@enderworld/onlyapi 1.5.1 → 1.6.0

package/src/cli/template.ts

@@ -0,0 +1,957 @@
+/**
+ * Minimal project template — generated by `onlyapi init`.
+ *
+ * Produces a clean ~12-file project that boots a working API with:
+ *   - Health check
+ *   - Auth (register / login / logout)
+ *   - User profile (me)
+ *   - SQLite database (zero-config)
+ *   - JWT authentication
+ *   - CORS + rate limiting
+ *   - Structured logging
+ */
+
+export interface TemplateFile {
+  readonly path: string;
+  readonly content: string;
+}
+
+export const generateTemplate = (projectName: string): TemplateFile[] => [
+  // ── package.json ────────────────────────────────────────────────────
+  {
+    path: "package.json",
+    content: `{
+  "name": ${JSON.stringify(projectName)},
+  "version": "0.1.0",
+  "type": "module",
+  "scripts": {
+    "dev": "bun --watch src/main.ts",
+    "start": "NODE_ENV=production bun src/main.ts",
+    "check": "tsc --noEmit",
+    "test": "bun test",
+    "lint": "bunx @biomejs/biome check src/"
+  },
+  "dependencies": {
+    "zod": "^3.24.2"
+  },
+  "devDependencies": {
+    "@biomejs/biome": "^1.9.4",
+    "@types/bun": "^1.2.2",
+    "typescript": "^5.7.3"
+  }
+}
+`,
+  },
+
+  // ── tsconfig.json ───────────────────────────────────────────────────
+  {
+    path: "tsconfig.json",
+    content: `{
+  "compilerOptions": {
+    "target": "ESNext",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "lib": ["ESNext"],
+    "types": ["bun-types"],
+    "strict": true,
+    "noImplicitAny": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "outDir": "dist",
+    "rootDir": "."
+  },
+  "include": ["src/**/*.ts", "tests/**/*.ts"],
+  "exclude": ["node_modules", "dist"]
+}
+`,
+  },
+
+  // ── biome.json ──────────────────────────────────────────────────────
+  {
+    path: "biome.json",
+    content: `{
+  "$schema": "https://biomejs.dev/schemas/1.9.4/schema.json",
+  "organizeImports": { "enabled": true },
+  "linter": {
+    "enabled": true,
+    "rules": { "recommended": true }
+  },
+  "formatter": {
+    "enabled": true,
+    "indentStyle": "space",
+    "indentWidth": 2,
+    "lineWidth": 100
+  }
+}
+`,
+  },
+
+  // ── .env.example ────────────────────────────────────────────────────
+  {
+    path: ".env.example",
+    content: `# Environment
+NODE_ENV=development
+PORT=3000
+HOST=0.0.0.0
+
+# Security
+JWT_SECRET=change-me-to-a-64-char-random-string
+JWT_EXPIRES_IN=15m
+
+# Logging
+LOG_LEVEL=debug
+
+# Database
+DATABASE_PATH=data/app.sqlite
+`,
+  },
+
+  // ── .gitignore ──────────────────────────────────────────────────────
+  {
+    path: ".gitignore",
+    content: `node_modules/
+dist/
+data/
+.env
+*.sqlite
+*.log
+`,
+  },
+
+  // ── .dockerignore ───────────────────────────────────────────────────
+  {
+    path: ".dockerignore",
+    content: `node_modules/
+dist/
+data/
+.env
+.git/
+*.md
+`,
+  },
+
+  // ── Dockerfile ──────────────────────────────────────────────────────
+  {
+    path: "Dockerfile",
+    content: `FROM oven/bun:1.3-alpine AS builder
+WORKDIR /app
+COPY package.json bun.lock* ./
+RUN bun install --frozen-lockfile
+COPY tsconfig.json ./
+COPY src/ src/
+RUN bun run check
+RUN mkdir -p /app/data
+
+FROM oven/bun:1.3-alpine
+WORKDIR /app
+COPY --from=builder /app/src/ src/
+COPY --from=builder /app/node_modules/ node_modules/
+COPY --from=builder /app/package.json ./
+COPY --from=builder /app/tsconfig.json ./
+COPY --from=builder /app/data/ data/
+RUN addgroup -S app && adduser -S app -G app && chown -R app:app /app
+USER app
+EXPOSE 3000
+ENV NODE_ENV=production
+ENV HOST=0.0.0.0
+ENV PORT=3000
+CMD ["bun", "src/main.ts"]
+`,
+  },
+
+  // ── README.md ───────────────────────────────────────────────────────
+  {
+    path: "README.md",
+    content: `# ${projectName}
+
+Built with [onlyApi](https://github.com/lysari/onlyapi) — zero-dependency REST API on Bun.
+
+## Quick Start
+
+\`\`\`bash
+bun run dev        # Start dev server (hot-reload)
+bun test           # Run tests
+bun run check      # Type-check
+\`\`\`
+
+## API Endpoints
+
+| Method | Path                    | Description       | Auth |
+|--------|-------------------------|-------------------|------|
+| GET    | /health                 | Health check      | No   |
+| POST   | /api/v1/auth/register   | Register          | No   |
+| POST   | /api/v1/auth/login      | Login             | No   |
+| POST   | /api/v1/auth/logout     | Logout            | Yes  |
+| GET    | /api/v1/users/me        | Get profile       | Yes  |
+| PATCH  | /api/v1/users/me        | Update profile    | Yes  |
+| DELETE | /api/v1/users/me        | Delete account    | Yes  |
+
+## Project Structure
+
+\`\`\`
+src/
+  main.ts              # Entry point — wires everything together
+  config.ts            # Environment config with validation
+  database.ts          # SQLite setup + migrations
+  server.ts            # HTTP server + routing
+  handlers/
+    auth.handler.ts    # Register, login, logout
+    health.handler.ts  # Health check
+    user.handler.ts    # User profile CRUD
+  middleware/
+    auth.ts            # JWT authentication guard
+  services/
+    auth.service.ts    # Auth business logic
+    user.service.ts    # User business logic
+  utils/
+    password.ts        # Argon2id hashing
+    token.ts           # JWT sign/verify
+    response.ts        # JSON response helpers
+\`\`\`
+
+## Environment Variables
+
+| Variable       | Default              | Description             |
+|----------------|----------------------|-------------------------|
+| PORT           | 3000                 | Server port             |
+| HOST           | 0.0.0.0              | Bind address            |
+| JWT_SECRET     | —                    | **Required** JWT secret |
+| JWT_EXPIRES_IN | 15m                  | Token expiration        |
+| DATABASE_PATH  | data/app.sqlite      | SQLite file path        |
+| LOG_LEVEL      | debug                | info / debug / warn     |
+| NODE_ENV       | development          | development / production|
+
+## Docker
+
+\`\`\`bash
+docker build -t ${projectName} .
+docker run -e JWT_SECRET="your-secret-here" -p 3000:3000 ${projectName}
+\`\`\`
+`,
+  },
+
+  // ── src/main.ts ─────────────────────────────────────────────────────
+  {
+    path: "src/main.ts",
+    content: `import { loadConfig } from "./config.js";
+import { createDatabase } from "./database.js";
+import { createAuthService } from "./services/auth.service.js";
+import { createUserService } from "./services/user.service.js";
+import { createServer } from "./server.js";
+import { createPasswordHasher } from "./utils/password.js";
+import { createTokenService } from "./utils/token.js";
+
+// ── Load config ───────────────────────────────────────────────────────
+const config = loadConfig();
+
+// ── Database ──────────────────────────────────────────────────────────
+const db = createDatabase(config.databasePath);
+
+// ── Services ──────────────────────────────────────────────────────────
+const passwordHasher = createPasswordHasher();
+const tokenService = createTokenService(config.jwt.secret, config.jwt.expiresIn);
+const authService = createAuthService(db, passwordHasher, tokenService);
+const userService = createUserService(db, passwordHasher);
+
+// ── Server ────────────────────────────────────────────────────────────
+const server = createServer({
+  config,
+  authService,
+  userService,
+  tokenService,
+});
+
+console.log(\`
+  ⚡ \${config.nodeEnv === "production" ? "PRODUCTION" : "DEV"} server running
+  → http://\${config.host}:\${config.port}
+  → SQLite: \${config.databasePath}
+\`);
+
+// ── Graceful shutdown ─────────────────────────────────────────────────
+const shutdown = () => {
+  console.log("\\nShutting down...");
+  server.stop();
+  db.close();
+  process.exit(0);
+};
+
+process.on("SIGINT", shutdown);
+process.on("SIGTERM", shutdown);
+`,
+  },
+
+  // ── src/config.ts ───────────────────────────────────────────────────
+  {
+    path: "src/config.ts",
+    content: `import { z } from "zod";
+
+const configSchema = z.object({
+  port: z.coerce.number().default(3000),
+  host: z.string().default("0.0.0.0"),
+  nodeEnv: z.enum(["development", "production"]).default("development"),
+  jwt: z.object({
+    secret: z.string().min(32, "JWT_SECRET must be at least 32 characters"),
+    expiresIn: z.string().default("15m"),
+  }),
+  databasePath: z.string().default("data/app.sqlite"),
+  logLevel: z.enum(["debug", "info", "warn", "error"]).default("debug"),
+  corsOrigins: z.string().default("*"),
+  rateLimitMax: z.coerce.number().default(100),
+  rateLimitWindowMs: z.coerce.number().default(60_000),
+});
+
+export type AppConfig = z.infer<typeof configSchema>;
+
+export const loadConfig = (): AppConfig => {
+  const result = configSchema.safeParse({
+    port: Bun.env.PORT,
+    host: Bun.env.HOST,
+    nodeEnv: Bun.env.NODE_ENV,
+    jwt: {
+      secret: Bun.env.JWT_SECRET,
+      expiresIn: Bun.env.JWT_EXPIRES_IN,
+    },
+    databasePath: Bun.env.DATABASE_PATH,
+    logLevel: Bun.env.LOG_LEVEL,
+    corsOrigins: Bun.env.CORS_ORIGINS,
+    rateLimitMax: Bun.env.RATE_LIMIT_MAX_REQUESTS,
+    rateLimitWindowMs: Bun.env.RATE_LIMIT_WINDOW_MS,
+  });
+
+  if (!result.success) {
+    const errors = result.error.issues
+      .map((i) => \`  ✗ \${i.path.join(".")} → \${i.message}\`)
+      .join("\\n");
+
+    console.error(\`\\n  CONFIG ERROR   Invalid configuration\\n\\n\${errors}\\n\`);
+    console.error("  Hint: Copy .env.example to .env and set the required values:\\n");
+    console.error("  $ cp .env.example .env\\n");
+    process.exit(1);
+  }
+
+  return result.data;
+};
+`,
+  },
+
+  // ── src/database.ts ─────────────────────────────────────────────────
+  {
+    path: "src/database.ts",
+    content: `import { Database } from "bun:sqlite";
+import { existsSync, mkdirSync } from "node:fs";
+import { dirname } from "node:path";
+
+export const createDatabase = (dbPath: string): Database => {
+  // Ensure data directory exists
+  const dir = dirname(dbPath);
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+
+  const db = new Database(dbPath, { create: true });
+
+  // Performance settings
+  db.exec("PRAGMA journal_mode = WAL");
+  db.exec("PRAGMA synchronous = NORMAL");
+  db.exec("PRAGMA foreign_keys = ON");
+
+  // Run migrations
+  migrate(db);
+
+  return db;
+};
+
+const migrate = (db: Database): void => {
+  db.exec(\`
+    CREATE TABLE IF NOT EXISTS users (
+      id         TEXT PRIMARY KEY,
+      email      TEXT NOT NULL UNIQUE,
+      password   TEXT NOT NULL,
+      name       TEXT NOT NULL DEFAULT '',
+      role       TEXT NOT NULL DEFAULT 'user',
+      created_at TEXT NOT NULL DEFAULT (datetime('now')),
+      updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+    )
+  \`);
+
+  db.exec(\`
+    CREATE TABLE IF NOT EXISTS token_blacklist (
+      token_id   TEXT PRIMARY KEY,
+      expires_at TEXT NOT NULL
+    )
+  \`);
+
+  console.log("  ✓ Database ready");
+};
+`,
+  },
+
+  // ── src/server.ts ───────────────────────────────────────────────────
+  {
+    path: "src/server.ts",
+    content: `import type { AuthService } from "./services/auth.service.js";
+import type { UserService } from "./services/user.service.js";
+import type { TokenService } from "./utils/token.js";
+import type { AppConfig } from "./config.js";
+import { authHandlers } from "./handlers/auth.handler.js";
+import { healthHandler } from "./handlers/health.handler.js";
+import { userHandlers } from "./handlers/user.handler.js";
+import { authenticate } from "./middleware/auth.js";
+import { json } from "./utils/response.js";
+
+interface ServerDeps {
+  config: AppConfig;
+  authService: AuthService;
+  userService: UserService;
+  tokenService: TokenService;
+}
+
+export const createServer = (deps: ServerDeps) => {
+  const { config, tokenService } = deps;
+  const auth = authHandlers(deps.authService);
+  const health = healthHandler();
+  const users = userHandlers(deps.userService);
+
+  // ── Rate limiting (in-memory) ───────────────────────────────────────
+  const hits = new Map<string, { count: number; resetAt: number }>();
+
+  const isRateLimited = (ip: string): boolean => {
+    const now = Date.now();
+    const entry = hits.get(ip);
+
+    if (!entry || now > entry.resetAt) {
+      hits.set(ip, { count: 1, resetAt: now + config.rateLimitWindowMs });
+      return false;
+    }
+
+    entry.count++;
+    return entry.count > config.rateLimitMax;
+  };
+
+  // ── CORS headers ───────────────────────────────────────────────────
+  const corsHeaders = (origin: string | null): Record<string, string> => {
+    const allowed = config.corsOrigins === "*" || (origin && config.corsOrigins.includes(origin));
+    return {
+      "Access-Control-Allow-Origin": allowed ? (origin ?? "*") : "",
+      "Access-Control-Allow-Methods": "GET, POST, PATCH, DELETE, OPTIONS",
+      "Access-Control-Allow-Headers": "Content-Type, Authorization",
+      "Access-Control-Max-Age": "86400",
+    };
+  };
+
+  // ── Request handler ────────────────────────────────────────────────
+  const server = Bun.serve({
+    port: config.port,
+    hostname: config.host,
+
+    async fetch(req) {
+      const url = new URL(req.url);
+      const { pathname } = url;
+      const method = req.method;
+      const origin = req.headers.get("origin");
+
+      // CORS preflight
+      if (method === "OPTIONS") {
+        return new Response(null, { status: 204, headers: corsHeaders(origin) });
+      }
+
+      // Rate limiting
+      const ip = server.requestIP(req)?.address ?? "unknown";
+      if (isRateLimited(ip)) {
+        return json({ error: "Too many requests" }, 429, corsHeaders(origin));
+      }
+
+      try {
+        let response: Response;
+
+        // ── Public routes ──
+        if (pathname === "/health" && method === "GET") {
+          response = health.check();
+        } else if (pathname === "/api/v1/auth/register" && method === "POST") {
+          response = await auth.register(req);
+        } else if (pathname === "/api/v1/auth/login" && method === "POST") {
+          response = await auth.login(req);
+        }
+
+        // ── Protected routes ──
+        else if (pathname === "/api/v1/auth/logout" && method === "POST") {
+          const authResult = await authenticate(req, tokenService);
+          if (!authResult.ok) return json({ error: authResult.error }, 401, corsHeaders(origin));
+          response = await auth.logout(authResult.userId, req);
+        } else if (pathname === "/api/v1/users/me" && method === "GET") {
+          const authResult = await authenticate(req, tokenService);
+          if (!authResult.ok) return json({ error: authResult.error }, 401, corsHeaders(origin));
+          response = await users.getProfile(authResult.userId);
+        } else if (pathname === "/api/v1/users/me" && method === "PATCH") {
+          const authResult = await authenticate(req, tokenService);
+          if (!authResult.ok) return json({ error: authResult.error }, 401, corsHeaders(origin));
+          response = await users.updateProfile(authResult.userId, req);
+        } else if (pathname === "/api/v1/users/me" && method === "DELETE") {
+          const authResult = await authenticate(req, tokenService);
+          if (!authResult.ok) return json({ error: authResult.error }, 401, corsHeaders(origin));
+          response = await users.deleteAccount(authResult.userId);
+        }
+
+        // ── 404 ──
+        else {
+          response = json({ error: "Not found" }, 404);
+        }
+
+        // Add CORS headers to every response
+        const headers = corsHeaders(origin);
+        for (const [k, v] of Object.entries(headers)) {
+          response.headers.set(k, v);
+        }
+
+        return response;
+      } catch (err) {
+        console.error("Unhandled error:", err);
+        return json({ error: "Internal server error" }, 500, corsHeaders(origin));
+      }
+    },
+  });
+
+  return server;
+};
+`,
+  },
+
+  // ── src/handlers/health.handler.ts ──────────────────────────────────
+  {
+    path: "src/handlers/health.handler.ts",
+    content: `import { json } from "../utils/response.js";
+
+export const healthHandler = () => ({
+  check: (): Response =>
+    json({ status: "ok", uptime: process.uptime() }),
+});
+`,
+  },
+
+  // ── src/handlers/auth.handler.ts ────────────────────────────────────
+  {
+    path: "src/handlers/auth.handler.ts",
+    content: `import type { AuthService } from "../services/auth.service.js";
+import { json } from "../utils/response.js";
+import { z } from "zod";
+
+const registerSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8),
+  name: z.string().min(1).optional(),
+});
+
+const loginSchema = z.object({
+  email: z.string().email(),
+  password: z.string(),
+});
+
+export const authHandlers = (authService: AuthService) => ({
+  register: async (req: Request): Promise<Response> => {
+    const body = registerSchema.safeParse(await req.json());
+    if (!body.success) return json({ error: body.error.issues }, 400);
+
+    const result = await authService.register(body.data);
+    if (!result.ok) return json({ error: result.error }, 409);
+
+    return json({ data: result.data }, 201);
+  },
+
+  login: async (req: Request): Promise<Response> => {
+    const body = loginSchema.safeParse(await req.json());
+    if (!body.success) return json({ error: body.error.issues }, 400);
+
+    const result = await authService.login(body.data.email, body.data.password);
+    if (!result.ok) return json({ error: result.error }, 401);
+
+    return json({ data: result.data });
+  },
+
+  logout: async (userId: string, req: Request): Promise<Response> => {
+    const header = req.headers.get("authorization") ?? "";
+    const token = header.replace("Bearer ", "");
+
+    await authService.logout(token);
+    return json({ data: { message: "Logged out" } });
+  },
+});
+`,
+  },
+
+  // ── src/handlers/user.handler.ts ────────────────────────────────────
+  {
+    path: "src/handlers/user.handler.ts",
+    content: `import type { UserService } from "../services/user.service.js";
+import { json } from "../utils/response.js";
+import { z } from "zod";
+
+const updateSchema = z.object({
+  name: z.string().min(1).optional(),
+  email: z.string().email().optional(),
+});
+
+export const userHandlers = (userService: UserService) => ({
+  getProfile: async (userId: string): Promise<Response> => {
+    const user = userService.findById(userId);
+    if (!user) return json({ error: "User not found" }, 404);
+
+    const { password: _, ...profile } = user;
+    return json({ data: profile });
+  },
+
+  updateProfile: async (userId: string, req: Request): Promise<Response> => {
+    const body = updateSchema.safeParse(await req.json());
+    if (!body.success) return json({ error: body.error.issues }, 400);
+
+    const updated = userService.update(userId, body.data);
+    if (!updated) return json({ error: "User not found" }, 404);
+
+    const { password: _, ...profile } = updated;
+    return json({ data: profile });
+  },
+
+  deleteAccount: async (userId: string): Promise<Response> => {
+    const deleted = userService.delete(userId);
+    if (!deleted) return json({ error: "User not found" }, 404);
+
+    return json({ data: { message: "Account deleted" } });
+  },
+});
+`,
+  },
+
+  // ── src/middleware/auth.ts ──────────────────────────────────────────
+  {
+    path: "src/middleware/auth.ts",
+    content: `import type { TokenService } from "../utils/token.js";
+
+type AuthResult =
+  | { ok: true; userId: string }
+  | { ok: false; error: string };
+
+export const authenticate = async (
+  req: Request,
+  tokenService: TokenService,
+): Promise<AuthResult> => {
+  const header = req.headers.get("authorization");
+  if (!header?.startsWith("Bearer ")) {
+    return { ok: false, error: "Missing or invalid Authorization header" };
+  }
+
+  const token = header.slice(7);
+  const payload = tokenService.verify(token);
+
+  if (!payload) {
+    return { ok: false, error: "Invalid or expired token" };
+  }
+
+  if (tokenService.isBlacklisted(payload.jti)) {
+    return { ok: false, error: "Token has been revoked" };
+  }
+
+  return { ok: true, userId: payload.sub };
+};
+`,
+  },
+
+  // ── src/services/auth.service.ts ────────────────────────────────────
+  {
+    path: "src/services/auth.service.ts",
+    content: `import type { Database } from "bun:sqlite";
+import type { PasswordHasher } from "../utils/password.js";
+import type { TokenService } from "../utils/token.js";
+
+type Result<T> = { ok: true; data: T } | { ok: false; error: string };
+
+interface RegisterInput {
+  email: string;
+  password: string;
+  name?: string;
+}
+
+export interface AuthService {
+  register(input: RegisterInput): Promise<Result<{ id: string; email: string; token: string }>>;
+  login(email: string, password: string): Promise<Result<{ token: string; user: { id: string; email: string; name: string } }>>;
+  logout(token: string): Promise<void>;
+}
+
+export const createAuthService = (
+  db: Database,
+  passwordHasher: PasswordHasher,
+  tokenService: TokenService,
+): AuthService => ({
+  async register(input) {
+    // Check if user exists
+    const existing = db.query("SELECT id FROM users WHERE email = ?").get(input.email);
+    if (existing) return { ok: false, error: "Email already registered" };
+
+    const id = crypto.randomUUID();
+    const hashedPassword = await passwordHasher.hash(input.password);
+
+    db.query("INSERT INTO users (id, email, password, name) VALUES (?, ?, ?, ?)").run(
+      id,
+      input.email,
+      hashedPassword,
+      input.name ?? "",
+    );
+
+    const token = tokenService.sign({ sub: id, email: input.email, role: "user" });
+    return { ok: true, data: { id, email: input.email, token } };
+  },
+
+  async login(email, password) {
+    const user = db
+      .query("SELECT id, email, password, name, role FROM users WHERE email = ?")
+      .get(email) as { id: string; email: string; password: string; name: string; role: string } | null;
+
+    if (!user) return { ok: false, error: "Invalid credentials" };
+
+    const valid = await passwordHasher.verify(user.password, password);
+    if (!valid) return { ok: false, error: "Invalid credentials" };
+
+    const token = tokenService.sign({ sub: user.id, email: user.email, role: user.role });
+    return {
+      ok: true,
+      data: { token, user: { id: user.id, email: user.email, name: user.name } },
+    };
+  },
+
+  async logout(token) {
+    const payload = tokenService.verify(token);
+    if (payload?.jti) {
+      tokenService.blacklist(payload.jti, payload.exp);
+    }
+  },
+});
+`,
+  },
+
+  // ── src/services/user.service.ts ────────────────────────────────────
+  {
+    path: "src/services/user.service.ts",
+    content: `import type { Database } from "bun:sqlite";
+import type { PasswordHasher } from "../utils/password.js";
+
+interface User {
+  id: string;
+  email: string;
+  password: string;
+  name: string;
+  role: string;
+  created_at: string;
+  updated_at: string;
+}
+
+export interface UserService {
+  findById(id: string): User | null;
+  update(id: string, data: { name?: string; email?: string }): User | null;
+  delete(id: string): boolean;
+}
+
+export const createUserService = (db: Database, _passwordHasher: PasswordHasher): UserService => ({
+  findById(id) {
+    return db.query("SELECT * FROM users WHERE id = ?").get(id) as User | null;
+  },
+
+  update(id, data) {
+    const fields: string[] = [];
+    const values: unknown[] = [];
+
+    if (data.name !== undefined) {
+      fields.push("name = ?");
+      values.push(data.name);
+    }
+    if (data.email !== undefined) {
+      fields.push("email = ?");
+      values.push(data.email);
+    }
+
+    if (fields.length === 0) return this.findById(id);
+
+    fields.push("updated_at = datetime('now')");
+    values.push(id);
+
+    db.query(\`UPDATE users SET \${fields.join(", ")} WHERE id = ?\`).run(...values);
+    return this.findById(id);
+  },
+
+  delete(id) {
+    const result = db.query("DELETE FROM users WHERE id = ?").run(id);
+    return result.changes > 0;
+  },
+});
+`,
+  },
+
+  // ── src/utils/password.ts ───────────────────────────────────────────
+  {
+    path: "src/utils/password.ts",
+    content: `/**
+ * Password hashing using Bun's built-in Argon2id.
+ */
+export interface PasswordHasher {
+  hash(password: string): Promise<string>;
+  verify(hash: string, password: string): Promise<boolean>;
+}
+
+export const createPasswordHasher = (): PasswordHasher => ({
+  async hash(password) {
+    return Bun.password.hash(password, { algorithm: "argon2id" });
+  },
+
+  async verify(hash, password) {
+    return Bun.password.verify(password, hash);
+  },
+});
+`,
+  },
+
+  // ── src/utils/token.ts ──────────────────────────────────────────────
+  {
+    path: "src/utils/token.ts",
+    content: [
+      "/**",
+      " * JWT token service using Bun's native HMAC-SHA256.",
+      " */",
+      "",
+      "export interface TokenPayload {",
+      "  sub: string;",
+      "  jti: string;",
+      "  exp: number;",
+      "  [key: string]: unknown;",
+      "}",
+      "",
+      "export interface TokenService {",
+      "  sign(claims: Record<string, unknown>): string;",
+      "  verify(token: string): TokenPayload | null;",
+      "  blacklist(jti: string, exp: number): void;",
+      "  isBlacklisted(jti: string): boolean;",
+      "}",
+      "",
+      '// Parse duration string to seconds: "15m" → 900, "1h" → 3600, "7d" → 604800',
+      "const parseDuration = (duration: string): number => {",
+      "  const match = duration.match(/^(\\d+)([smhd])$/);",
+      "  if (!match) return 900; // default 15 minutes",
+      "  const value = Number.parseInt(match[1], 10);",
+      "  const unit = match[2];",
+      "  const multipliers: Record<string, number> = { s: 1, m: 60, h: 3600, d: 86400 };",
+      "  return value * (multipliers[unit] ?? 60);",
+      "};",
+      "",
+      "export const createTokenService = (secret: string, expiresIn: string): TokenService => {",
+      "  const key = new TextEncoder().encode(secret);",
+      "  const expiresInSec = parseDuration(expiresIn);",
+      "",
+      "  // In-memory blacklist with auto-cleanup",
+      "  const blacklisted = new Map<string, number>();",
+      "",
+      "  // Clean expired entries every 5 minutes",
+      "  setInterval(() => {",
+      "    const now = Math.floor(Date.now() / 1000);",
+      "    for (const [jti, exp] of blacklisted) {",
+      "      if (exp < now) blacklisted.delete(jti);",
+      "    }",
+      "  }, 5 * 60 * 1000).unref();",
+      "",
+      "  return {",
+      "    sign(claims) {",
+      "      const now = Math.floor(Date.now() / 1000);",
+      "      const jti = crypto.randomUUID();",
+      "      const payload = { ...claims, jti, iat: now, exp: now + expiresInSec };",
+      "",
+      "      // HMAC-SHA256 JWT",
+      '      const header = btoa(JSON.stringify({ alg: "HS256", typ: "JWT" }))',
+      '        .replace(/=/g, "").replace(/\\+/g, "-").replace(/\\//g, "_");',
+      "",
+      "      const body = btoa(JSON.stringify(payload))",
+      '        .replace(/=/g, "").replace(/\\+/g, "-").replace(/\\//g, "_");',
+      "",
+      '      const data = header + "." + body;',
+      '      const hmac = new Bun.CryptoHasher("sha256", key);',
+      "      hmac.update(data);",
+      '      const sig = Buffer.from(hmac.digest()).toString("base64url");',
+      "",
+      '      return data + "." + sig;',
+      "    },",
+      "",
+      "    verify(token) {",
+      "      try {",
+      '        const parts = token.split(".");',
+      "        if (parts.length !== 3) return null;",
+      "",
+      "        // Verify signature",
+      '        const data = parts[0] + "." + parts[1];',
+      '        const hmac = new Bun.CryptoHasher("sha256", key);',
+      "        hmac.update(data);",
+      '        const expected = Buffer.from(hmac.digest()).toString("base64url");',
+      "",
+      "        if (expected !== parts[2]) return null;",
+      "",
+      "        // Decode payload",
+      "        const payload = JSON.parse(",
+      '          Buffer.from(parts[1], "base64url").toString()',
+      "        ) as TokenPayload;",
+      "",
+      "        // Check expiry",
+      "        if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {",
+      "          return null;",
+      "        }",
+      "",
+      "        return payload;",
+      "      } catch {",
+      "        return null;",
+      "      }",
+      "    },",
+      "",
+      "    blacklist(jti, exp) {",
+      "      blacklisted.set(jti, exp);",
+      "    },",
+      "",
+      "    isBlacklisted(jti) {",
+      "      return blacklisted.has(jti);",
+      "    },",
+      "  };",
+      "};",
+      "",
+    ].join("\n"),
+  },
+
+  // ── src/utils/response.ts ───────────────────────────────────────────
+  {
+    path: "src/utils/response.ts",
+    content: `/**
+ * JSON response helper.
+ */
+export const json = (
+  body: unknown,
+  status = 200,
+  extraHeaders?: Record<string, string>,
+): Response => {
+  const headers: Record<string, string> = {
+    "Content-Type": "application/json; charset=utf-8",
+    ...extraHeaders,
+  };
+
+  return new Response(JSON.stringify(body), { status, headers });
+};
+`,
+  },
+
+  // ── tests/health.test.ts ────────────────────────────────────────────
+  {
+    path: "tests/health.test.ts",
+    content: `import { describe, expect, it } from "bun:test";
+
+describe("Health check", () => {
+  it("should return ok", async () => {
+    // Start server for test
+    const response = await fetch("http://localhost:3000/health");
+    expect(response.status).toBe(200);
+
+    const data = await response.json();
+    expect(data.status).toBe("ok");
+  });
+});
+`,
+  },
+];