@enderworld/onlyapi 1.5.1 → 1.7.0

package/src/cli/template.ts

@@ -0,0 +1,1191 @@
+/**
+ * Minimal project template — generated by `onlyapi init`.
+ *
+ * Produces a clean project that boots a working API with:
+ *   - Health check
+ *   - Auth (register / login / logout)
+ *   - User profile (me)
+ *   - SQLite database (zero-config)
+ *   - JWT authentication
+ *   - CORS + rate limiting
+ *   - Pretty startup banner + colored request logging
+ *   - Simple router with route table
+ */
+
+export interface TemplateFile {
+  readonly path: string;
+  readonly content: string;
+}
+
+export const generateTemplate = (projectName: string): TemplateFile[] => [
+  // ── package.json ────────────────────────────────────────────────────
+  {
+    path: "package.json",
+    content: `{
+  "name": ${JSON.stringify(projectName)},
+  "version": "0.1.0",
+  "type": "module",
+  "scripts": {
+    "dev": "bun --watch src/main.ts",
+    "start": "NODE_ENV=production bun src/main.ts",
+    "check": "tsc --noEmit",
+    "test": "bun test",
+    "lint": "bunx @biomejs/biome check src/"
+  },
+  "dependencies": {
+    "zod": "^3.24.2"
+  },
+  "devDependencies": {
+    "@biomejs/biome": "^1.9.4",
+    "@types/bun": "^1.2.2",
+    "typescript": "^5.7.3"
+  }
+}
+`,
+  },
+
+  // ── tsconfig.json ───────────────────────────────────────────────────
+  {
+    path: "tsconfig.json",
+    content: `{
+  "compilerOptions": {
+    "target": "ESNext",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "lib": ["ESNext"],
+    "types": ["bun-types"],
+    "strict": true,
+    "noImplicitAny": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "outDir": "dist",
+    "rootDir": "."
+  },
+  "include": ["src/**/*.ts", "tests/**/*.ts"],
+  "exclude": ["node_modules", "dist"]
+}
+`,
+  },
+
+  // ── biome.json ──────────────────────────────────────────────────────
+  {
+    path: "biome.json",
+    content: `{
+  "$schema": "https://biomejs.dev/schemas/1.9.4/schema.json",
+  "organizeImports": { "enabled": true },
+  "linter": {
+    "enabled": true,
+    "rules": { "recommended": true }
+  },
+  "formatter": {
+    "enabled": true,
+    "indentStyle": "space",
+    "indentWidth": 2,
+    "lineWidth": 100
+  }
+}
+`,
+  },
+
+  // ── .env.example ────────────────────────────────────────────────────
+  {
+    path: ".env.example",
+    content: `# Environment
+NODE_ENV=development
+PORT=3000
+HOST=0.0.0.0
+
+# Security
+JWT_SECRET=change-me-to-a-64-char-random-string
+JWT_EXPIRES_IN=15m
+
+# Logging
+LOG_LEVEL=debug
+
+# Database
+DATABASE_PATH=data/app.sqlite
+`,
+  },
+
+  // ── .gitignore ──────────────────────────────────────────────────────
+  {
+    path: ".gitignore",
+    content: `node_modules/
+dist/
+data/
+.env
+*.sqlite
+*.log
+`,
+  },
+
+  // ── .dockerignore ───────────────────────────────────────────────────
+  {
+    path: ".dockerignore",
+    content: `node_modules/
+dist/
+data/
+.env
+.git/
+*.md
+`,
+  },
+
+  // ── Dockerfile ──────────────────────────────────────────────────────
+  {
+    path: "Dockerfile",
+    content: `FROM oven/bun:1.3-alpine AS builder
+WORKDIR /app
+COPY package.json bun.lock* ./
+RUN bun install --frozen-lockfile
+COPY tsconfig.json ./
+COPY src/ src/
+RUN bun run check
+RUN mkdir -p /app/data
+
+FROM oven/bun:1.3-alpine
+WORKDIR /app
+COPY --from=builder /app/src/ src/
+COPY --from=builder /app/node_modules/ node_modules/
+COPY --from=builder /app/package.json ./
+COPY --from=builder /app/tsconfig.json ./
+COPY --from=builder /app/data/ data/
+RUN addgroup -S app && adduser -S app -G app && chown -R app:app /app
+USER app
+EXPOSE 3000
+ENV NODE_ENV=production
+ENV HOST=0.0.0.0
+ENV PORT=3000
+CMD ["bun", "src/main.ts"]
+`,
+  },
+
+  // ── README.md ───────────────────────────────────────────────────────
+  {
+    path: "README.md",
+    content: `# ${projectName}
+
+Built with [onlyApi](https://github.com/lysari/onlyapi) — zero-dependency REST API on Bun.
+
+## Quick Start
+
+\`\`\`bash
+bun run dev        # Start dev server (hot-reload)
+bun test           # Run tests
+bun run check      # Type-check
+\`\`\`
+
+## API Endpoints
+
+| Method | Path                    | Description       | Auth |
+|--------|-------------------------|-------------------|------|
+| GET    | /health                 | Health check      | No   |
+| POST   | /api/v1/auth/register   | Register          | No   |
+| POST   | /api/v1/auth/login      | Login             | No   |
+| POST   | /api/v1/auth/logout     | Logout            | Yes  |
+| GET    | /api/v1/users/me        | Get profile       | Yes  |
+| PATCH  | /api/v1/users/me        | Update profile    | Yes  |
+| DELETE | /api/v1/users/me        | Delete account    | Yes  |
+
+## Project Structure
+
+\`\`\`
+src/
+  main.ts              # Entry point — wires everything together
+  config.ts            # Environment config with validation
+  database.ts          # SQLite setup + migrations
+  logger.ts            # Colored structured logger
+  router.ts            # Lightweight router with route table
+  server.ts            # HTTP server, CORS, rate limiting
+  handlers/
+    auth.handler.ts    # Register, login, logout
+    health.handler.ts  # Health check
+    user.handler.ts    # User profile CRUD
+  middleware/
+    auth.ts            # JWT authentication guard
+  services/
+    auth.service.ts    # Auth business logic
+    user.service.ts    # User business logic
+  utils/
+    password.ts        # Argon2id hashing
+    token.ts           # JWT sign/verify
+    response.ts        # JSON response helpers
+\`\`\`
+
+## Environment Variables
+
+| Variable       | Default              | Description             |
+|----------------|----------------------|-------------------------|
+| PORT           | 3000                 | Server port             |
+| HOST           | 0.0.0.0              | Bind address            |
+| JWT_SECRET     | —                    | **Required** JWT secret |
+| JWT_EXPIRES_IN | 15m                  | Token expiration        |
+| DATABASE_PATH  | data/app.sqlite      | SQLite file path        |
+| LOG_LEVEL      | debug                | info / debug / warn     |
+| NODE_ENV       | development          | development / production|
+
+## Docker
+
+\`\`\`bash
+docker build -t ${projectName} .
+docker run -e JWT_SECRET="your-secret-here" -p 3000:3000 ${projectName}
+\`\`\`
+`,
+  },
+
+  // ── src/logger.ts ───────────────────────────────────────────────────
+  {
+    path: "src/logger.ts",
+    content: [
+      "/**",
+      " * Colored structured logger — zero dependencies.",
+      " */",
+      "",
+      'type LogLevel = "debug" | "info" | "warn" | "error";',
+      "",
+      "const LEVELS: Record<LogLevel, number> = { debug: 0, info: 1, warn: 2, error: 3 };",
+      "",
+      "// ANSI colors",
+      'const esc = (c: string) => "\\x1b[" + c + "m";',
+      'const reset = esc("0");',
+      'const bold = (s: string) => esc("1") + s + reset;',
+      'const dim = (s: string) => esc("2") + s + reset;',
+      'const green = (s: string) => esc("32") + s + reset;',
+      'const yellow = (s: string) => esc("33") + s + reset;',
+      'const red = (s: string) => esc("31") + s + reset;',
+      'const cyan = (s: string) => esc("36") + s + reset;',
+      'const gray = (s: string) => esc("90") + s + reset;',
+      'const white = (s: string) => esc("97") + s + reset;',
+      'const magenta = (s: string) => esc("35") + s + reset;',
+      'const blue = (s: string) => esc("34") + s + reset;',
+      "",
+      "const timestamp = (): string => {",
+      "  const d = new Date();",
+      '  const h = String(d.getHours()).padStart(2, "0");',
+      '  const m = String(d.getMinutes()).padStart(2, "0");',
+      '  const s = String(d.getSeconds()).padStart(2, "0");',
+      '  const ms = String(d.getMilliseconds()).padStart(3, "0");',
+      '  return h + ":" + m + ":" + s + "." + ms;',
+      "};",
+      "",
+      "const badge = (level: LogLevel): string => {",
+      "  switch (level) {",
+      '    case "debug": return gray("DBG");',
+      '    case "info":  return green("INF");',
+      '    case "warn":  return yellow("WRN");',
+      '    case "error": return red("ERR");',
+      "  }",
+      "};",
+      "",
+      "export interface Logger {",
+      "  debug(msg: string, extra?: Record<string, unknown>): void;",
+      "  info(msg: string, extra?: Record<string, unknown>): void;",
+      "  warn(msg: string, extra?: Record<string, unknown>): void;",
+      "  error(msg: string, extra?: Record<string, unknown>): void;",
+      "}",
+      "",
+      'export const createLogger = (minLevel: LogLevel = "debug"): Logger => {',
+      "  const threshold = LEVELS[minLevel];",
+      "",
+      "  const log = (level: LogLevel, msg: string, extra?: Record<string, unknown>) => {",
+      "    if (LEVELS[level] < threshold) return;",
+      '    let line = "  " + badge(level) + " " + dim(timestamp()) + " " + msg;',
+      "    if (extra) {",
+      "      const parts = Object.entries(extra)",
+      '        .map(([k, v]) => gray(k + "=") + white(String(v)));',
+      '      line += " " + parts.join(" ");',
+      "    }",
+      "    console.log(line);",
+      "  };",
+      "",
+      "  return {",
+      '    debug: (msg, extra) => log("debug", msg, extra),',
+      '    info:  (msg, extra) => log("info", msg, extra),',
+      '    warn:  (msg, extra) => log("warn", msg, extra),',
+      '    error: (msg, extra) => log("error", msg, extra),',
+      "  };",
+      "};",
+      "",
+      "// ── Request logging ─────────────────────────────────────────────────",
+      "",
+      "const methodColor = (method: string): string => {",
+      "  switch (method) {",
+      '    case "GET":    return green(bold(method.padEnd(7)));',
+      '    case "POST":   return cyan(bold(method.padEnd(7)));',
+      '    case "PATCH":  return yellow(bold(method.padEnd(7)));',
+      '    case "PUT":    return yellow(bold(method.padEnd(7)));',
+      '    case "DELETE": return red(bold(method.padEnd(7)));',
+      "    default:       return white(bold(method.padEnd(7)));",
+      "  }",
+      "};",
+      "",
+      "const statusColor = (status: number): string => {",
+      "  if (status < 300) return green(String(status));",
+      "  if (status < 400) return cyan(String(status));",
+      "  if (status < 500) return yellow(String(status));",
+      "  return red(String(status));",
+      "};",
+      "",
+      "export const formatRequest = (",
+      "  method: string,",
+      "  path: string,",
+      "  status: number,",
+      "  durationMs: number,",
+      "  ip: string,",
+      "): string => {",
+      '  const arrow = gray("←");',
+      '  const dur = dim(durationMs.toFixed(2) + "ms");',
+      "  return (",
+      '    "  " + arrow + " " +',
+      '    dim(timestamp()) + "  " +',
+      '    methodColor(method) + " " +',
+      '    statusColor(status) + " " +',
+      '    path + " " +',
+      '    dur + "  " +',
+      '    gray("ip=" + ip)',
+      "  );",
+      "};",
+      "",
+      "// ── Startup banner ──────────────────────────────────────────────────",
+      "",
+      "export { bold, cyan, dim, gray, green, magenta, blue, white, yellow, red };",
+      "",
+    ].join("\n"),
+  },
+
+  // ── src/router.ts ───────────────────────────────────────────────────
+  {
+    path: "src/router.ts",
+    content: [
+      "/**",
+      " * Lightweight router with O(1) static route lookup.",
+      " */",
+      "",
+      "type Handler = (req: Request, params?: Record<string, string>) => Promise<Response> | Response;",
+      "",
+      "interface Route {",
+      "  method: string;",
+      "  path: string;",
+      "  handler: Handler;",
+      "  auth: boolean;",
+      "  description: string;",
+      "}",
+      "",
+      "export interface Router {",
+      "  add(method: string, path: string, handler: Handler, opts?: { auth?: boolean; description?: string }): void;",
+      "  match(method: string, path: string): { handler: Handler; auth: boolean } | null;",
+      "  routes(): ReadonlyArray<{ method: string; path: string; auth: boolean; description: string }>;",
+      "}",
+      "",
+      "export const createRouter = (): Router => {",
+      "  const table = new Map<string, Route>();",
+      "  const list: Route[] = [];",
+      "",
+      "  return {",
+      "    add(method, path, handler, opts = {}) {",
+      '      const key = method + " " + path;',
+      '      const route: Route = { method, path, handler, auth: opts.auth ?? false, description: opts.description ?? "" };',
+      "      table.set(key, route);",
+      "      list.push(route);",
+      "    },",
+      "",
+      "    match(method, path) {",
+      '      const route = table.get(method + " " + path);',
+      "      if (route) return { handler: route.handler, auth: route.auth };",
+      "      return null;",
+      "    },",
+      "",
+      "    routes() {",
+      "      return list.map(r => ({ method: r.method, path: r.path, auth: r.auth, description: r.description }));",
+      "    },",
+      "  };",
+      "};",
+      "",
+    ].join("\n"),
+  },
+
+  // ── src/main.ts ─────────────────────────────────────────────────────
+  {
+    path: "src/main.ts",
+    content: [
+      'import { loadConfig } from "./config.js";',
+      'import { createDatabase } from "./database.js";',
+      'import { createLogger, bold, cyan, dim, gray, green, white, magenta, blue, yellow } from "./logger.js";',
+      'import { createRouter } from "./router.js";',
+      'import { createAuthService } from "./services/auth.service.js";',
+      'import { createUserService } from "./services/user.service.js";',
+      'import { createServer } from "./server.js";',
+      'import { createPasswordHasher } from "./utils/password.js";',
+      'import { createTokenService } from "./utils/token.js";',
+      "",
+      "const startTime = performance.now();",
+      "",
+      "// ── Config ──────────────────────────────────────────────────────────",
+      "const config = loadConfig();",
+      "const log = createLogger(config.logLevel);",
+      "",
+      "// ── Database ────────────────────────────────────────────────────────",
+      "const db = createDatabase(config.databasePath, log);",
+      "",
+      "// ── Services ────────────────────────────────────────────────────────",
+      "const passwordHasher = createPasswordHasher();",
+      "const tokenService = createTokenService(config.jwt.secret, config.jwt.expiresIn);",
+      "const authService = createAuthService(db, passwordHasher, tokenService);",
+      "const userService = createUserService(db, passwordHasher);",
+      "",
+      "// ── Router ──────────────────────────────────────────────────────────",
+      "const router = createRouter();",
+      "",
+      'import { authHandlers } from "./handlers/auth.handler.js";',
+      'import { healthHandler } from "./handlers/health.handler.js";',
+      'import { userHandlers } from "./handlers/user.handler.js";',
+      "",
+      "const auth = authHandlers(authService);",
+      "const health = healthHandler();",
+      "const users = userHandlers(userService);",
+      "",
+      "// Public",
+      'router.add("GET",  "/health",                health.check,     { description: "Health check" });',
+      'router.add("POST", "/api/v1/auth/register",  auth.register,    { description: "Register user" });',
+      'router.add("POST", "/api/v1/auth/login",     auth.login,       { description: "Login" });',
+      "",
+      "// Protected",
+      'router.add("POST",   "/api/v1/auth/logout",  auth.logout,      { auth: true, description: "Logout" });',
+      'router.add("GET",    "/api/v1/users/me",     users.getProfile, { auth: true, description: "Get profile" });',
+      'router.add("PATCH",  "/api/v1/users/me",     users.updateProfile, { auth: true, description: "Update profile" });',
+      'router.add("DELETE", "/api/v1/users/me",     users.deleteAccount, { auth: true, description: "Delete account" });',
+      "",
+      "// ── Server ──────────────────────────────────────────────────────────",
+      "const server = createServer({ config, router, tokenService, log });",
+      "",
+      "// ── Startup banner ──────────────────────────────────────────────────",
+      "const bootMs = performance.now() - startTime;",
+      "",
+      'const envBadge = config.nodeEnv === "production"',
+      '  ? "\\x1b[42m\\x1b[30m PRODUCTION \\x1b[0m"',
+      '  : "\\x1b[46m\\x1b[30m DEVELOPMENT \\x1b[0m";',
+      "",
+      'console.log("");',
+      'console.log(bold(cyan("  ┌─────────────────────────────────────────┐")));',
+      'console.log(bold(cyan("  │")) + "                                           " + bold(cyan("│")));',
+      `console.log(bold(cyan("  │")) + "   " + bold(white("⚡ " + ${JSON.stringify(projectName)})) + "                      " + bold(cyan("│")));`,
+      'console.log(bold(cyan("  │")) + "   " + dim(gray("Built with onlyApi")) + "                  " + bold(cyan("│")));',
+      'console.log(bold(cyan("  │")) + "                                           " + bold(cyan("│")));',
+      'console.log(bold(cyan("  └─────────────────────────────────────────┘")));',
+      'console.log("");',
+      'console.log("  " + envBadge + "  " + dim("booted in") + " " + bold(green(bootMs.toFixed(0) + "ms")));',
+      'console.log("");',
+      'console.log("  " + bold(white("→")) + " " + dim("Local:") + "    " + bold(cyan("http://localhost:" + config.port)));',
+      'console.log("  " + bold(white("→")) + " " + dim("Network:") + "  " + bold(cyan("http://" + config.host + ":" + config.port)));',
+      'console.log("  " + bold(white("→")) + " " + dim("SQLite:") + "   " + dim(config.databasePath));',
+      'console.log("");',
+      "",
+      "// Process info",
+      'console.log("  " + gray("├─") + " " + dim("PID") + "           " + white(String(process.pid)));',
+      'console.log("  " + gray("├─") + " " + dim("Runtime") + "       " + magenta("Bun " + Bun.version));',
+      'console.log("  " + gray("├─") + " " + dim("TypeScript") + "    " + blue("strict"));',
+      'console.log("  " + gray("├─") + " " + dim("Rate limit") + "    " + white(config.rateLimitMax + " req/" + (config.rateLimitWindowMs / 1000) + "s"));',
+      'console.log("  " + gray("└─") + " " + dim("Log level") + "     " + white(config.logLevel));',
+      'console.log("");',
+      "",
+      "// Route table",
+      "const allRoutes = router.routes();",
+      'console.log("  " + bold(white("Routes")) + " " + dim("(" + allRoutes.length + ")"));',
+      'console.log("  " + gray("─".repeat(60)));',
+      "for (const r of allRoutes) {",
+      '  const lock = r.auth ? yellow("🔒") : "  ";',
+      "  const mc = (() => {",
+      "    switch (r.method) {",
+      '      case "GET":    return green(bold(r.method.padEnd(7)));',
+      '      case "POST":   return cyan(bold(r.method.padEnd(7)));',
+      '      case "PATCH":  return yellow(bold(r.method.padEnd(7)));',
+      '      case "DELETE": return "\\x1b[31m\\x1b[1m" + r.method.padEnd(7) + "\\x1b[0m";',
+      "      default:       return white(bold(r.method.padEnd(7)));",
+      "    }",
+      "  })();",
+      '  console.log("  " + lock + " " + mc + " " + r.path.padEnd(30) + " " + dim(gray(r.description)));',
+      "}",
+      'console.log("  " + gray("─".repeat(60)));',
+      'console.log("");',
+      'console.log("  " + dim("press Ctrl+C to stop"));',
+      'console.log("");',
+      "",
+      "// ── Graceful shutdown ─────────────────────────────────────────────",
+      "const shutdown = () => {",
+      '  log.info("Shutting down...");',
+      "  server.stop();",
+      "  db.close();",
+      "  process.exit(0);",
+      "};",
+      "",
+      'process.on("SIGINT", shutdown);',
+      'process.on("SIGTERM", shutdown);',
+      "",
+    ].join("\n"),
+  },
+
+  // ── src/config.ts ───────────────────────────────────────────────────
+  {
+    path: "src/config.ts",
+    content: `import { z } from "zod";
+
+const configSchema = z.object({
+  port: z.coerce.number().default(3000),
+  host: z.string().default("0.0.0.0"),
+  nodeEnv: z.enum(["development", "production"]).default("development"),
+  jwt: z.object({
+    secret: z.string().min(32, "JWT_SECRET must be at least 32 characters"),
+    expiresIn: z.string().default("15m"),
+  }),
+  databasePath: z.string().default("data/app.sqlite"),
+  logLevel: z.enum(["debug", "info", "warn", "error"]).default("debug"),
+  corsOrigins: z.string().default("*"),
+  rateLimitMax: z.coerce.number().default(100),
+  rateLimitWindowMs: z.coerce.number().default(60_000),
+});
+
+export type AppConfig = z.infer<typeof configSchema>;
+
+export const loadConfig = (): AppConfig => {
+  const result = configSchema.safeParse({
+    port: Bun.env.PORT,
+    host: Bun.env.HOST,
+    nodeEnv: Bun.env.NODE_ENV,
+    jwt: {
+      secret: Bun.env.JWT_SECRET,
+      expiresIn: Bun.env.JWT_EXPIRES_IN,
+    },
+    databasePath: Bun.env.DATABASE_PATH,
+    logLevel: Bun.env.LOG_LEVEL,
+    corsOrigins: Bun.env.CORS_ORIGINS,
+    rateLimitMax: Bun.env.RATE_LIMIT_MAX_REQUESTS,
+    rateLimitWindowMs: Bun.env.RATE_LIMIT_WINDOW_MS,
+  });
+
+  if (!result.success) {
+    const errors = result.error.issues
+      .map((i) => \`  ✗ \${i.path.join(".")} → \${i.message}\`)
+      .join("\\n");
+
+    console.error(\`\\n  CONFIG ERROR   Invalid configuration\\n\\n\${errors}\\n\`);
+    console.error("  Hint: Copy .env.example to .env and set the required values:\\n");
+    console.error("  $ cp .env.example .env\\n");
+    process.exit(1);
+  }
+
+  return result.data;
+};
+`,
+  },
+
+  // ── src/database.ts ─────────────────────────────────────────────────
+  {
+    path: "src/database.ts",
+    content: [
+      'import { Database } from "bun:sqlite";',
+      'import { existsSync, mkdirSync } from "node:fs";',
+      'import { dirname } from "node:path";',
+      'import type { Logger } from "./logger.js";',
+      "",
+      "export const createDatabase = (dbPath: string, log: Logger): Database => {",
+      "  const dir = dirname(dbPath);",
+      "  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });",
+      "",
+      "  const db = new Database(dbPath, { create: true });",
+      "",
+      '  db.exec("PRAGMA journal_mode = WAL");',
+      '  db.exec("PRAGMA synchronous = NORMAL");',
+      '  db.exec("PRAGMA foreign_keys = ON");',
+      "",
+      "  migrate(db, log, dbPath);",
+      "  return db;",
+      "};",
+      "",
+      "const migrate = (db: Database, log: Logger, dbPath: string): void => {",
+      "  db.exec(`",
+      "    CREATE TABLE IF NOT EXISTS users (",
+      "      id         TEXT PRIMARY KEY,",
+      "      email      TEXT NOT NULL UNIQUE,",
+      "      password   TEXT NOT NULL,",
+      "      name       TEXT NOT NULL DEFAULT '',",
+      "      role       TEXT NOT NULL DEFAULT 'user',",
+      "      created_at TEXT NOT NULL DEFAULT (datetime('now')),",
+      "      updated_at TEXT NOT NULL DEFAULT (datetime('now'))",
+      "    )",
+      "  `);",
+      "",
+      "  db.exec(`",
+      "    CREATE TABLE IF NOT EXISTS token_blacklist (",
+      "      token_id   TEXT PRIMARY KEY,",
+      "      expires_at TEXT NOT NULL",
+      "    )",
+      "  `);",
+      "",
+      '  log.info("SQLite database ready", { path: dbPath });',
+      "};",
+      "",
+    ].join("\n"),
+  },
+
+  // ── src/server.ts ───────────────────────────────────────────────────
+  {
+    path: "src/server.ts",
+    content: [
+      'import type { AppConfig } from "./config.js";',
+      'import type { Logger } from "./logger.js";',
+      'import { formatRequest } from "./logger.js";',
+      'import type { Router } from "./router.js";',
+      'import type { TokenService } from "./utils/token.js";',
+      'import { authenticate } from "./middleware/auth.js";',
+      'import { json } from "./utils/response.js";',
+      "",
+      "interface ServerDeps {",
+      "  config: AppConfig;",
+      "  router: Router;",
+      "  tokenService: TokenService;",
+      "  log: Logger;",
+      "}",
+      "",
+      "export const createServer = (deps: ServerDeps) => {",
+      "  const { config, router, tokenService, log } = deps;",
+      "",
+      "  // ── Rate limiting (in-memory) ──────────────────────────────────",
+      "  const hits = new Map<string, { count: number; resetAt: number }>();",
+      "",
+      "  const isRateLimited = (ip: string): boolean => {",
+      "    const now = Date.now();",
+      "    const entry = hits.get(ip);",
+      "    if (!entry || now > entry.resetAt) {",
+      "      hits.set(ip, { count: 1, resetAt: now + config.rateLimitWindowMs });",
+      "      return false;",
+      "    }",
+      "    entry.count++;",
+      "    return entry.count > config.rateLimitMax;",
+      "  };",
+      "",
+      "  // ── CORS headers ───────────────────────────────────────────────",
+      "  const corsHeaders = (origin: string | null): Record<string, string> => {",
+      '    const allowed = config.corsOrigins === "*" || (origin && config.corsOrigins.includes(origin));',
+      "    return {",
+      '      "Access-Control-Allow-Origin": allowed ? (origin ?? "*") : "",',
+      '      "Access-Control-Allow-Methods": "GET, POST, PATCH, DELETE, OPTIONS",',
+      '      "Access-Control-Allow-Headers": "Content-Type, Authorization",',
+      '      "Access-Control-Max-Age": "86400",',
+      "    };",
+      "  };",
+      "",
+      "  // ── Server ─────────────────────────────────────────────────────",
+      "  const server = Bun.serve({",
+      "    port: config.port,",
+      "    hostname: config.host,",
+      "",
+      "    async fetch(req) {",
+      "      const start = performance.now();",
+      "      const url = new URL(req.url);",
+      "      const { pathname } = url;",
+      "      const method = req.method;",
+      '      const origin = req.headers.get("origin");',
+      '      const ip = server.requestIP(req)?.address ?? "unknown";',
+      "",
+      "      // CORS preflight",
+      '      if (method === "OPTIONS") {',
+      "        return new Response(null, { status: 204, headers: corsHeaders(origin) });",
+      "      }",
+      "",
+      "      // Rate limiting",
+      "      if (isRateLimited(ip)) {",
+      "        const dur = performance.now() - start;",
+      "        console.log(formatRequest(method, pathname, 429, dur, ip));",
+      '        return json({ error: "Too many requests" }, 429, corsHeaders(origin));',
+      "      }",
+      "",
+      "      try {",
+      "        const match = router.match(method, pathname);",
+      "",
+      "        if (!match) {",
+      "          const dur = performance.now() - start;",
+      "          console.log(formatRequest(method, pathname, 404, dur, ip));",
+      '          return json({ error: "Not found" }, 404, corsHeaders(origin));',
+      "        }",
+      "",
+      "        // Auth check",
+      "        if (match.auth) {",
+      "          const authResult = await authenticate(req, tokenService);",
+      "          if (!authResult.ok) {",
+      "            const dur = performance.now() - start;",
+      "            console.log(formatRequest(method, pathname, 401, dur, ip));",
+      "            return json({ error: authResult.error }, 401, corsHeaders(origin));",
+      "          }",
+      "          // Inject userId into request via header",
+      '          req.headers.set("x-user-id", authResult.userId);',
+      "        }",
+      "",
+      "        const response = await match.handler(req);",
+      "",
+      "        // Add CORS headers",
+      "        const headers = corsHeaders(origin);",
+      "        for (const [k, v] of Object.entries(headers)) {",
+      "          response.headers.set(k, v);",
+      "        }",
+      "",
+      "        const dur = performance.now() - start;",
+      "        console.log(formatRequest(method, pathname, response.status, dur, ip));",
+      "        return response;",
+      "      } catch (err) {",
+      '        log.error("Unhandled error", { path: pathname, error: String(err) });',
+      "        const dur = performance.now() - start;",
+      "        console.log(formatRequest(method, pathname, 500, dur, ip));",
+      '        return json({ error: "Internal server error" }, 500, corsHeaders(origin));',
+      "      }",
+      "    },",
+      "  });",
+      "",
+      "  return server;",
+      "};",
+      "",
+    ].join("\n"),
+  },
+
+  // ── src/handlers/health.handler.ts ──────────────────────────────────
+  {
+    path: "src/handlers/health.handler.ts",
+    content: `import { json } from "../utils/response.js";
+
+export const healthHandler = () => ({
+  check: (): Response =>
+    json({ status: "ok", uptime: process.uptime() }),
+});
+`,
+  },
+
+  // ── src/handlers/auth.handler.ts ────────────────────────────────────
+  {
+    path: "src/handlers/auth.handler.ts",
+    content: `import type { AuthService } from "../services/auth.service.js";
+import { json } from "../utils/response.js";
+import { z } from "zod";
+
+const registerSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8),
+  name: z.string().min(1).optional(),
+});
+
+const loginSchema = z.object({
+  email: z.string().email(),
+  password: z.string(),
+});
+
+export const authHandlers = (authService: AuthService) => ({
+  register: async (req: Request): Promise<Response> => {
+    const body = registerSchema.safeParse(await req.json());
+    if (!body.success) return json({ error: body.error.issues }, 400);
+
+    const result = await authService.register(body.data);
+    if (!result.ok) return json({ error: result.error }, 409);
+
+    return json({ data: result.data }, 201);
+  },
+
+  login: async (req: Request): Promise<Response> => {
+    const body = loginSchema.safeParse(await req.json());
+    if (!body.success) return json({ error: body.error.issues }, 400);
+
+    const result = await authService.login(body.data.email, body.data.password);
+    if (!result.ok) return json({ error: result.error }, 401);
+
+    return json({ data: result.data });
+  },
+
+  logout: async (req: Request): Promise<Response> => {
+    const header = req.headers.get("authorization") ?? "";
+    const token = header.replace("Bearer ", "");
+
+    await authService.logout(token);
+    return json({ data: { message: "Logged out" } });
+  },
+});
+`,
+  },
+
+  // ── src/handlers/user.handler.ts ────────────────────────────────────
+  {
+    path: "src/handlers/user.handler.ts",
+    content: [
+      'import type { UserService } from "../services/user.service.js";',
+      'import { json } from "../utils/response.js";',
+      'import { z } from "zod";',
+      "",
+      "const updateSchema = z.object({",
+      "  name: z.string().min(1).optional(),",
+      "  email: z.string().email().optional(),",
+      "});",
+      "",
+      "export const userHandlers = (userService: UserService) => ({",
+      "  getProfile: async (req: Request): Promise<Response> => {",
+      '    const userId = req.headers.get("x-user-id") ?? "";',
+      "    const user = userService.findById(userId);",
+      '    if (!user) return json({ error: "User not found" }, 404);',
+      "",
+      "    const { password: _, ...profile } = user;",
+      "    return json({ data: profile });",
+      "  },",
+      "",
+      "  updateProfile: async (req: Request): Promise<Response> => {",
+      '    const userId = req.headers.get("x-user-id") ?? "";',
+      "    const body = updateSchema.safeParse(await req.json());",
+      "    if (!body.success) return json({ error: body.error.issues }, 400);",
+      "",
+      "    const updated = userService.update(userId, body.data);",
+      '    if (!updated) return json({ error: "User not found" }, 404);',
+      "",
+      "    const { password: _, ...profile } = updated;",
+      "    return json({ data: profile });",
+      "  },",
+      "",
+      "  deleteAccount: async (req: Request): Promise<Response> => {",
+      '    const userId = req.headers.get("x-user-id") ?? "";',
+      "    const deleted = userService.delete(userId);",
+      '    if (!deleted) return json({ error: "User not found" }, 404);',
+      "",
+      '    return json({ data: { message: "Account deleted" } });',
+      "  },",
+      "});",
+      "",
+    ].join("\n"),
+  },
+
+  // ── src/middleware/auth.ts ──────────────────────────────────────────
+  {
+    path: "src/middleware/auth.ts",
+    content: `import type { TokenService } from "../utils/token.js";
+
+type AuthResult =
+  | { ok: true; userId: string }
+  | { ok: false; error: string };
+
+export const authenticate = async (
+  req: Request,
+  tokenService: TokenService,
+): Promise<AuthResult> => {
+  const header = req.headers.get("authorization");
+  if (!header?.startsWith("Bearer ")) {
+    return { ok: false, error: "Missing or invalid Authorization header" };
+  }
+
+  const token = header.slice(7);
+  const payload = tokenService.verify(token);
+
+  if (!payload) {
+    return { ok: false, error: "Invalid or expired token" };
+  }
+
+  if (tokenService.isBlacklisted(payload.jti)) {
+    return { ok: false, error: "Token has been revoked" };
+  }
+
+  return { ok: true, userId: payload.sub };
+};
+`,
+  },
+
+  // ── src/services/auth.service.ts ────────────────────────────────────
+  {
+    path: "src/services/auth.service.ts",
+    content: `import type { Database } from "bun:sqlite";
+import type { PasswordHasher } from "../utils/password.js";
+import type { TokenService } from "../utils/token.js";
+
+type Result<T> = { ok: true; data: T } | { ok: false; error: string };
+
+interface RegisterInput {
+  email: string;
+  password: string;
+  name?: string;
+}
+
+export interface AuthService {
+  register(input: RegisterInput): Promise<Result<{ id: string; email: string; token: string }>>;
+  login(email: string, password: string): Promise<Result<{ token: string; user: { id: string; email: string; name: string } }>>;
+  logout(token: string): Promise<void>;
+}
+
+export const createAuthService = (
+  db: Database,
+  passwordHasher: PasswordHasher,
+  tokenService: TokenService,
+): AuthService => ({
+  async register(input) {
+    const existing = db.query("SELECT id FROM users WHERE email = ?").get(input.email);
+    if (existing) return { ok: false, error: "Email already registered" };
+
+    const id = crypto.randomUUID();
+    const hashedPassword = await passwordHasher.hash(input.password);
+
+    db.query("INSERT INTO users (id, email, password, name) VALUES (?, ?, ?, ?)").run(
+      id, input.email, hashedPassword, input.name ?? "",
+    );
+
+    const token = tokenService.sign({ sub: id, email: input.email, role: "user" });
+    return { ok: true, data: { id, email: input.email, token } };
+  },
+
+  async login(email, password) {
+    const user = db
+      .query("SELECT id, email, password, name, role FROM users WHERE email = ?")
+      .get(email) as { id: string; email: string; password: string; name: string; role: string } | null;
+
+    if (!user) return { ok: false, error: "Invalid credentials" };
+
+    const valid = await passwordHasher.verify(user.password, password);
+    if (!valid) return { ok: false, error: "Invalid credentials" };
+
+    const token = tokenService.sign({ sub: user.id, email: user.email, role: user.role });
+    return {
+      ok: true,
+      data: { token, user: { id: user.id, email: user.email, name: user.name } },
+    };
+  },
+
+  async logout(token) {
+    const payload = tokenService.verify(token);
+    if (payload?.jti) {
+      tokenService.blacklist(payload.jti, payload.exp);
+    }
+  },
+});
+`,
+  },
+
+  // ── src/services/user.service.ts ────────────────────────────────────
+  {
+    path: "src/services/user.service.ts",
+    content: [
+      'import type { Database } from "bun:sqlite";',
+      'import type { PasswordHasher } from "../utils/password.js";',
+      "",
+      "interface User {",
+      "  id: string;",
+      "  email: string;",
+      "  password: string;",
+      "  name: string;",
+      "  role: string;",
+      "  created_at: string;",
+      "  updated_at: string;",
+      "}",
+      "",
+      "export interface UserService {",
+      "  findById(id: string): User | null;",
+      "  update(id: string, data: { name?: string; email?: string }): User | null;",
+      "  delete(id: string): boolean;",
+      "}",
+      "",
+      "export const createUserService = (db: Database, _passwordHasher: PasswordHasher): UserService => ({",
+      "  findById(id) {",
+      '    return db.query("SELECT * FROM users WHERE id = ?").get(id) as User | null;',
+      "  },",
+      "",
+      "  update(id, data) {",
+      "    const fields: string[] = [];",
+      "    const values: unknown[] = [];",
+      "",
+      "    if (data.name !== undefined) {",
+      '      fields.push("name = ?");',
+      "      values.push(data.name);",
+      "    }",
+      "    if (data.email !== undefined) {",
+      '      fields.push("email = ?");',
+      "      values.push(data.email);",
+      "    }",
+      "",
+      "    if (fields.length === 0) return this.findById(id);",
+      "",
+      "    fields.push(\"updated_at = datetime('now')\");",
+      "    values.push(id);",
+      "",
+      '    db.query("UPDATE users SET " + fields.join(", ") + " WHERE id = ?").run(...values);',
+      "    return this.findById(id);",
+      "  },",
+      "",
+      "  delete(id) {",
+      '    const result = db.query("DELETE FROM users WHERE id = ?").run(id);',
+      "    return result.changes > 0;",
+      "  },",
+      "});",
+      "",
+    ].join("\n"),
+  },
+
+  // ── src/utils/password.ts ───────────────────────────────────────────
+  {
+    path: "src/utils/password.ts",
+    content: `/**
+ * Password hashing using Bun's built-in Argon2id.
+ */
+export interface PasswordHasher {
+  hash(password: string): Promise<string>;
+  verify(hash: string, password: string): Promise<boolean>;
+}
+
+export const createPasswordHasher = (): PasswordHasher => ({
+  async hash(password) {
+    return Bun.password.hash(password, { algorithm: "argon2id" });
+  },
+
+  async verify(hash, password) {
+    return Bun.password.verify(password, hash);
+  },
+});
+`,
+  },
+
+  // ── src/utils/token.ts ──────────────────────────────────────────────
+  {
+    path: "src/utils/token.ts",
+    content: [
+      "/**",
+      " * JWT token service using Bun's native HMAC-SHA256.",
+      " */",
+      "",
+      "export interface TokenPayload {",
+      "  sub: string;",
+      "  jti: string;",
+      "  exp: number;",
+      "  [key: string]: unknown;",
+      "}",
+      "",
+      "export interface TokenService {",
+      "  sign(claims: Record<string, unknown>): string;",
+      "  verify(token: string): TokenPayload | null;",
+      "  blacklist(jti: string, exp: number): void;",
+      "  isBlacklisted(jti: string): boolean;",
+      "}",
+      "",
+      '// Parse duration string to seconds: "15m" → 900, "1h" → 3600, "7d" → 604800',
+      "const parseDuration = (duration: string): number => {",
+      "  const match = duration.match(/^(\\d+)([smhd])$/);",
+      "  if (!match) return 900; // default 15 minutes",
+      "  const value = Number.parseInt(match[1], 10);",
+      "  const unit = match[2];",
+      "  const multipliers: Record<string, number> = { s: 1, m: 60, h: 3600, d: 86400 };",
+      "  return value * (multipliers[unit] ?? 60);",
+      "};",
+      "",
+      "export const createTokenService = (secret: string, expiresIn: string): TokenService => {",
+      "  const key = new TextEncoder().encode(secret);",
+      "  const expiresInSec = parseDuration(expiresIn);",
+      "",
+      "  // In-memory blacklist with auto-cleanup",
+      "  const blacklisted = new Map<string, number>();",
+      "",
+      "  // Clean expired entries every 5 minutes",
+      "  setInterval(() => {",
+      "    const now = Math.floor(Date.now() / 1000);",
+      "    for (const [jti, exp] of blacklisted) {",
+      "      if (exp < now) blacklisted.delete(jti);",
+      "    }",
+      "  }, 5 * 60 * 1000).unref();",
+      "",
+      "  return {",
+      "    sign(claims) {",
+      "      const now = Math.floor(Date.now() / 1000);",
+      "      const jti = crypto.randomUUID();",
+      "      const payload = { ...claims, jti, iat: now, exp: now + expiresInSec };",
+      "",
+      "      // HMAC-SHA256 JWT",
+      '      const header = btoa(JSON.stringify({ alg: "HS256", typ: "JWT" }))',
+      '        .replace(/=/g, "").replace(/\\+/g, "-").replace(/\\//g, "_");',
+      "",
+      "      const body = btoa(JSON.stringify(payload))",
+      '        .replace(/=/g, "").replace(/\\+/g, "-").replace(/\\//g, "_");',
+      "",
+      '      const data = header + "." + body;',
+      '      const hmac = new Bun.CryptoHasher("sha256", key);',
+      "      hmac.update(data);",
+      '      const sig = Buffer.from(hmac.digest()).toString("base64url");',
+      "",
+      '      return data + "." + sig;',
+      "    },",
+      "",
+      "    verify(token) {",
+      "      try {",
+      '        const parts = token.split(".");',
+      "        if (parts.length !== 3) return null;",
+      "",
+      "        // Verify signature",
+      '        const data = parts[0] + "." + parts[1];',
+      '        const hmac = new Bun.CryptoHasher("sha256", key);',
+      "        hmac.update(data);",
+      '        const expected = Buffer.from(hmac.digest()).toString("base64url");',
+      "",
+      "        if (expected !== parts[2]) return null;",
+      "",
+      "        // Decode payload",
+      "        const payload = JSON.parse(",
+      '          Buffer.from(parts[1], "base64url").toString()',
+      "        ) as TokenPayload;",
+      "",
+      "        // Check expiry",
+      "        if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {",
+      "          return null;",
+      "        }",
+      "",
+      "        return payload;",
+      "      } catch {",
+      "        return null;",
+      "      }",
+      "    },",
+      "",
+      "    blacklist(jti, exp) {",
+      "      blacklisted.set(jti, exp);",
+      "    },",
+      "",
+      "    isBlacklisted(jti) {",
+      "      return blacklisted.has(jti);",
+      "    },",
+      "  };",
+      "};",
+      "",
+    ].join("\n"),
+  },
+
+  // ── src/utils/response.ts ───────────────────────────────────────────
+  {
+    path: "src/utils/response.ts",
+    content: `/**
+ * JSON response helper.
+ */
+export const json = (
+  body: unknown,
+  status = 200,
+  extraHeaders?: Record<string, string>,
+): Response => {
+  const headers: Record<string, string> = {
+    "Content-Type": "application/json; charset=utf-8",
+    ...extraHeaders,
+  };
+
+  return new Response(JSON.stringify(body), { status, headers });
+};
+`,
+  },
+
+  // ── tests/health.test.ts ────────────────────────────────────────────
+  {
+    path: "tests/health.test.ts",
+    content: `import { describe, expect, it } from "bun:test";
+
+describe("Health check", () => {
+  it("should return ok", async () => {
+    const response = await fetch("http://localhost:3000/health");
+    expect(response.status).toBe(200);
+
+    const data = await response.json();
+    expect(data.status).toBe("ok");
+  });
+});
+`,
+  },
+];