npm - @digilogiclabs/create-saas-app - Versions diffs - 2.1.0 → 2.2.1 - Mend

@digilogiclabs/create-saas-app 2.1.0 → 2.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (103) hide show

package/src/templates/shared/legal/web/app/(legal)/terms/page.tsx ADDED Viewed

@@ -0,0 +1,154 @@
+import { Metadata } from 'next';
+import { LEGAL_CONFIG } from '@/lib/legal-config';
+export const metadata: Metadata = {
+  title: `Terms of Service | ${LEGAL_CONFIG.appName}`,
+  description: `Terms of Service for ${LEGAL_CONFIG.appName}. Read our terms and conditions.`,
+  alternates: {
+    canonical: `${LEGAL_CONFIG.appUrl}/terms`,
+  },
+};
+export default function TermsPage() {
+  const {
+    appName,
+    companyName,
+    appUrl,
+    supportEmail,
+    effectiveDate,
+    minimumAge,
+    jurisdiction,
+    hasPayments,
+    platformFeePercent,
+  } = LEGAL_CONFIG;
+  return (
+    <main className="min-h-screen bg-white dark:bg-gray-950">
+      <div className="mx-auto max-w-3xl px-4 py-16 sm:px-6 lg:px-8">
+        <h1 className="mb-2 text-3xl font-bold tracking-tight text-gray-900 dark:text-white">
+          Terms of Service
+        </h1>
+        <p className="mb-8 text-sm text-gray-500 dark:text-gray-400">
+          Effective: {effectiveDate}
+        </p>
+        <div className="prose prose-gray dark:prose-invert max-w-none">
+          <section>
+            <h2>1. Acceptance of Terms</h2>
+            <p>
+              By accessing or using {appName} ({appUrl}), you agree to be bound
+              by these Terms of Service. If you do not agree, do not use the
+              service.
+            </p>
+          </section>
+          {minimumAge > 0 && (
+            <section>
+              <h2>2. Age Requirement</h2>
+              <p>
+                You must be at least {minimumAge} years old to use {appName}. By
+                using this service, you represent that you meet this age
+                requirement.
+              </p>
+            </section>
+          )}
+          <section>
+            <h2>{minimumAge > 0 ? '3' : '2'}. User Accounts</h2>
+            <p>
+              You are responsible for maintaining the confidentiality of your
+              account credentials and for all activities under your account.
+              Notify us immediately of any unauthorized use.
+            </p>
+          </section>
+          <section>
+            <h2>{minimumAge > 0 ? '4' : '3'}. Acceptable Use</h2>
+            <p>You agree not to:</p>
+            <ul>
+              <li>Violate any applicable laws or regulations</li>
+              <li>
+                Upload harmful, offensive, or infringing content
+              </li>
+              <li>Attempt to access other users&apos; accounts</li>
+              <li>
+                Use automated tools to scrape or interfere with the service
+              </li>
+              <li>Impersonate any person or entity</li>
+            </ul>
+          </section>
+          {hasPayments && (
+            <section>
+              <h2>{minimumAge > 0 ? '5' : '4'}. Payments &amp; Fees</h2>
+              <p>
+                Payments are processed securely through Stripe. All fees are
+                listed at the time of purchase.
+                {Number(platformFeePercent) > 0 &&
+                  ` ${appName} charges a ${platformFeePercent}% platform fee on applicable transactions.`}
+              </p>
+              <p>
+                Refund policies are described at the point of sale. You are
+                responsible for any applicable taxes on your purchases.
+              </p>
+            </section>
+          )}
+          <section>
+            <h2>Intellectual Property</h2>
+            <p>
+              {appName} and its original content, features, and functionality
+              are owned by {companyName}. You retain ownership of content you
+              submit but grant us a license to display it as part of the
+              service.
+            </p>
+          </section>
+          <section>
+            <h2>Termination</h2>
+            <p>
+              We may suspend or terminate your account for violations of these
+              terms. You may delete your account at any time. Upon termination,
+              your right to use the service ceases immediately.
+            </p>
+          </section>
+          <section>
+            <h2>Limitation of Liability</h2>
+            <p>
+              {appName} is provided &quot;as is&quot; without warranties of any
+              kind. {companyName} shall not be liable for any indirect,
+              incidental, or consequential damages arising from your use of the
+              service.
+            </p>
+          </section>
+          <section>
+            <h2>Governing Law</h2>
+            <p>
+              These terms are governed by the laws of {jurisdiction}. Any
+              disputes shall be resolved in the courts of {jurisdiction}.
+            </p>
+          </section>
+          <section>
+            <h2>Changes to Terms</h2>
+            <p>
+              We may update these terms at any time. Continued use after changes
+              constitutes acceptance. We will notify registered users of
+              material changes via email.
+            </p>
+          </section>
+          <section>
+            <h2>Contact</h2>
+            <p>
+              Questions about these terms? Contact us at{' '}
+              <a href={`mailto:${supportEmail}`}>{supportEmail}</a>.
+            </p>
+          </section>
+        </div>
+      </div>
+    </main>
+  );
+}

package/src/templates/shared/legal/web/lib/legal-config.ts ADDED Viewed

@@ -0,0 +1,50 @@
+/**
+ * Legal page configuration.
+ *
+ * Update these values to match your app's legal details.
+ * Used by the Terms of Service and Privacy Policy pages.
+ */
+export const LEGAL_CONFIG = {
+  /** App display name */
+  appName: 'My App',
+  /** Company or entity name */
+  companyName: 'My Company',
+  /** Production URL (no trailing slash) */
+  appUrl: process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000',
+  /** Support email address */
+  supportEmail: 'support@example.com',
+  /** Privacy-specific contact email */
+  privacyEmail: 'privacy@example.com',
+  /** Date the terms/privacy were last updated */
+  effectiveDate: 'January 1, 2026',
+  /** Minimum age requirement (0 to disable) */
+  minimumAge: 18,
+  /** Jurisdiction / governing law */
+  jurisdiction: 'the United States',
+  /** Whether the app processes payments */
+  hasPayments: true,
+  /** Platform fee percentage (if applicable) */
+  platformFeePercent: '0',
+  /** Whether the app uses cookies beyond essentials */
+  usesAnalyticsCookies: true,
+  /** Third-party services used (listed in privacy policy) */
+  thirdPartyServices: [
+    'Stripe (payment processing)',
+    'Cloudflare (CDN and security)',
+    'Resend (transactional email)',
+  ],
+  /** Data retention period */
+  dataRetentionPeriod: '3 years after account deletion',
+} as const;

package/src/templates/shared/loading/web/app/loading.tsx ADDED Viewed

@@ -0,0 +1,5 @@
+import { LoadingSpinner } from '@/components/skeleton';
+export default function Loading() {
+  return <LoadingSpinner />;
+}

package/src/templates/shared/loading/web/components/skeleton.tsx ADDED Viewed

@@ -0,0 +1,95 @@
+/**
+ * Reusable skeleton loading components.
+ *
+ * Use these in loading.tsx files for consistent loading states.
+ * All components use Tailwind's animate-pulse for the shimmer effect.
+ */
+/** Base skeleton block with customizable dimensions */
+export function Skeleton({
+  className = '',
+}: {
+  className?: string;
+}) {
+  return (
+    <div
+      className={`animate-pulse rounded bg-gray-200 dark:bg-gray-800 ${className}`}
+    />
+  );
+}
+/** Skeleton for a card with title, description, and action area */
+export function CardSkeleton() {
+  return (
+    <div className="rounded-lg border border-gray-200 p-6 dark:border-gray-800">
+      <Skeleton className="mb-4 h-4 w-3/4" />
+      <Skeleton className="mb-2 h-3 w-full" />
+      <Skeleton className="mb-4 h-3 w-5/6" />
+      <Skeleton className="h-8 w-24" />
+    </div>
+  );
+}
+/** Skeleton for a grid of cards */
+export function CardGridSkeleton({ count = 6 }: { count?: number }) {
+  return (
+    <div className="grid gap-6 sm:grid-cols-2 lg:grid-cols-3">
+      {Array.from({ length: count }, (_, i) => (
+        <CardSkeleton key={i} />
+      ))}
+    </div>
+  );
+}
+/** Skeleton for a table with rows */
+export function TableSkeleton({ rows = 5 }: { rows?: number }) {
+  return (
+    <div className="space-y-3">
+      {/* Header */}
+      <div className="flex gap-4 border-b border-gray-200 pb-3 dark:border-gray-800">
+        <Skeleton className="h-4 w-1/4" />
+        <Skeleton className="h-4 w-1/3" />
+        <Skeleton className="h-4 w-1/4" />
+        <Skeleton className="h-4 w-1/6" />
+      </div>
+      {/* Rows */}
+      {Array.from({ length: rows }, (_, i) => (
+        <div key={i} className="flex gap-4 py-2">
+          <Skeleton className="h-4 w-1/4" />
+          <Skeleton className="h-4 w-1/3" />
+          <Skeleton className="h-4 w-1/4" />
+          <Skeleton className="h-4 w-1/6" />
+        </div>
+      ))}
+    </div>
+  );
+}
+/** Skeleton for a full page with hero and content */
+export function PageSkeleton() {
+  return (
+    <div className="mx-auto max-w-4xl px-4 py-8">
+      {/* Hero */}
+      <Skeleton className="mb-4 h-8 w-2/3" />
+      <Skeleton className="mb-8 h-4 w-1/2" />
+      {/* Content blocks */}
+      <div className="space-y-4">
+        <Skeleton className="h-4 w-full" />
+        <Skeleton className="h-4 w-5/6" />
+        <Skeleton className="h-4 w-4/5" />
+        <Skeleton className="h-32 w-full" />
+        <Skeleton className="h-4 w-full" />
+        <Skeleton className="h-4 w-3/4" />
+      </div>
+    </div>
+  );
+}
+/** Default loading spinner for loading.tsx files */
+export function LoadingSpinner() {
+  return (
+    <div className="flex min-h-[50vh] items-center justify-center">
+      <div className="h-8 w-8 animate-spin rounded-full border-4 border-gray-200 border-t-blue-600 dark:border-gray-700 dark:border-t-blue-400" />
+    </div>
+  );
+}

package/src/templates/shared/middleware/web/middleware.ts ADDED Viewed

@@ -0,0 +1,68 @@
+/**
+ * Next.js Middleware (Edge Runtime)
+ *
+ * IMPORTANT: This file runs in the Edge runtime. Do NOT import:
+ * - Server-only modules (ioredis, pg, nodemailer)
+ * - The main platform-core barrel (pulls in node:stream)
+ * - auth.ts (server-only) — use auth.config.ts instead
+ *
+ * Use @digilogiclabs/platform-core/auth subpath for Edge-safe imports.
+ */
+import NextAuth from 'next-auth';
+import { authConfig } from './auth.config';
+const { auth } = NextAuth(authConfig);
+// ---------------------------------------------------------------------------
+// Route definitions
+// ---------------------------------------------------------------------------
+/** Routes that require authentication */
+const protectedRoutes = ['/dashboard', '/settings', '/account'];
+/** Routes that are always public */
+const publicRoutes = ['/', '/auth/signin', '/auth/signup', '/api/health', '/api/auth'];
+/** Admin-only routes */
+const adminRoutes = ['/admin'];
+// ---------------------------------------------------------------------------
+// Middleware handler
+// ---------------------------------------------------------------------------
+export default auth((req) => {
+  const { pathname } = req.nextUrl;
+  const session = req.auth;
+  // Allow public routes and API routes
+  if (publicRoutes.some((r) => pathname.startsWith(r))) {
+    return;
+  }
+  // Allow static files and Next.js internals
+  if (pathname.startsWith('/_next') || pathname.startsWith('/favicon') || pathname.includes('.')) {
+    return;
+  }
+  // Check authentication for protected routes
+  const isProtected = protectedRoutes.some((r) => pathname.startsWith(r));
+  const isAdmin = adminRoutes.some((r) => pathname.startsWith(r));
+  if ((isProtected || isAdmin) && !session) {
+    const signInUrl = new URL('/auth/signin', req.url);
+    signInUrl.searchParams.set('callbackUrl', pathname);
+    return Response.redirect(signInUrl);
+  }
+  // Check admin role
+  if (isAdmin && session) {
+    const roles = (session.user as { roles?: string[] })?.roles || [];
+    if (!roles.includes('admin')) {
+      return Response.redirect(new URL('/dashboard', req.url));
+    }
+  }
+});
+export const config = {
+  matcher: ['/((?!_next/static|_next/image|favicon.ico|.*\\..*).*)'],
+};

package/src/templates/shared/observability/web/lib/observability.ts ADDED Viewed

@@ -0,0 +1,135 @@
+import { getClientIp } from '@digilogiclabs/platform-core/auth';
+/**
+ * Observability helpers — audit logging, error reporting, metrics.
+ *
+ * All functions are fire-and-forget (no await needed) and fail silently.
+ * Uses platform-core adapters when available, falls back to console.
+ *
+ * Customize the SERVICE_NAME and add app-specific audit actions.
+ */
+const SERVICE_NAME = 'my-app';
+// ─── Lazy Singletons ────────────────────────────────────────
+let auditLogPromise: Promise<AuditLogger> | null = null;
+interface AuditLogger {
+  log(event: AuditEvent): Promise<void>;
+}
+interface AuditEvent {
+  action: string;
+  actor: { id: string; type: string; email?: string };
+  resource?: { type: string; id?: string };
+  outcome: 'success' | 'failure' | 'blocked';
+  metadata?: Record<string, unknown>;
+  category?: string;
+  ip?: string;
+  userAgent?: string;
+}
+async function getAuditLog(): Promise<AuditLogger> {
+  if (!auditLogPromise) {
+    auditLogPromise = (async () => {
+      try {
+        const { getPlatform } = await import('@/lib/platform');
+        const platform = await getPlatform();
+        const { DatabaseAuditLog } = await import('@digilogiclabs/platform-core');
+        return new DatabaseAuditLog(platform.db, { serviceName: SERVICE_NAME });
+      } catch {
+        return {
+          log: async (event: AuditEvent) => {
+            console.log(`[Audit] ${event.action}`, JSON.stringify(event));
+          },
+        };
+      }
+    })();
+  }
+  return auditLogPromise;
+}
+// ─── Public Helpers ──────────────────────────────────────────
+/** Get user agent string from request */
+export function getUserAgent(request: Request): string {
+  return request.headers.get('user-agent') || 'unknown';
+}
+// Re-export getClientIp from platform-core
+export { getClientIp } from '@digilogiclabs/platform-core/auth';
+/** Log an audit event (fire-and-forget) */
+export function auditAction(params: {
+  action: string;
+  actorId: string;
+  actorEmail?: string;
+  resourceType?: string;
+  resourceId?: string;
+  outcome?: 'success' | 'failure' | 'blocked';
+  metadata?: Record<string, unknown>;
+  request?: Request;
+}): void {
+  const category = inferCategory(params.action);
+  getAuditLog()
+    .then((log) =>
+      log.log({
+        action: params.action,
+        actor: {
+          id: params.actorId,
+          type: params.actorId === 'system' ? 'system' : 'user',
+          email: params.actorEmail,
+        },
+        resource: params.resourceType
+          ? { type: params.resourceType, id: params.resourceId }
+          : undefined,
+        outcome: params.outcome || 'success',
+        metadata: params.metadata,
+        category,
+        ip: params.request ? getClientIp(params.request) : undefined,
+        userAgent: params.request ? getUserAgent(params.request) : undefined,
+      })
+    )
+    .catch(() => {});
+}
+/** Log an admin action */
+export function auditAdminAction(
+  params: Omit<Parameters<typeof auditAction>[0], 'action'> & { action: string }
+): void {
+  auditAction({ ...params, action: `admin.${params.action}` });
+}
+/** Log a cron job action */
+export function auditCronAction(
+  params: Omit<Parameters<typeof auditAction>[0], 'actorId'> & { action: string }
+): void {
+  auditAction({ ...params, actorId: 'system', action: `cron.${params.action}` });
+}
+/** Capture an error (fire-and-forget) */
+export function captureError(error: unknown, context?: Record<string, unknown>): void {
+  try {
+    const message = error instanceof Error ? error.message : String(error);
+    const stack = error instanceof Error ? error.stack : undefined;
+    console.error(`[${SERVICE_NAME}] Error:`, message, context || '');
+    if (stack && process.env.NODE_ENV === 'development') {
+      console.error(stack);
+    }
+  } catch {
+    // Silent fail — observability must never crash the app
+  }
+}
+// ─── Helpers ─────────────────────────────────────────────────
+function inferCategory(action: string): string {
+  if (action.startsWith('admin.')) return 'admin';
+  if (action.startsWith('payment.')) return 'billing';
+  if (action.startsWith('account.')) return 'data_mutation';
+  if (action.startsWith('auth.')) return 'authentication';
+  if (action.startsWith('cron.')) return 'system';
+  if (action.startsWith('security.')) return 'security';
+  return 'general';
+}

package/src/templates/shared/payments/web/app/api/webhooks/stripe/route.ts ADDED Viewed

@@ -0,0 +1,109 @@
+/**
+ * Stripe Webhook Handler
+ *
+ * Handles Stripe webhook events for subscription lifecycle management.
+ * Uses HMAC signature verification and Redis-based idempotency.
+ *
+ * Required env vars:
+ *   STRIPE_SECRET_KEY      - Stripe API key
+ *   STRIPE_WEBHOOK_SECRET  - Webhook signing secret (whsec_...)
+ */
+import { NextRequest, NextResponse } from 'next/server';
+import Stripe from 'stripe';
+import { getRedisClient } from '@/lib/redis';
+import { enforceRateLimit, AppRateLimits } from '@/lib/api-security';
+export const dynamic = 'force-dynamic';
+const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!, {
+  apiVersion: '2024-12-18.acacia',
+});
+/**
+ * Check if this webhook event has already been processed (idempotency).
+ * Uses Redis SET NX + EX pattern — atomic check-and-set with 24h TTL.
+ * Returns true if already processed, false if new.
+ */
+async function isEventProcessed(eventId: string): Promise<boolean> {
+  const redis = getRedisClient();
+  if (!redis) return false; // No Redis — allow processing (best-effort)
+  try {
+    const result = await redis.set(`webhook:${eventId}`, '1', 'EX', 86400, 'NX');
+    return result === null; // null = key already existed = already processed
+  } catch {
+    return false; // Redis error — allow processing
+  }
+}
+export async function POST(request: NextRequest) {
+  // Rate limit webhook calls (generous — Stripe retries on failure)
+  const rateLimited = await enforceRateLimit(request, 'stripe-webhook', AppRateLimits.webhook);
+  if (rateLimited) return rateLimited;
+  const body = await request.text();
+  const signature = request.headers.get('stripe-signature');
+  if (!signature) {
+    return NextResponse.json({ error: 'Missing signature' }, { status: 400 });
+  }
+  let event: Stripe.Event;
+  try {
+    event = stripe.webhooks.constructEvent(body, signature, process.env.STRIPE_WEBHOOK_SECRET!);
+  } catch (err) {
+    console.error('[Stripe Webhook] Signature verification failed:', err);
+    return NextResponse.json({ error: 'Invalid signature' }, { status: 400 });
+  }
+  // Idempotency check — prevent duplicate processing
+  if (await isEventProcessed(event.id)) {
+    return NextResponse.json({ received: true, duplicate: true });
+  }
+  try {
+    switch (event.type) {
+      case 'checkout.session.completed': {
+        const session = event.data.object as Stripe.Checkout.Session;
+        console.log('[Stripe Webhook] Checkout completed:', session.id);
+        // TODO: Activate subscription, provision access, send welcome email
+        break;
+      }
+      case 'invoice.paid': {
+        const invoice = event.data.object as Stripe.Invoice;
+        console.log('[Stripe Webhook] Invoice paid:', invoice.id);
+        // TODO: Record payment, extend subscription
+        break;
+      }
+      case 'invoice.payment_failed': {
+        const invoice = event.data.object as Stripe.Invoice;
+        console.log('[Stripe Webhook] Payment failed:', invoice.id);
+        // TODO: Notify user, start grace period
+        break;
+      }
+      case 'customer.subscription.updated': {
+        const subscription = event.data.object as Stripe.Subscription;
+        console.log('[Stripe Webhook] Subscription updated:', subscription.id);
+        // TODO: Handle plan changes, cancellation scheduling
+        break;
+      }
+      case 'customer.subscription.deleted': {
+        const subscription = event.data.object as Stripe.Subscription;
+        console.log('[Stripe Webhook] Subscription deleted:', subscription.id);
+        // TODO: Revoke access, send cancellation email
+        break;
+      }
+      default:
+        console.log(`[Stripe Webhook] Unhandled event type: ${event.type}`);
+    }
+    return NextResponse.json({ received: true });
+  } catch (error) {
+    console.error('[Stripe Webhook] Handler error:', error);
+    return NextResponse.json({ error: 'Webhook handler failed' }, { status: 500 });
+  }
+}

package/src/templates/shared/platform/web/lib/platform.ts ADDED Viewed

@@ -0,0 +1,37 @@
+/**
+ * Platform-Core Singleton
+ *
+ * Lazy-initialized platform instance with adapter auto-selection from env vars.
+ * Uses a promise-based lock to prevent race conditions during initialization.
+ *
+ * Usage:
+ *   import { getPlatform } from '@/lib/platform';
+ *   const platform = await getPlatform();
+ *   await platform.cache.set('key', value, 3600);
+ */
+import 'server-only';
+import { createPlatformAsync, type IPlatform } from '@digilogiclabs/platform-core';
+let _platform: IPlatform | null = null;
+let _initPromise: Promise<IPlatform> | null = null;
+/**
+ * Get or initialize the platform singleton.
+ * Adapters are selected automatically based on environment variables:
+ * - DATABASE_URL → PostgreSQL adapter
+ * - REDIS_URL → Redis cache adapter
+ * - RESEND_API_KEY → Resend email adapter
+ * Falls back to memory adapters when env vars are not set.
+ */
+export async function getPlatform(): Promise<IPlatform> {
+  if (_platform) return _platform;
+  if (!_initPromise) {
+    _initPromise = createPlatformAsync().then((p) => {
+      _platform = p;
+      return p;
+    });
+  }
+  return _initPromise;
+}

package/src/templates/shared/redis/web/lib/rate-limit-store.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import 'server-only';
+import { createRedisRateLimitStore } from '@digilogiclabs/platform-core/auth';
+import type { RateLimitStore } from '@digilogiclabs/platform-core/auth';
+import { getRedisClient } from './redis';
+let _store: RateLimitStore | null = null;
+/**
+ * Returns a Redis-backed rate limit store, or undefined to fall back to in-memory.
+ * The store is created lazily on first call and reused thereafter.
+ */
+export function getRateLimitStore(): RateLimitStore | undefined {
+  if (_store) return _store;
+  const redis = getRedisClient();
+  if (!redis) return undefined; // falls back to in-memory in enforceRateLimit
+  _store = createRedisRateLimitStore(redis, { keyPrefix: 'rl:' });
+  return _store;
+}