@digilogiclabs/create-saas-app 2.1.0 → 2.2.1

package/dist/templates/shared/utils/web/lib/utils.ts

@@ -0,0 +1,85 @@
+import { type ClassValue, clsx } from 'clsx';
+import { twMerge } from 'tailwind-merge';
+
+/** Merge Tailwind classes with conflict resolution */
+export function cn(...inputs: ClassValue[]) {
+  return twMerge(clsx(inputs));
+}
+
+/** Format currency with locale support */
+export function formatCurrency(amount: number, currency = 'USD', locale = 'en-US'): string {
+  return new Intl.NumberFormat(locale, { style: 'currency', currency }).format(amount);
+}
+
+/** Format date with locale support */
+export function formatDate(date: Date | string, options?: Intl.DateTimeFormatOptions): string {
+  const d = typeof date === 'string' ? new Date(date) : date;
+  return d.toLocaleDateString(
+    'en-US',
+    options || { year: 'numeric', month: 'long', day: 'numeric' }
+  );
+}
+
+/** Get relative time string (e.g., "2 hours ago", "in 3 days") */
+export function getRelativeTime(date: Date | string): string {
+  const d = typeof date === 'string' ? new Date(date) : date;
+  const now = new Date();
+  const diffMs = now.getTime() - d.getTime();
+  const diffSec = Math.floor(diffMs / 1000);
+  const diffMin = Math.floor(diffSec / 60);
+  const diffHour = Math.floor(diffMin / 60);
+  const diffDay = Math.floor(diffHour / 24);
+
+  if (diffSec < 60) return 'just now';
+  if (diffMin < 60) return `${diffMin}m ago`;
+  if (diffHour < 24) return `${diffHour}h ago`;
+  if (diffDay < 7) return `${diffDay}d ago`;
+  if (diffDay < 30) return `${Math.floor(diffDay / 7)}w ago`;
+  return formatDate(d, {
+    month: 'short',
+    day: 'numeric',
+    year: diffDay > 365 ? 'numeric' : undefined,
+  });
+}
+
+/** Truncate text with ellipsis */
+export function truncate(text: string, maxLength: number): string {
+  if (text.length <= maxLength) return text;
+  return text.slice(0, maxLength).trimEnd() + '...';
+}
+
+/** Get initials from a name (e.g., "John Doe" → "JD") */
+export function getInitials(name: string, maxChars = 2): string {
+  return name
+    .split(' ')
+    .filter(Boolean)
+    .map((part) => part[0]?.toUpperCase() || '')
+    .slice(0, maxChars)
+    .join('');
+}
+
+/** Debounce a function */
+export function debounce<T extends (...args: unknown[]) => unknown>(
+  fn: T,
+  delayMs: number
+): (...args: Parameters<T>) => void {
+  let timer: ReturnType<typeof setTimeout>;
+  return (...args: Parameters<T>) => {
+    clearTimeout(timer);
+    timer = setTimeout(() => fn(...args), delayMs);
+  };
+}
+
+/** Sleep for a given number of milliseconds */
+export function sleep(ms: number): Promise<void> {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+/** Safely parse JSON, returning null on failure */
+export function safeJsonParse<T = unknown>(json: string): T | null {
+  try {
+    return JSON.parse(json) as T;
+  } catch {
+    return null;
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@digilogiclabs/create-saas-app",
-  "version": "2.1.0",
+  "version": "2.2.1",
   "description": "Create modern SaaS applications with DLL Platform - tier-aware scaffolding with platform-core and app-sdk",
   "main": "dist/cli/index.js",
   "bin": {
@@ -38,12 +38,13 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/DigiLogicLabs/create-saas-app.git"
+    "url": "git+https://github.com/DigiLogicLabs/dll-platform.git",
+    "directory": "packages/cli"
   },
   "bugs": {
-    "url": "https://github.com/DigiLogicLabs/create-saas-app/issues"
+    "url": "https://github.com/DigiLogicLabs/dll-platform/issues"
   },
-  "homepage": "https://github.com/DigiLogicLabs/create-saas-app#readme",
+  "homepage": "https://github.com/DigiLogicLabs/dll-platform/tree/main/packages/cli#readme",
   "files": [
     "dist",
     "bin",

package/src/templates/shared/admin/web/app/admin/layout.tsx

@@ -0,0 +1,34 @@
+import { redirect } from 'next/navigation';
+import { auth } from '@/auth';
+import { AdminNav } from '@/components/admin-nav';
+
+/**
+ * Admin layout with authentication guard.
+ *
+ * Protects all /admin/* routes. Requires the user to have the 'admin' role
+ * from Keycloak. Customize the role check and nav links below.
+ */
+
+export default async function AdminLayout({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
+  const session = await auth();
+
+  if (!session?.user) {
+    redirect('/api/auth/signin?callbackUrl=/admin');
+  }
+
+  const roles = (session.user as { roles?: string[] }).roles || [];
+  if (!roles.includes('admin')) {
+    redirect('/');
+  }
+
+  return (
+    <div className="mx-auto max-w-7xl px-4 py-8 sm:px-6 lg:px-8">
+      <AdminNav />
+      <main className="mt-6">{children}</main>
+    </div>
+  );
+}

package/src/templates/shared/admin/web/components/admin-nav.tsx

@@ -0,0 +1,48 @@
+'use client';
+
+import Link from 'next/link';
+import { usePathname } from 'next/navigation';
+
+/**
+ * Admin navigation component.
+ *
+ * Configuration-driven tab navigation with active state.
+ * Add your admin sections to the ADMIN_LINKS array below.
+ */
+
+const ADMIN_LINKS = [
+  { href: '/admin', label: 'Dashboard' },
+  { href: '/admin/users', label: 'Users' },
+  { href: '/admin/settings', label: 'Settings' },
+];
+
+export function AdminNav() {
+  const pathname = usePathname();
+
+  return (
+    <nav className="border-b border-gray-200 dark:border-gray-800">
+      <div className="flex gap-1">
+        {ADMIN_LINKS.map((link) => {
+          const isActive =
+            link.href === '/admin'
+              ? pathname === '/admin'
+              : pathname.startsWith(link.href);
+
+          return (
+            <Link
+              key={link.href}
+              href={link.href}
+              className={`rounded-t-lg px-4 py-2.5 text-sm font-medium transition-colors ${
+                isActive
+                  ? 'border-b-2 border-blue-600 text-blue-600 dark:text-blue-400'
+                  : 'text-gray-600 hover:text-gray-900 dark:text-gray-400 dark:hover:text-gray-200'
+              }`}
+            >
+              {link.label}
+            </Link>
+          );
+        })}
+      </div>
+    </nav>
+  );
+}

package/src/templates/shared/audit/web/lib/audit.ts

@@ -0,0 +1,24 @@
+/**
+ * Audit logging for admin/security-sensitive actions.
+ *
+ * Uses createAuditLogger from platform-core/auth. Currently console-only
+ * (structured logs to stdout). Persistence (Redis/DB) can be added later
+ * by providing a `persist` callback.
+ */
+import 'server-only';
+import { createAuditLogger, StandardAuditActions } from '@digilogiclabs/platform-core/auth';
+
+/** App-specific audit actions extending the standard set. */
+export const AppAuditActions = {
+  ...StandardAuditActions,
+
+  // Add your app-specific actions here:
+  // USER_ROLE_CHANGED: 'app.user.role_changed',
+  // SUBSCRIPTION_CREATED: 'app.subscription.created',
+} as const;
+
+/**
+ * Audit logger instance.
+ * Console-only persistence — logs structured events to stdout.
+ */
+export const audit = createAuditLogger();

package/src/templates/shared/auth/keycloak/web/app/api/auth/federated-logout/route.ts

@@ -0,0 +1,173 @@
+/**
+ * Federated Logout Route
+ *
+ * Handles proper logout from both Auth.js and Keycloak.
+ * Ensures the Keycloak session is cleared so users aren't auto-logged-in
+ * when they try to sign in again.
+ *
+ * Flow:
+ * 1. Get the id_token from the Auth.js session
+ * 2. Return an HTML page with Set-Cookie headers to clear all auth cookies
+ * 3. The HTML page auto-redirects to Keycloak's logout endpoint
+ * 4. Keycloak clears its session and redirects back to the app
+ *
+ * Returns HTML (200) instead of 307 redirect because browsers may not
+ * reliably process Set-Cookie headers on redirect responses.
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { auth } from '@/auth';
+import { getToken } from 'next-auth/jwt';
+
+/** Serialize a Set-Cookie header string for cookie deletion. */
+function expireCookie(
+  name: string,
+  options?: { domain?: string; secure?: boolean; hostPrefix?: boolean }
+): string {
+  const parts = [
+    `${name}=`,
+    'Path=/',
+    'Expires=Thu, 01 Jan 1970 00:00:00 GMT',
+    'Max-Age=0',
+    'SameSite=Lax',
+  ];
+  if (options?.hostPrefix) {
+    parts.push('Secure');
+  } else {
+    parts.push('HttpOnly');
+    if (options?.domain) parts.push(`Domain=${options.domain}`);
+    if (options?.secure) parts.push('Secure');
+  }
+  return parts.join('; ');
+}
+
+/** Validate callback URL to prevent open redirect attacks. */
+function isAllowedCallbackUrl(url: string, baseUrl: string): boolean {
+  if (url.startsWith('/') && !url.startsWith('//')) return true;
+  try {
+    const parsed = new URL(url);
+    const base = new URL(baseUrl);
+    const allowedHosts = [base.hostname, `www.${base.hostname}`];
+    if (base.hostname.startsWith('www.')) {
+      allowedHosts.push(base.hostname.slice(4));
+    }
+    return allowedHosts.includes(parsed.hostname);
+  } catch {
+    return false;
+  }
+}
+
+export async function GET(request: NextRequest) {
+  const session = await auth();
+  const searchParams = request.nextUrl.searchParams;
+  const rawCallbackUrl = searchParams.get('callbackUrl') || '/';
+  const queryIdToken = searchParams.get('id_token_hint');
+
+  const baseUrl = process.env.NEXTAUTH_URL || process.env.AUTH_URL || 'http://localhost:3000';
+  const callbackUrl = isAllowedCallbackUrl(rawCallbackUrl, baseUrl) ? rawCallbackUrl : '/';
+  const postLogoutRedirectUri = callbackUrl.startsWith('http')
+    ? callbackUrl
+    : `${baseUrl}${callbackUrl}`;
+
+  const keycloakIssuer = process.env.AUTH_KEYCLOAK_ISSUER;
+  if (!keycloakIssuer) {
+    console.error('[Federated Logout] Missing AUTH_KEYCLOAK_ISSUER');
+    return NextResponse.redirect(
+      new URL('/api/auth/signout?callbackUrl=' + encodeURIComponent(callbackUrl), request.url)
+    );
+  }
+
+  // Revoke refresh token (best-effort)
+  const jwtToken = await getToken({ req: request });
+  const refreshToken = jwtToken?.refreshToken as string | undefined;
+  if (refreshToken) {
+    try {
+      await fetch(`${keycloakIssuer}/protocol/openid-connect/revoke`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+          token: refreshToken,
+          token_type_hint: 'refresh_token',
+          ...(process.env.AUTH_KEYCLOAK_ID && { client_id: process.env.AUTH_KEYCLOAK_ID }),
+          ...(process.env.AUTH_KEYCLOAK_SECRET && {
+            client_secret: process.env.AUTH_KEYCLOAK_SECRET,
+          }),
+        }),
+      });
+    } catch {
+      // Best-effort — don't block logout
+    }
+  }
+
+  // Build Keycloak logout URL
+  const logoutUrl = new URL(`${keycloakIssuer}/protocol/openid-connect/logout`);
+  logoutUrl.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
+  if (process.env.AUTH_KEYCLOAK_ID) {
+    logoutUrl.searchParams.set('client_id', process.env.AUTH_KEYCLOAK_ID);
+  }
+  const idToken = session?.idToken || queryIdToken;
+  if (idToken) {
+    logoutUrl.searchParams.set('id_token_hint', idToken);
+  }
+
+  const escapedUrl = logoutUrl
+    .toString()
+    .replace(/&/g, '&')
+    .replace(/"/g, '"')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;');
+
+  const html = `<!DOCTYPE html>
+<html><head>
+<meta charset="utf-8">
+<meta http-equiv="refresh" content="0;url=${escapedUrl}">
+<title>Signing out...</title>
+<style>body{display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;font-family:system-ui,sans-serif;background:#0a0a0a;color:#fff}p{font-size:1.1rem;opacity:0.7}</style>
+</head><body>
+<p>Signing out&hellip;</p>
+<script>window.location.replace(${JSON.stringify(logoutUrl.toString()).replace(/</g, '\\u003c')});</script>
+</body></html>`;
+
+  const response = new NextResponse(html, {
+    status: 200,
+    headers: {
+      'Content-Type': 'text/html; charset=utf-8',
+      'Cache-Control': 'no-store, no-cache, must-revalidate',
+      Pragma: 'no-cache',
+    },
+  });
+
+  // Clear ALL Auth.js cookie variants
+  const isProduction = process.env.NODE_ENV === 'production';
+  const cookieNames = [
+    'authjs.session-token',
+    '__Secure-authjs.session-token',
+    'authjs.callback-url',
+    '__Secure-authjs.callback-url',
+    'authjs.csrf-token',
+    '__Secure-authjs.csrf-token',
+    'authjs.pkce.code_verifier',
+    '__Secure-authjs.pkce.code_verifier',
+    'authjs.state',
+    '__Secure-authjs.state',
+    // Legacy next-auth names
+    'next-auth.session-token',
+    '__Secure-next-auth.session-token',
+    'next-auth.callback-url',
+    '__Secure-next-auth.callback-url',
+    'next-auth.csrf-token',
+    '__Secure-next-auth.csrf-token',
+  ];
+
+  for (const name of cookieNames) {
+    const needsSecure = isProduction || name.startsWith('__Secure-');
+    response.headers.append('Set-Cookie', expireCookie(name, { secure: needsSecure }));
+  }
+
+  // __Host- prefix cookies
+  for (const name of ['__Host-authjs.csrf-token', '__Host-next-auth.csrf-token']) {
+    response.headers.append('Set-Cookie', expireCookie(name, { hostPrefix: true }));
+  }
+
+  return response;
+}

package/src/templates/shared/auth/keycloak/web/auth.config.ts

@@ -0,0 +1,84 @@
+/**
+ * Auth.js Base Configuration (Edge-compatible)
+ *
+ * This file contains ONLY Edge-runtime-compatible configuration.
+ * It is imported by middleware.ts for Edge middleware auth.
+ *
+ * Server-only code (database sync, events) lives in auth.ts which
+ * extends this config. API routes and server components use auth.ts.
+ *
+ * IMPORTANT: Do NOT add any imports of server-only modules here
+ * (ioredis, pg, nodemailer, platform-core barrel, etc.)
+ */
+
+import Keycloak from 'next-auth/providers/keycloak';
+import type { NextAuthConfig } from 'next-auth';
+import {
+  buildKeycloakCallbacks,
+  buildAuthCookies,
+  buildRedirectCallback,
+} from '@digilogiclabs/platform-core/auth';
+
+// Extend the built-in session types
+declare module 'next-auth' {
+  interface Session {
+    user: {
+      id: string;
+      email?: string | null;
+      name?: string | null;
+      image?: string | null;
+      roles?: string[]; // Keycloak realm roles
+    };
+    idToken?: string; // For federated logout
+    accessToken?: string; // For API calls
+    // refreshToken intentionally NOT exposed to client — used server-side only via getToken()
+    error?: string; // Token refresh error — client should re-authenticate
+  }
+}
+
+/** Keycloak callbacks — JWT token storage, role parsing, automatic refresh, session mapping */
+const keycloakCallbacks = buildKeycloakCallbacks({
+  issuer: process.env.AUTH_KEYCLOAK_ISSUER!,
+  clientId: process.env.AUTH_KEYCLOAK_ID!,
+  clientSecret: process.env.AUTH_KEYCLOAK_SECRET!,
+});
+
+export const authConfig: NextAuthConfig = {
+  // Trust the host in production (required for Auth.js v5 behind reverse proxy)
+  trustHost: true,
+
+  // Cookie configuration for cross-domain OIDC (www/non-www compatibility).
+  // csrfToken uses __Host- prefix which CANNOT have a Domain attribute.
+  // The federated-logout route handles clearing all cookie variants.
+  cookies: buildAuthCookies(),
+
+  providers: [
+    Keycloak({
+      clientId: process.env.AUTH_KEYCLOAK_ID!,
+      clientSecret: process.env.AUTH_KEYCLOAK_SECRET!,
+      issuer: process.env.AUTH_KEYCLOAK_ISSUER!,
+    }),
+  ],
+
+  session: {
+    strategy: 'jwt',
+    maxAge: 30 * 24 * 60 * 60, // 30 days
+  },
+
+  callbacks: {
+    ...keycloakCallbacks,
+
+    async signIn() {
+      return true;
+    },
+
+    redirect: buildRedirectCallback(),
+  },
+
+  pages: {
+    signIn: '/auth/signin',
+    error: '/auth/signin',
+  },
+
+  debug: process.env.NODE_ENV === 'development',
+};

package/src/templates/shared/auth/keycloak/web/auth.ts

@@ -0,0 +1,26 @@
+/**
+ * Auth.js Server Configuration
+ *
+ * Extends the Edge-compatible auth.config.ts with server-only features
+ * (database sync, events, etc.). This file is used by API routes and
+ * server components.
+ *
+ * Middleware uses auth.config.ts directly (Edge-compatible).
+ */
+
+import NextAuth from 'next-auth';
+import { authConfig } from './auth.config';
+
+export const { handlers, auth, signIn, signOut } = NextAuth({
+  ...authConfig,
+
+  // Server-only events — add database sync, audit logging, etc.
+  events: {
+    async signIn({ user }) {
+      // Optional: sync user to your database on sign-in
+      // const db = await getDatabase();
+      // await db.upsert('users', { id: user.id, email: user.email, name: user.name });
+      console.log(`[Auth] User signed in: ${user.email}`);
+    },
+  },
+});

package/src/templates/shared/beta/web/app/api/beta-settings/route.ts

@@ -0,0 +1,25 @@
+import { NextResponse } from 'next/server';
+
+export const dynamic = 'force-dynamic';
+
+/**
+ * GET /api/beta-settings
+ *
+ * Returns beta mode configuration. Controlled via environment variables:
+ *   BETA_MODE           - 'true'/'false' (default: true)
+ *   REQUIRE_INVITE_CODE - 'true'/'false' (default: true)
+ *   BETA_MESSAGE        - Custom message shown to users
+ */
+export async function GET() {
+  const betaMode = process.env.BETA_MODE !== 'false';
+  const requireInviteCode = process.env.REQUIRE_INVITE_CODE !== 'false';
+  const betaMessage =
+    process.env.BETA_MESSAGE ||
+    'We are currently in private beta. Enter your invite code to continue.';
+
+  return NextResponse.json({
+    betaMode,
+    requireInviteCode,
+    betaMessage,
+  });
+}

package/src/templates/shared/beta/web/app/api/validate-beta-code/route.ts

@@ -0,0 +1,67 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { enforceRateLimit, CommonRateLimits } from '@digilogiclabs/platform-core/auth';
+
+export const dynamic = 'force-dynamic';
+
+/**
+ * POST /api/validate-beta-code
+ *
+ * Validates a beta invite code against environment-defined codes.
+ * Rate limited to 5/min with 5-minute block to prevent brute force.
+ *
+ * Env vars:
+ *   BETA_CODES - Comma-separated list of valid codes (e.g. "CODE1,CODE2")
+ */
+export async function POST(request: NextRequest) {
+  // Rate limit: 5 attempts per minute, 5-minute block on exceed
+  const rateLimitResult = await enforceRateLimit(
+    request,
+    'validate-beta-code',
+    CommonRateLimits.betaValidation
+  );
+  if (rateLimitResult) return rateLimitResult;
+
+  try {
+    const body = await request.json();
+    const { code } = body;
+
+    if (!code || typeof code !== 'string') {
+      return NextResponse.json({ valid: false, message: 'Invalid code format' });
+    }
+
+    const normalizedCode = code.trim().toUpperCase();
+
+    if (normalizedCode.length < 3) {
+      return NextResponse.json({
+        valid: false,
+        message: 'Code must be at least 3 characters',
+      });
+    }
+
+    // Get valid codes from environment
+    const validCodesEnv = process.env.BETA_CODES || '';
+    const validCodes = validCodesEnv
+      .split(',')
+      .map((c) => c.trim().toUpperCase())
+      .filter(Boolean);
+
+    const allValidCodes = new Set(validCodes);
+
+    if (allValidCodes.has(normalizedCode)) {
+      return NextResponse.json({
+        valid: true,
+        message: 'Welcome to the beta! You can now continue.',
+      });
+    }
+
+    return NextResponse.json({
+      valid: false,
+      message: 'Invalid invite code. Please check your code and try again.',
+    });
+  } catch {
+    return NextResponse.json(
+      { valid: false, message: 'Unable to validate code. Please try again.' },
+      { status: 500 }
+    );
+  }
+}

package/src/templates/shared/beta/web/lib/beta/settings.ts

@@ -0,0 +1,31 @@
+/**
+ * Beta Gate Client — thin wrapper over platform-core's createBetaClient.
+ *
+ * Pattern: each app provides its own config (endpoints, storage key,
+ * fail-safe defaults). The client handles all fetch/validate/store logic.
+ *
+ * Usage in components:
+ *   import { fetchBetaSettings, validateInviteCode, storeBetaCode } from '@/lib/beta/settings'
+ */
+import { createBetaClient, type BetaClientConfig } from '@digilogiclabs/platform-core/auth';
+
+export type { BetaSettings } from '@digilogiclabs/platform-core';
+
+const betaConfig: BetaClientConfig = {
+  storageKey: 'app_beta_code',
+  settingsEndpoint: '/api/beta-settings',
+  validateEndpoint: '/api/validate-beta-code',
+  failSafeDefaults: {
+    betaMode: true,
+    requireInviteCode: true,
+    betaMessage: 'We are currently in private beta. Enter your invite code to continue.',
+  },
+};
+
+const betaClient = createBetaClient(betaConfig);
+
+export const fetchBetaSettings = betaClient.fetchSettings;
+export const validateInviteCode = betaClient.validateCode;
+export const storeBetaCode = betaClient.storeCode;
+export const getStoredBetaCode = betaClient.getStoredCode;
+export const clearStoredBetaCode = betaClient.clearStoredCode;

package/src/templates/shared/cache/web/lib/cache.ts

@@ -0,0 +1,44 @@
+/**
+ * Cache utilities — TTL presets and HTTP cache header helpers.
+ *
+ * Provides standardized cache durations and response header generation
+ * for CDN and browser caching.
+ */
+
+/** Standard cache TTL presets (in seconds) */
+export const CacheTTL = {
+  /** 5 minutes — frequently changing data */
+  SHORT: 300,
+  /** 1 hour — moderately stable data */
+  MEDIUM: 3600,
+  /** 6 hours — mostly stable data */
+  LONG: 21600,
+  /** 24 hours — rarely changing data */
+  DAY: 86400,
+  /** 7 days — static content */
+  WEEK: 604800,
+} as const;
+
+/**
+ * Generate HTTP cache headers for API responses.
+ *
+ * Returns an object suitable for NextResponse headers or Response init.
+ * Supports CDN-specific headers for Cloudflare, Vercel, and standard proxies.
+ *
+ * @param ttl - Cache duration in seconds
+ * @param revalidate - Stale-while-revalidate window in seconds (default: ttl)
+ */
+export function getCacheHeaders(ttl: number, revalidate?: number): Record<string, string> {
+  const swr = revalidate ?? ttl;
+  return {
+    'Cache-Control': `public, s-maxage=${ttl}, stale-while-revalidate=${swr}`,
+    'CDN-Cache-Control': `public, s-maxage=${ttl}, stale-while-revalidate=${swr}`,
+    'Vercel-CDN-Cache-Control': `public, s-maxage=${ttl}, stale-while-revalidate=${swr}`,
+  };
+}
+
+/** No-cache headers — prevent all caching */
+export const NO_CACHE_HEADERS: Record<string, string> = {
+  'Cache-Control': 'no-store, no-cache, must-revalidate',
+  Pragma: 'no-cache',
+};