@etus/bhono-app 0.1.4 → 0.1.6

package/templates/base/scripts/init.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # BHono - Development Environment Setup
-# This script bootstraps dependencies, configures Cloudflare bindings,
+# Bootstraps dependencies, configures Cloudflare bindings,
 # seeds the local D1 (sqlite) database, and starts the dev server.
 
 set -euo pipefail
@@ -19,6 +19,10 @@ cd "$ROOT_DIR"
 UPDATE_PACKAGES=0
 SKIP_DEV=0
 SKIP_PROVISION=0
+SKIP_SEED=0
+DEV_PORT=""
+GOOGLE_CLIENT_ID_ARG=""
+GOOGLE_CLIENT_SECRET_ARG=""
 
 while [[ $# -gt 0 ]]; do
   case "$1" in
@@ -31,6 +35,54 @@ while [[ $# -gt 0 ]]; do
     --no-provision)
       SKIP_PROVISION=1
       ;;
+    --skip-seed)
+      SKIP_SEED=1
+      ;;
+    --port)
+      DEV_PORT="$2"
+      shift
+      ;;
+    --port=*)
+      DEV_PORT="${1#*=}"
+      ;;
+    --google-id)
+      GOOGLE_CLIENT_ID_ARG="$2"
+      shift
+      ;;
+    --google-id=*)
+      GOOGLE_CLIENT_ID_ARG="${1#*=}"
+      ;;
+    --google-secret)
+      GOOGLE_CLIENT_SECRET_ARG="$2"
+      shift
+      ;;
+    --google-secret=*)
+      GOOGLE_CLIENT_SECRET_ARG="${1#*=}"
+      ;;
+    --help|-h)
+      echo ""
+      echo "BHono - Development Environment Setup"
+      echo ""
+      echo "Usage: ./scripts/init.sh [OPTIONS]"
+      echo ""
+      echo "Options:"
+      echo "  --port PORT           Set dev server port (default: 8787)"
+      echo "  --google-id ID        Set Google OAuth Client ID"
+      echo "  --google-secret SEC   Set Google OAuth Client Secret"
+      echo "  --no-provision        Skip Cloudflare resource provisioning"
+      echo "  --skip-dev            Don't start dev server after setup"
+      echo "  --skip-seed           Skip database seeding"
+      echo "  --update              Update dependencies"
+      echo "  --help, -h            Show this help message"
+      echo ""
+      echo "Examples:"
+      echo "  ./scripts/init.sh"
+      echo "  ./scripts/init.sh --port 3000"
+      echo "  ./scripts/init.sh --port 8787 --google-id 'xxx.apps.googleusercontent.com' --google-secret 'GOCSPX-xxx'"
+      echo "  CLOUDFLARE_ACCOUNT_ID=xxx ./scripts/init.sh"
+      echo ""
+      exit 0
+      ;;
     *)
       echo -e "${YELLOW}Ignoring unknown argument: $1${NC}"
       ;;
@@ -38,6 +90,9 @@ while [[ $# -gt 0 ]]; do
   shift
  done
 
+# Set default port if not specified
+DEV_PORT="${DEV_PORT:-8787}"
+
 log_info() { echo -e "${BLUE}$*${NC}"; }
 log_ok() { echo -e "${GREEN}$*${NC}"; }
 log_warn() { echo -e "${YELLOW}$*${NC}"; }
@@ -110,6 +165,38 @@ fi
 
 log_ok "Project name: $PROJECT_NAME"
 
+# ============================================================================
+# FIX PROJECT NAME IN ALL CONFIG FILES (handles "." issue from bhono-app)
+# ============================================================================
+log_info "Fixing project name in config files..."
+
+# Fix package.json if name is "." or empty
+if [[ -f package.json ]]; then
+  PROJECT_NAME="$PROJECT_NAME" node -e "
+    const fs = require('fs');
+    const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));
+    if (pkg.name === '.' || pkg.name === '' || !pkg.name) {
+      pkg.name = process.env.PROJECT_NAME;
+      fs.writeFileSync('package.json', JSON.stringify(pkg, null, 2));
+      console.log('  Fixed package.json name');
+    }
+  " 2>/dev/null || true
+fi
+
+# Fix etus.config.json if name is "." or empty
+if [[ -f etus.config.json ]]; then
+  PROJECT_NAME="$PROJECT_NAME" node -e "
+    const fs = require('fs');
+    const data = JSON.parse(fs.readFileSync('etus.config.json', 'utf8'));
+    if (data.name === '.' || data.name === '' || !data.name) {
+      data.name = process.env.PROJECT_NAME;
+      data.domain = process.env.PROJECT_NAME + '.com';
+      fs.writeFileSync('etus.config.json', JSON.stringify(data, null, 2));
+      console.log('  Fixed etus.config.json name');
+    }
+  " 2>/dev/null || true
+fi
+
 # Ensure wrangler.json exists
 if [[ ! -f config/wrangler.json ]]; then
   log_err "Missing config/wrangler.json"
@@ -147,9 +234,120 @@ if (!data.name || data.name.includes('{{projectName}}')) {
 fs.writeFileSync(path, JSON.stringify(data, null, 2));
 NODE
 
+# ============================================================================
+# FIX VITE.CONFIG.TS (configPath + server port)
+# ============================================================================
+log_info "Checking vite.config.ts..."
+
+if [[ -f vite.config.ts ]]; then
+  VITE_UPDATED=0
+
+  # Add configPath to cloudflare plugin if not present
+  if ! grep -q "configPath:" vite.config.ts; then
+    sed -i.bak 's/cloudflare()/cloudflare({\n      configPath: ".\\/config\\/wrangler.json",\n    })/g' vite.config.ts
+    rm -f vite.config.ts.bak
+    VITE_UPDATED=1
+    log_ok "  Added configPath to cloudflare plugin"
+  fi
+
+  # Add server port if not present
+  if ! grep -q "server:" vite.config.ts; then
+    sed -i.bak "s/export default defineConfig({/export default defineConfig({\n  server: {\n    port: $DEV_PORT,\n  },/g" vite.config.ts
+    rm -f vite.config.ts.bak
+    VITE_UPDATED=1
+    log_ok "  Added server port $DEV_PORT"
+  fi
+
+  [[ "$VITE_UPDATED" -eq 0 ]] && log_ok "  vite.config.ts already configured"
+fi
+
+# ============================================================================
+# CREATE/UPDATE CONFIG/.DEV.VARS
+# ============================================================================
+log_info "Checking config/.dev.vars..."
+
+# Determine Google OAuth credentials
+GOOGLE_ID="${GOOGLE_CLIENT_ID_ARG:-seu-google-client-id}"
+GOOGLE_SECRET="${GOOGLE_CLIENT_SECRET_ARG:-seu-google-client-secret}"
+
+if [[ ! -f config/.dev.vars ]]; then
+  # Generate a random JWT secret
+  JWT_RAND=$(openssl rand -hex 16 2>/dev/null || node -e "console.log(require('crypto').randomBytes(16).toString('hex'))")
+
+  cat > config/.dev.vars << EOF
+# Environment
+ENVIRONMENT=development
+APP_URL=http://localhost:$DEV_PORT
+
+# JWT Configuration (IMPORTANTE: mínimo 32 caracteres)
+JWT_SECRET=super-secret-jwt-key-with-at-least-32-chars-${JWT_RAND}
+JWT_EXPIRY_MINUTES=15
+
+# Google OAuth
+GOOGLE_CLIENT_ID=$GOOGLE_ID
+GOOGLE_CLIENT_SECRET=$GOOGLE_SECRET
+GOOGLE_REDIRECT_URI=http://localhost:$DEV_PORT/auth/callback
+
+# Refresh Token
+REFRESH_TOKEN_EXPIRY_DAYS=30
+
+# SendGrid (opcional para desenvolvimento)
+SENDGRID_API_KEY=your-sendgrid-api-key
+SENDGRID_FROM_EMAIL=noreply@example.com
+EOF
+  log_ok "  config/.dev.vars created"
+
+  if [[ "$GOOGLE_ID" == "seu-google-client-id" ]]; then
+    log_warn "  IMPORTANTE: Edite config/.dev.vars com suas credenciais Google OAuth!"
+  else
+    log_ok "  Google OAuth credentials configured"
+  fi
+else
+  # Update Google credentials if provided via arguments
+  if [[ -n "$GOOGLE_CLIENT_ID_ARG" ]]; then
+    sed -i.bak "s|GOOGLE_CLIENT_ID=.*|GOOGLE_CLIENT_ID=$GOOGLE_CLIENT_ID_ARG|g" config/.dev.vars
+    rm -f config/.dev.vars.bak
+    log_ok "  Updated GOOGLE_CLIENT_ID"
+  fi
+  if [[ -n "$GOOGLE_CLIENT_SECRET_ARG" ]]; then
+    sed -i.bak "s|GOOGLE_CLIENT_SECRET=.*|GOOGLE_CLIENT_SECRET=$GOOGLE_CLIENT_SECRET_ARG|g" config/.dev.vars
+    rm -f config/.dev.vars.bak
+    log_ok "  Updated GOOGLE_CLIENT_SECRET"
+  fi
+
+  # Ensure APP_URL is set for local development
+  if ! grep -q "APP_URL=http://localhost" config/.dev.vars; then
+    echo "" >> config/.dev.vars
+    echo "# Added by init.sh" >> config/.dev.vars
+    echo "APP_URL=http://localhost:$DEV_PORT" >> config/.dev.vars
+    log_ok "  Added APP_URL to config/.dev.vars"
+  fi
+
+  # Update redirect URI if port changed
+  if ! grep -q "GOOGLE_REDIRECT_URI=http://localhost:$DEV_PORT" config/.dev.vars; then
+    sed -i.bak "s|GOOGLE_REDIRECT_URI=http://localhost:[0-9]*|GOOGLE_REDIRECT_URI=http://localhost:$DEV_PORT|g" config/.dev.vars
+    rm -f config/.dev.vars.bak
+  fi
+fi
+
+# ============================================================================
+# UPDATE .GITIGNORE FOR SECURITY
+# ============================================================================
+log_info "Checking .gitignore..."
+
+if [[ -f .gitignore ]]; then
+  if ! grep -q "config/.dev.vars" .gitignore; then
+    echo "config/.dev.vars" >> .gitignore
+    log_ok "  Added config/.dev.vars to .gitignore"
+  fi
+fi
+
 WRANGLER="pnpm exec wrangler"
+WRANGLER_CONFIG="$WRANGLER --config config/wrangler.json"
+WRANGLER_AVAILABLE=1
 if ! $WRANGLER --version >/dev/null 2>&1; then
-  log_warn "Wrangler not available. Ensure dependencies are installed."
+  WRANGLER_AVAILABLE=0
+  log_warn "Wrangler not available. Cloudflare steps will be skipped."
 fi
 
 # Resolve names from wrangler.json
@@ -158,6 +356,8 @@ if [[ -z "$DB_NAME" ]]; then
   DB_NAME="${PROJECT_NAME}-db"
 fi
 
+DB_BINDING=$(node -e "const c=require('./config/wrangler.json'); console.log((c.d1_databases&&c.d1_databases[0]&&c.d1_databases[0].binding)||'DB');")
+
 R2_BUCKET=$(node -e "const c=require('./config/wrangler.json'); console.log((c.r2_buckets&&c.r2_buckets[0]&&c.r2_buckets[0].bucket_name)||'');")
 if [[ -z "$R2_BUCKET" ]]; then
   R2_BUCKET="${PROJECT_NAME}-storage"
@@ -171,7 +371,7 @@ KV_ID=$(node -e "const c=require('./config/wrangler.json'); console.log((c.kv_na
 if [[ "$D1_ID" == "TO_BE_PROVISIONED" ]]; then D1_ID=""; fi
 if [[ "$KV_ID" == "TO_BE_PROVISIONED" ]]; then KV_ID=""; fi
 
-if [[ "$SKIP_PROVISION" -eq 0 ]]; then
+if [[ "$SKIP_PROVISION" -eq 0 && "$WRANGLER_AVAILABLE" -eq 1 ]]; then
   if $WRANGLER whoami >/dev/null 2>&1; then
     log_info "Provisioning Cloudflare resources (D1, KV, R2)..."
 
@@ -239,47 +439,84 @@ NODE
 log_info "Generating Cloudflare types..."
 pnpm cf-typegen >/dev/null 2>&1 || log_warn "Skipping cf-typegen (wrangler not configured)"
 
-# Ensure local D1 exists and update drizzle config
+# Ensure local D1 exists
 log_info "Preparing local D1 database..."
-$WRANGLER d1 execute "$DB_NAME" --local --command "SELECT 1;" >/dev/null 2>&1 || true
+if [[ "$WRANGLER_AVAILABLE" -eq 1 ]]; then
+  $WRANGLER_CONFIG d1 execute "$DB_NAME" --local --command "SELECT 1;" >/dev/null 2>&1 || log_warn "Local D1 init failed (continuing)."
+fi
 
-D1_ID_FROM_CONFIG=$(node -e "const c=require('./config/wrangler.json'); console.log((c.d1_databases&&c.d1_databases[0]&&c.d1_databases[0].database_id)||'');")
-if [[ -n "$D1_ID_FROM_CONFIG" ]]; then
-  LOCAL_DB_PATH=".wrangler/state/v3/d1/miniflare-D1DatabaseObject/${D1_ID_FROM_CONFIG}.sqlite"
-  DRIZZLE_DB_URL="../${LOCAL_DB_PATH}"
+# Apply schema.sql and seed
+DB_BOOTSTRAP_OK=0
+SEED_OK=0
 
-  if [[ -f config/drizzle.config.ts ]]; then
-    DRIZZLE_DB_URL="$DRIZZLE_DB_URL" node - <<'NODE'
-const fs = require('fs');
-const path = 'config/drizzle.config.ts';
-const nextUrl = process.env.DRIZZLE_DB_URL;
-let content = fs.readFileSync(path, 'utf8');
-const pattern = /url:\s*['"][^'"]*\.sqlite['"]/;
-if (pattern.test(content)) {
-  content = content.replace(pattern, `url: '${nextUrl}'`);
-} else {
-  // Fallback: append url if not found
-  content = content.replace('dbCredentials: {', `dbCredentials: {\n    url: '${nextUrl}',`);
-}
-fs.writeFileSync(path, content);
-NODE
-    log_ok "Updated config/drizzle.config.ts with local DB path."
+if [[ "$WRANGLER_AVAILABLE" -eq 1 ]]; then
+  log_info "Applying schema.sql to local D1..."
+  if pnpm db:schema:local >/tmp/bhono-db-schema.log 2>&1; then
+    DB_BOOTSTRAP_OK=1
+  else
+    log_warn "Schema apply failed."
+    tail -n 20 /tmp/bhono-db-schema.log || true
   fi
 else
-  log_warn "D1 id not found in wrangler.json. Skipping drizzle config update."
+  log_warn "Wrangler not available. Skipping schema apply."
 fi
 
-# Push schema (no migrations) and seed
-log_info "Pushing schema to local D1..."
-pnpm db:push >/dev/null 2>&1 || log_warn "Schema push skipped (check drizzle config and local D1)."
+if [[ "$SKIP_SEED" -eq 0 ]]; then
+  if [[ "$WRANGLER_AVAILABLE" -eq 1 ]]; then
+    log_info "Seeding local D1..."
+    if pnpm db:seed:local >/tmp/bhono-seed.log 2>&1; then
+      SEED_OK=1
+    else
+      log_warn "Seed apply failed."
+      tail -n 20 /tmp/bhono-seed.log || true
+    fi
+  else
+    log_warn "Wrangler not available. Skipping seed apply."
+  fi
+else
+  log_warn "Skipping seed step (--skip-seed)."
+fi
 
-log_info "Generating seed data..."
-pnpm db:seed >/dev/null
+rm -f /tmp/bhono-db-schema.log /tmp/bhono-seed.log >/dev/null 2>&1 || true
+
+# ============================================================================
+# SYNC DATABASES (handle plugin hash mismatch)
+# ============================================================================
+# The Cloudflare Vite plugin creates SQLite with a hash based on config,
+# not the database_id. We need to sync all databases after seeding.
+log_info "Synchronizing database files..."
+
+SQLITE_DIR=".wrangler/state/v3/d1/miniflare-D1DatabaseObject"
+if [[ -d "$SQLITE_DIR" ]]; then
+  SQLITE_FILES=$(find "$SQLITE_DIR" -name "*.sqlite" -not -name "*-shm" -not -name "*-wal" 2>/dev/null || true)
+  if [[ -n "$SQLITE_FILES" ]]; then
+    # Find the database with actual tables (largest file usually has data)
+    MAIN_DB=$(ls -S $SQLITE_FILES 2>/dev/null | head -1)
+
+    if [[ -n "$MAIN_DB" ]]; then
+      # Check if main DB has tables
+      HAS_TABLES=$(sqlite3 "$MAIN_DB" ".tables" 2>/dev/null | wc -w || echo "0")
+
+      if [[ "$HAS_TABLES" -gt 0 ]]; then
+        for DB in $SQLITE_FILES; do
+          if [[ "$DB" != "$MAIN_DB" ]]; then
+            cp "$MAIN_DB" "$DB" 2>/dev/null || true
+          fi
+        done
+        log_ok "  Synced $(echo "$SQLITE_FILES" | wc -l | tr -d ' ') database files"
+      else
+        log_warn "  Main database has no tables. Skipping sync."
+      fi
+    fi
+  fi
+fi
 
-log_info "Seeding local D1..."
-$WRANGLER d1 execute "$DB_NAME" --local --file=seed.sql >/dev/null 2>&1 || log_warn "Seed failed (check local D1)."
+if [[ "$DB_BOOTSTRAP_OK" -eq 1 && ( "$SEED_OK" -eq 1 || "$SKIP_SEED" -eq 1 ) ]]; then
+  log_ok "Local D1 ready with schema${SKIP_SEED:+ (seed skipped)}."
+else
+  log_warn "Local D1 setup incomplete. Review warnings above."
+fi
 
-log_ok "Local D1 ready with seed data."
 log_info "Seed data is defined in src/server/db/seed.ts (customize as needed)."
 
 if [[ "$SKIP_DEV" -eq 0 ]]; then

package/templates/base/src/client/hooks/use-auth.ts

@@ -27,7 +27,12 @@ export function useAuth() {
     queryKey: ['auth', 'me'],
     queryFn: fetchMe,
     retry: false,
+    // Balance between reducing API calls and detecting expired sessions
     staleTime: 1000 * 60 * 5, // 5 minutes
+    gcTime: 1000 * 60 * 30, // 30 minutes
+    refetchOnMount: false, // Avoid redundant calls on component mount
+    refetchOnWindowFocus: true, // Re-check when user returns to tab (industry standard)
+    refetchOnReconnect: true, // Re-check after network reconnection
   })
 
   const logoutMutation = useMutation({

package/templates/base/src/client/routes/_authenticated/dashboard.tsx

@@ -82,7 +82,7 @@ function DashboardPage() {
           </CardHeader>
           <CardContent>
             <p className="text-sm text-muted-foreground">
-              Built with Drizzle ORM for type-safe database queries.
+              Built with SQL-first access to Cloudflare D1.
             </p>
           </CardContent>
         </Card>

package/templates/base/src/client/routes/index.tsx

@@ -100,7 +100,7 @@ function HomePage() {
               <TechBadge name="Hono" />
               <TechBadge name="React" />
               <TechBadge name="TypeScript" />
-              <TechBadge name="Drizzle" />
+              <TechBadge name="SQL" />
               <TechBadge name="Tailwind" />
               <TechBadge name="Cloudflare" />
             </div>

package/templates/base/src/server/db/client.ts

@@ -1,12 +1,10 @@
 // src/server/db/client.ts
-import { drizzle } from 'drizzle-orm/d1'
-import * as schema from './schema'
 
 export function createDb(d1: D1Database) {
-  return drizzle(d1, { schema })
+  return d1
 }
 
-export type Database = ReturnType<typeof createDb>
+export type Database = D1Database
 
 // For use in middleware - db instance per request
-export type DbInstance = Database
+export type DbInstance = D1Database

package/templates/base/src/server/db/records.ts

@@ -0,0 +1,81 @@
+// src/server/db/records.ts
+
+export type UserStatus = 'active' | 'inactive'
+
+export interface UserRecord {
+  id: string
+  googleId: string
+  email: string
+  name: string
+  avatarUrl: string | null
+  status: UserStatus
+  providerIds: string[]
+  isSuperAdmin: boolean
+  createdAt: string
+  updatedAt: string
+  deletedAt: string | null
+  createdById?: string | null
+  updatedById?: string | null
+  deletedById?: string | null
+}
+
+export interface AccountRecord {
+  id: string
+  name: string
+  description: string | null
+  domain: string | null
+  createdAt: string
+  updatedAt: string
+  deletedAt: string | null
+}
+
+export interface UserAccountRecord {
+  userId: string
+  accountId: string
+  role: string
+}
+
+export interface RefreshTokenRecord {
+  id: string
+  userId: string
+  tokenHash: string
+  expiresAt: number
+  createdAt: number
+  revokedAt: number | null
+}
+
+export interface InvitationRecord {
+  id: string
+  accountId: string
+  email: string
+  role: string
+  token: string
+  invitedById: string
+  expiresAt: string
+  acceptedAt: string | null
+  createdAt: string
+}
+
+export type AuditAction =
+  | 'INSERT'
+  | 'UPDATE'
+  | 'DELETE'
+  | 'LOGIN'
+  | 'LOGOUT'
+  | 'SIGNUP'
+  | 'TOKEN_REFRESH'
+  | 'LOGIN_FAILED'
+
+export interface AuditLogRecord {
+  id: string
+  transactionId: string
+  accountId: string | null
+  userId: string | null
+  entity: string
+  entityId: string
+  action: AuditAction
+  changes: Record<string, unknown> | null
+  ipAddress: string | null
+  userAgent: string | null
+  timestamp: string
+}

package/templates/base/src/server/db/seed.ts

@@ -4,7 +4,7 @@
 // Run with: npm run db:seed
 //
 // The generated SQL can be executed via wrangler:
-// npx wrangler d1 execute DB --local --file=seed.sql
+// pnpm db:seed:local
 
 import { generateStrongPassword } from '../lib/password'
 
@@ -243,7 +243,8 @@ function printSummary(): void {
   console.log('\n🔐 Sample Strong Password:', generateStrongPassword())
 
   console.log('\n✅ Run the following command to seed the local database:')
-  console.log('   npx wrangler d1 execute {{projectName}}-db --local --file=seed.sql\n')
+  console.log('   pnpm db:seed:local')
+  console.log('   # or: wrangler --config config/wrangler.json d1 execute <db-name> --local --file=seed.sql\n')
 }
 
 // ============================================================================

package/templates/base/src/server/db/sql.ts

@@ -0,0 +1,96 @@
+// src/server/db/sql.ts
+
+export type SqlValue =
+  | string
+  | number
+  | boolean
+  | null
+  | undefined
+  | bigint
+  | Uint8Array
+  | ArrayBuffer
+  | Date
+
+export type SqlParams = SqlValue[]
+
+export type SqlRow = Record<string, unknown>
+export type RowMapper<T> = (row: SqlRow) => T
+
+function normalizeValue(value: SqlValue): unknown {
+  if (value === undefined) return null
+  if (value instanceof Date) return value.toISOString()
+  if (typeof value === 'boolean') return value ? 1 : 0
+  return value
+}
+
+function normalizeParams(params?: SqlParams): unknown[] {
+  return (params ?? []).map((value) => normalizeValue(value))
+}
+
+function prepareStatement(db: D1Database, statement: string, params?: SqlParams): D1PreparedStatement {
+  const prepared = db.prepare(statement)
+  const normalized = normalizeParams(params)
+  return normalized.length > 0 ? prepared.bind(...normalized) : prepared
+}
+
+export async function queryAll<T = SqlRow>(
+  db: D1Database,
+  statement: string,
+  params?: SqlParams,
+  mapper?: RowMapper<T>
+): Promise<T[]> {
+  const prepared = prepareStatement(db, statement, params)
+  const result = await prepared.all<SqlRow>()
+  const rows = result.results ?? []
+  return mapper ? rows.map(mapper) : (rows as T[])
+}
+
+export async function queryOne<T = SqlRow>(
+  db: D1Database,
+  statement: string,
+  params?: SqlParams,
+  mapper?: RowMapper<T>
+): Promise<T | null> {
+  const prepared = prepareStatement(db, statement, params)
+  const row = await prepared.first<SqlRow>()
+  if (!row) return null
+  return mapper ? mapper(row) : (row as T)
+}
+
+export async function queryValue<T = unknown>(
+  db: D1Database,
+  statement: string,
+  params?: SqlParams,
+  column?: string
+): Promise<T | null> {
+  const row = await queryOne<SqlRow>(db, statement, params)
+  if (!row) return null
+  if (column) return (row[column] as T) ?? null
+  const firstKey = Object.keys(row)[0]
+  if (!firstKey) return null
+  return row[firstKey] as T
+}
+
+export async function execute(
+  db: D1Database,
+  statement: string,
+  params?: SqlParams
+): Promise<D1Result<unknown>> {
+  const prepared = prepareStatement(db, statement, params)
+  return prepared.run()
+}
+
+export interface BatchStatement {
+  statement: string
+  params?: SqlParams
+}
+
+export async function executeBatch(
+  db: D1Database,
+  statements: BatchStatement[]
+): Promise<D1Result<unknown>[]> {
+  const preparedStatements = statements.map((item) =>
+    prepareStatement(db, item.statement, item.params)
+  )
+  return db.batch(preparedStatements)
+}

package/templates/base/src/server/index.ts

@@ -54,8 +54,22 @@ app.use('*', secureHeaders())
 // 7. Rate limiting - global limit of 100 requests per minute
 app.use('*', rateLimit())
 
-// 8. Stricter rate limiting for auth endpoints (10 requests per minute)
-app.use('/auth/*', authRateLimit())
+// 8. Stricter rate limiting for auth LOGIN endpoints only (10 requests per minute)
+// These are the endpoints vulnerable to brute force attacks
+// Note: /auth/me, /auth/refresh, /auth/logout use the global rate limit (100 req/min)
+// because they are session verification/maintenance, not login attempts
+// Create auth rate limiter instance once (not per-request)
+const loginRateLimiter = authRateLimit()
+
+app.use('/auth/*', async (c, next) => {
+  const path = c.req.path
+  // Only apply strict rate limit to login-related endpoints (brute force protection)
+  if (path === '/auth/login' || path === '/auth/callback') {
+    return loginRateLimiter(c, next)
+  }
+  // Other auth endpoints (/auth/me, /auth/refresh, /auth/logout) use global rate limit
+  return next()
+})
 
 // 9. Database middleware - create db instance per request
 app.use('*', async (c, next) => {