
+
+---
+
+## Module 11 — Config (`@bloomneo/appkit/config`)
+
+Type-safe environment variable access with validation.
+
+### Methods
+
+```ts
+// Instance methods — on the object returned by configClass.get()
+const config = configClass.get();
+
+config.get('section.key', defaultValue?)         // always returns string | undefined
+config.has('section.key'): boolean
+config.getRequired('section.key'): string        // throws if missing
+config.getMany(['KEY_A', 'KEY_B']): Record<string, string | undefined>
+config.getAll(): Record<string, string | undefined>
+
+// NOTE: getNumber() and getBoolean() do NOT exist on the config instance.
+// Parse manually:
+const port = Number(config.get('api.port') ?? 3000);
+const debug = config.get('app.debug') === 'true';
+
+// Environment helpers — on configClass directly (NOT on the instance)
+configClass.isDevelopment(): boolean
+configClass.isProduction(): boolean
+configClass.isTest(): boolean
+configClass.validateRequired(['BLOOM_AUTH_SECRET', 'DATABASE_URL'])  // throws if missing
+```
+
+`config.get('auth.secret')` reads `BLOOM_AUTH_SECRET` (and falls back to
+`BLOOM_AUTH_SECRET` for backwards compatibility, with a dev-mode warning).
+
+---
+
+## Module 12 — Logger (`@bloomneo/appkit/logger`)
+
+Multi-transport structured logging. Console → File → HTTP auto-scaling.
+
+### Methods
+
+```ts
+const logger = loggerClass.get('api');     // component-tagged
+
+logger.debug(message: string, meta?)
+logger.info(message: string, meta?)
+logger.warn(message: string, meta?)
+logger.error(message: string, meta?)
+logger.fatal(message: string, meta?)
+
+// Multi-transport — set env vars to enable
+// BLOOM_LOGGER_FILE_PATH=/var/log/app.log → file transport
+// BLOOM_LOGGER_HTTP_URL=https://logs.example.com → HTTP transport
+```
+
+---
+
+## Environment variable reference
+
+| Variable | Purpose | Required? |
+|---|---|---|
+| `BLOOM_AUTH_SECRET` | JWT signing key (min 32 chars) | yes |
+| `DATABASE_URL` | Prisma connection string | yes |
+| `BLOOM_SECURITY_CSRF_SECRET` | CSRF token signing (min 32 chars) | recommended |
+| `BLOOM_SECURITY_ENCRYPTION_KEY` | AES-256-GCM key (64 hex chars) | recommended |
+| `REDIS_URL` | Distributed cache + queue + events | optional |
+| `AWS_S3_BUCKET` | Cloud storage | optional |
+| `BLOOM_DB_TENANT` | `auto` enables multi-tenant filtering | optional |
+| `RESEND_API_KEY` | Production email | optional |
+| `SMTP_HOST` + `SMTP_USER` + `SMTP_PASS` | SMTP email | optional |
+| `BLOOM_LOGGER_FILE_PATH` | File transport for logger | optional |
+| `BLOOM_LOGGER_HTTP_URL` | HTTP transport for logger | optional |
+| `ORG_<NAME>` | Per-org database (multi-org SaaS) | optional |
+
+**No backwards compatibility.** The legacy `VOILA_*` env var prefix from
+`@voilajsx/appkit` was removed entirely in 1.5.2. There is no fallback,
+no deprecation warning, no compatibility shim. Consumers upgrading must
+rename `VOILA_FOO` → `BLOOM_FOO` in their `.env` files in one go.
+
+---
+
+## Subpath imports
+
+Each module is also available as a subpath for tree-shaking:
+
+```ts
+import { authClass } from '@bloomneo/appkit/auth';
+import { databaseClass } from '@bloomneo/appkit/database';
+import { securityClass } from '@bloomneo/appkit/security';
+import { errorClass } from '@bloomneo/appkit/error';
+import { cacheClass } from '@bloomneo/appkit/cache';
+import { storageClass } from '@bloomneo/appkit/storage';
+import { queueClass } from '@bloomneo/appkit/queue';
+import { emailClass } from '@bloomneo/appkit/email';
+import { eventClass } from '@bloomneo/appkit/event';
+import { loggerClass } from '@bloomneo/appkit/logger';
+import { configClass } from '@bloomneo/appkit/config';
+import { utilClass } from '@bloomneo/appkit/util';
+```
+
+The flat `from '@bloomneo/appkit'` import is preferred when multiple
+modules are used in the same file (most common case).
+
+---
+
+## Migration from `@voilajsx/appkit`
+
+```diff
+- import { authClass } from '@voilajsx/appkit/auth';
++ import { authClass } from '@bloomneo/appkit/auth';
+```
+
+```diff
+- VOILA_AUTH_SECRET=...
++ BLOOM_AUTH_SECRET=...
+```
+
+**BREAKING in 1.5.2:** the legacy `VOILA_*` env var prefix is gone. Rename
+every `VOILA_*` in your `.env` files to `BLOOM_*` in one go. There is no
+fallback, no deprecation warning.
+
+---
+
+## CLI
+
+```bash
+npm install -g @bloomneo/appkit
+appkit generate app myproject              # full backend scaffold
+appkit generate feature product            # basic feature
+appkit generate feature order --db         # database-enabled feature
+appkit generate feature user               # full auth system
+```
+
+For frontend + backend together, use `@bloomneo/bloom` which scaffolds both.
+
+---
+
+## Where to look next
+
+- **Rules** (always/never): `AGENTS.md` in this same directory
+- **Source code**: `dist/` (compiled TypeScript with .d.ts)
+- **Per-module READMEs**: `https://github.com/bloomneo/appkit/tree/main/src` (not shipped in tarball after 1.5.2 — they're verbose human-facing docs available on GitHub for browsing)
+- **CHANGELOG**: `CHANGELOG.md`
+- **Issues**: https://github.com/bloomneo/appkit/issues