@expressots/cli 3.0.0 → 4.0.0-preview.2

package/bin/containerize/generators/ci-generator.js

@@ -0,0 +1,936 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateCIConfig = void 0;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const chalk_1 = __importDefault(require("chalk"));
+const package_manager_commands_1 = require("../../utils/package-manager-commands");
+async function generateCIConfig(options, analysis) {
+    const cwd = process.cwd();
+    const platform = options.ciPlatform || "github";
+    const strategy = options.ciStrategy || "comprehensive";
+    console.log(chalk_1.default.yellow(`📝 Generating CI/CD configuration for ${platform}...`));
+    if (platform === "all") {
+        await generateAllPlatforms(cwd, options, analysis);
+    }
+    else {
+        await generatePlatformConfig(cwd, platform, options, analysis);
+    }
+}
+exports.generateCIConfig = generateCIConfig;
+async function generateAllPlatforms(cwd, options, analysis) {
+    const platforms = [
+        "github",
+        "gitlab",
+        "circleci",
+        "jenkins",
+        "bitbucket",
+        "azure",
+    ];
+    for (const platform of platforms) {
+        await generatePlatformConfig(cwd, platform, options, analysis);
+    }
+    console.log(chalk_1.default.green(`  ✓ Generated CI/CD configs for all platforms`));
+}
+async function generatePlatformConfig(cwd, platform, options, analysis) {
+    if (platform !== "github") {
+        printSinglePipelinePlatformWarning(platform);
+    }
+    switch (platform) {
+        case "github":
+            await generateGitHubActions(cwd, options, analysis);
+            break;
+        case "gitlab":
+            await generateGitLabCI(cwd, options, analysis);
+            break;
+        case "circleci":
+            await generateCircleCI(cwd, options, analysis);
+            break;
+        case "jenkins":
+            await generateJenkinsfile(cwd, options, analysis);
+            break;
+        case "bitbucket":
+            await generateBitbucketPipelines(cwd, options, analysis);
+            break;
+        case "azure":
+            await generateAzureDevOps(cwd, options, analysis);
+            break;
+    }
+}
+/**
+ * Warn the user that, unlike GitHub Actions (which can host any
+ * number of workflow files side-by-side), this platform only
+ * supports a single canonical pipeline config — so the file we are
+ * about to write would overwrite anything `expressots cicd init`
+ * already produced for the same platform.
+ */
+function printSinglePipelinePlatformWarning(platform) {
+    console.log(chalk_1.default.yellow(`\n⚠️  ${platform} only supports a single canonical pipeline config file.`));
+    console.log(chalk_1.default.gray("   The CD-focused output below will overwrite anything previously"));
+    console.log(chalk_1.default.gray("   generated by `expressots cicd init`. For non-GitHub platforms"));
+    console.log(chalk_1.default.gray("   prefer `cicd init` (which already includes Docker build/push/deploy).\n"));
+}
+// ==================== GITHUB ACTIONS ====================
+async function generateGitHubActions(cwd, options, analysis) {
+    const githubDir = path_1.default.join(cwd, ".github", "workflows");
+    if (!fs_1.default.existsSync(githubDir)) {
+        fs_1.default.mkdirSync(githubDir, { recursive: true });
+    }
+    const workflow = generateGitHubActionsWorkflow(options, analysis);
+    // File name `cd-docker.yml` makes the CD intent explicit and
+    // avoids visual clash with `cicd init`'s `ci.yml`.
+    fs_1.default.writeFileSync(path_1.default.join(githubDir, "cd-docker.yml"), workflow, "utf-8");
+    console.log(chalk_1.default.green(`  ✓ Created .github/workflows/cd-docker.yml`));
+}
+function generateGitHubActionsWorkflow(options, analysis) {
+    const strategy = options.ciStrategy || "comprehensive";
+    const includeSecurityScans = options.includeSecurityScans !== false;
+    const includeE2E = options.includeE2E === true;
+    const nodeVersion = analysis?.nodeVersion || "20";
+    const packageManager = analysis?.packageManager || "npm";
+    let workflow = `# GitHub Actions: Docker CD Pipeline
+# Generated by ExpressoTS CLI (\`expressots containerize --include-ci\`)
+#
+# Scope: continuous DELIVERY for the Docker image (build, scan,
+# push, deploy). For continuous INTEGRATION (lint, unit tests,
+# coverage) generate a complementary \`ci.yml\` via:
+#     expressots cicd init github
+
+name: Docker Build and Deploy
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+env:
+  DOCKER_IMAGE: expressots-app
+  NODE_VERSION: '${nodeVersion}'
+
+jobs:
+`;
+    // Lint Job
+    workflow += `  lint:
+    name: Code Quality
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: \${{ env.NODE_VERSION }}
+          cache: '${packageManager}'
+
+      - name: Install dependencies
+        run: ${getInstallCommand(packageManager)}
+
+      - name: Run linter
+        run: ${packageManager} run lint
+
+      - name: Check formatting
+        run: ${packageManager} run format -- --check || echo "No format script found"
+        continue-on-error: true
+
+`;
+    // Test Job
+    workflow += `  test:
+    name: Unit Tests
+    runs-on: ubuntu-latest
+    needs: lint
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: \${{ env.NODE_VERSION }}
+          cache: '${packageManager}'
+
+      - name: Install dependencies
+        run: ${getInstallCommand(packageManager)}
+
+      - name: Run unit tests
+        run: ${packageManager} run test
+
+      - name: Generate coverage report
+        run: ${packageManager} run coverage || echo "No coverage script"
+        continue-on-error: true
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          token: \${{ secrets.CODECOV_TOKEN }}
+          files: ./coverage/lcov.info
+          fail_ci_if_error: false
+        continue-on-error: true
+
+`;
+    // Security Scan Job
+    if (strategy === "comprehensive" || includeSecurityScans) {
+        workflow += `  security:
+    name: Security Scans
+    runs-on: ubuntu-latest
+    needs: lint
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+        continue-on-error: true
+
+      - name: Upload Trivy results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+        continue-on-error: true
+
+      - name: Run Snyk security scan
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: \${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=high
+        continue-on-error: true
+
+`;
+    }
+    // Build and Push Job
+    workflow += `  build:
+    name: Build and Push Docker Image
+    runs-on: ubuntu-latest
+    needs: [test${strategy === "comprehensive" || includeSecurityScans ? ", security" : ""}]
+    permissions:
+      contents: read
+      packages: write
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: \${{ secrets.DOCKER_USERNAME }}
+          password: \${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: \${{ secrets.DOCKER_USERNAME }}/\${{ env.DOCKER_IMAGE }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha,prefix={{branch}}-
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: \${{ github.event_name != 'pull_request' }}
+          tags: \${{ steps.meta.outputs.tags }}
+          labels: \${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            NODE_VERSION=\${{ env.NODE_VERSION }}
+
+      - name: Scan Docker image for vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: \${{ secrets.DOCKER_USERNAME }}/\${{ env.DOCKER_IMAGE }}:latest
+          format: 'table'
+          exit-code: '0'
+        continue-on-error: true
+
+`;
+    // E2E Tests Job (if requested)
+    if (includeE2E) {
+        workflow += `  e2e:
+    name: End-to-End Tests
+    runs-on: ubuntu-latest
+    needs: build
+    if: github.event_name != 'pull_request'
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: \${{ secrets.DOCKER_USERNAME }}
+          password: \${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Pull Docker image
+        run: docker pull \${{ secrets.DOCKER_USERNAME }}/\${{ env.DOCKER_IMAGE }}:latest
+
+      - name: Run E2E tests
+        run: |
+          docker-compose -f docker-compose.test.yml up -d
+          ${packageManager} run test:e2e || echo "No e2e tests configured"
+          docker-compose -f docker-compose.test.yml down
+
+`;
+    }
+    // Deploy Job
+    workflow += `  deploy:
+    name: Deploy to ${options.environment || "production"}
+    runs-on: ubuntu-latest
+    needs: build
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    environment:
+      name: ${options.environment || "production"}
+      url: https://\${{ env.DOCKER_IMAGE }}.yourdomain.com
+    
+    steps:
+      - name: Deploy notification
+        run: |
+          echo "Deploying \${{ env.DOCKER_IMAGE }} to ${options.environment || "production"}"
+          echo "Image: \${{ secrets.DOCKER_USERNAME }}/\${{ env.DOCKER_IMAGE }}:latest"
+
+      # Add your deployment steps here:
+      # - Deploy to Kubernetes
+      # - Deploy to AWS ECS
+      # - Deploy to Railway
+      # - Deploy to Fly.io
+      # - etc.
+
+      - name: Deployment placeholder
+        run: |
+          echo "⚠️  Add your deployment commands here"
+          echo "Examples:"
+          echo "  - kubectl apply -f k8s/"
+          echo "  - aws ecs update-service ..."
+          echo "  - railway up"
+`;
+    return workflow;
+}
+// ==================== GITLAB CI ====================
+async function generateGitLabCI(cwd, options, analysis) {
+    const workflow = generateGitLabCIConfig(options, analysis);
+    fs_1.default.writeFileSync(path_1.default.join(cwd, ".gitlab-ci.yml"), workflow, "utf-8");
+    console.log(chalk_1.default.green(`  ✓ Created .gitlab-ci.yml`));
+}
+function generateGitLabCIConfig(options, analysis) {
+    const nodeVersion = analysis?.nodeVersion || "20";
+    const packageManager = analysis?.packageManager || "npm";
+    const includeSecurityScans = options.includeSecurityScans !== false;
+    return `# GitLab CI/CD Pipeline
+# Generated by ExpressoTS CLI
+
+image: node:${nodeVersion}-alpine
+
+variables:
+  DOCKER_IMAGE: expressots-app
+  DOCKER_DRIVER: overlay2
+
+stages:
+  - lint
+  - test
+  - security
+  - build
+  - deploy
+
+cache:
+  paths:
+    - node_modules/
+    - .${packageManager}/
+
+# Lint Job
+lint:
+  stage: lint
+  script:
+    - ${getInstallCommand(packageManager)}
+    - ${packageManager} run lint
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+    - if: $CI_COMMIT_BRANCH
+
+# Test Job
+test:
+  stage: test
+  script:
+    - ${getInstallCommand(packageManager)}
+    - ${packageManager} run test
+    - ${packageManager} run coverage || true
+  coverage: '/Statements\\s*:\\s*(\\d+\\.\\d+)%/'
+  artifacts:
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: coverage/cobertura-coverage.xml
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+    - if: $CI_COMMIT_BRANCH
+
+${includeSecurityScans
+        ? `# Security Scan Job
+security:
+  stage: security
+  image: aquasec/trivy:latest
+  script:
+    - trivy fs --severity HIGH,CRITICAL .
+  allow_failure: true
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+    - if: $CI_COMMIT_BRANCH
+
+dependency-scanning:
+  stage: security
+  script:
+    - ${getInstallCommand(packageManager)}
+    - ${packageManager} audit --audit-level=moderate
+  allow_failure: true
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+    - if: $CI_COMMIT_BRANCH
+`
+        : ""}
+
+# Build Docker Image
+build:
+  stage: build
+  image: docker:latest
+  services:
+    - docker:dind
+  before_script:
+    - docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
+  script:
+    - docker build -t $DOCKER_USERNAME/$DOCKER_IMAGE:$CI_COMMIT_SHORT_SHA .
+    - docker tag $DOCKER_USERNAME/$DOCKER_IMAGE:$CI_COMMIT_SHORT_SHA $DOCKER_USERNAME/$DOCKER_IMAGE:latest
+    - docker push $DOCKER_USERNAME/$DOCKER_IMAGE:$CI_COMMIT_SHORT_SHA
+    - docker push $DOCKER_USERNAME/$DOCKER_IMAGE:latest
+  only:
+    - main
+    - develop
+
+# Deploy Job
+deploy:
+  stage: deploy
+  image: alpine:latest
+  script:
+    - echo "Deploying $DOCKER_IMAGE to ${options.environment || "production"}"
+    - echo "⚠️  Add your deployment commands here"
+  environment:
+    name: ${options.environment || "production"}
+    url: https://expressots-app.yourdomain.com
+  only:
+    - main
+`;
+}
+// ==================== CIRCLECI ====================
+async function generateCircleCI(cwd, options, analysis) {
+    const circleCIDir = path_1.default.join(cwd, ".circleci");
+    if (!fs_1.default.existsSync(circleCIDir)) {
+        fs_1.default.mkdirSync(circleCIDir, { recursive: true });
+    }
+    const config = generateCircleCIConfig(options, analysis);
+    fs_1.default.writeFileSync(path_1.default.join(circleCIDir, "config.yml"), config, "utf-8");
+    console.log(chalk_1.default.green(`  ✓ Created .circleci/config.yml`));
+}
+function generateCircleCIConfig(options, analysis) {
+    const nodeVersion = analysis?.nodeVersion || "20";
+    const packageManager = analysis?.packageManager || "npm";
+    return `# CircleCI Configuration
+# Generated by ExpressoTS CLI
+
+version: 2.1
+
+orbs:
+  node: circleci/node@5.1.0
+  docker: circleci/docker@2.4.0
+
+executors:
+  node-executor:
+    docker:
+      - image: cimg/node:${nodeVersion}
+
+jobs:
+  lint:
+    executor: node-executor
+    steps:
+      - checkout
+      - node/install-packages:
+          pkg-manager: ${packageManager}
+      - run:
+          name: Run linter
+          command: ${packageManager} run lint
+
+  test:
+    executor: node-executor
+    steps:
+      - checkout
+      - node/install-packages:
+          pkg-manager: ${packageManager}
+      - run:
+          name: Run tests
+          command: ${packageManager} run test
+      - run:
+          name: Generate coverage
+          command: ${packageManager} run coverage || true
+      - store_test_results:
+          path: ./coverage
+      - store_artifacts:
+          path: ./coverage
+
+  build-and-push:
+    executor: docker/docker
+    steps:
+      - checkout
+      - setup_remote_docker:
+          version: 20.10.24
+      - docker/check
+      - docker/build:
+          image: expressots-app
+          tag: latest,$CIRCLE_SHA1
+      - docker/push:
+          image: expressots-app
+          tag: latest,$CIRCLE_SHA1
+
+  deploy:
+    executor: node-executor
+    steps:
+      - checkout
+      - run:
+          name: Deploy application
+          command: |
+            echo "Deploying to ${options.environment || "production"}"
+            echo "⚠️  Add your deployment commands here"
+
+workflows:
+  version: 2
+  build-test-deploy:
+    jobs:
+      - lint
+      - test:
+          requires:
+            - lint
+      - build-and-push:
+          requires:
+            - test
+          filters:
+            branches:
+              only:
+                - main
+                - develop
+      - deploy:
+          requires:
+            - build-and-push
+          filters:
+            branches:
+              only: main
+`;
+}
+// ==================== JENKINS ====================
+async function generateJenkinsfile(cwd, options, analysis) {
+    const config = generateJenkinsfileConfig(options, analysis);
+    fs_1.default.writeFileSync(path_1.default.join(cwd, "Jenkinsfile"), config, "utf-8");
+    console.log(chalk_1.default.green(`  ✓ Created Jenkinsfile`));
+}
+function generateJenkinsfileConfig(options, analysis) {
+    const nodeVersion = analysis?.nodeVersion || "20";
+    const packageManager = analysis?.packageManager || "npm";
+    return `// Jenkinsfile
+// Generated by ExpressoTS CLI
+
+pipeline {
+    agent any
+    
+    environment {
+        NODE_VERSION = '${nodeVersion}'
+        DOCKER_IMAGE = 'expressots-app'
+        DOCKER_REGISTRY = credentials('docker-hub-credentials')
+    }
+    
+    stages {
+        stage('Checkout') {
+            steps {
+                checkout scm
+            }
+        }
+        
+        stage('Setup') {
+            steps {
+                sh 'node --version'
+                sh '${getInstallCommand(packageManager)}'
+            }
+        }
+        
+        stage('Lint') {
+            steps {
+                sh '${packageManager} run lint'
+            }
+        }
+        
+        stage('Test') {
+            steps {
+                sh '${packageManager} run test'
+                sh '${packageManager} run coverage || true'
+            }
+            post {
+                always {
+                    junit 'coverage/junit.xml'
+                    publishHTML([
+                        reportDir: 'coverage',
+                        reportFiles: 'index.html',
+                        reportName: 'Coverage Report'
+                    ])
+                }
+            }
+        }
+        
+        stage('Security Scan') {
+            steps {
+                sh '${packageManager} audit --audit-level=moderate || true'
+            }
+        }
+        
+        stage('Build Docker Image') {
+            when {
+                branch 'main'
+            }
+            steps {
+                script {
+                    docker.build("\${DOCKER_IMAGE}:\${BUILD_NUMBER}")
+                    docker.build("\${DOCKER_IMAGE}:latest")
+                }
+            }
+        }
+        
+        stage('Push Docker Image') {
+            when {
+                branch 'main'
+            }
+            steps {
+                script {
+                    docker.withRegistry('https://registry.hub.docker.com', 'docker-hub-credentials') {
+                        docker.image("\${DOCKER_IMAGE}:\${BUILD_NUMBER}").push()
+                        docker.image("\${DOCKER_IMAGE}:latest").push()
+                    }
+                }
+            }
+        }
+        
+        stage('Deploy') {
+            when {
+                branch 'main'
+            }
+            steps {
+                echo 'Deploying to ${options.environment || "production"}'
+                echo '⚠️  Add your deployment commands here'
+                // sh 'kubectl apply -f k8s/'
+                // sh 'helm upgrade --install myapp ./helm-chart'
+            }
+        }
+    }
+    
+    post {
+        success {
+            echo 'Pipeline completed successfully!'
+        }
+        failure {
+            echo 'Pipeline failed!'
+        }
+        always {
+            cleanWs()
+        }
+    }
+}
+`;
+}
+// ==================== BITBUCKET PIPELINES ====================
+async function generateBitbucketPipelines(cwd, options, analysis) {
+    const config = generateBitbucketPipelinesConfig(options, analysis);
+    fs_1.default.writeFileSync(path_1.default.join(cwd, "bitbucket-pipelines.yml"), config, "utf-8");
+    console.log(chalk_1.default.green(`  ✓ Created bitbucket-pipelines.yml`));
+}
+function generateBitbucketPipelinesConfig(options, analysis) {
+    const nodeVersion = analysis?.nodeVersion || "20";
+    const packageManager = analysis?.packageManager || "npm";
+    return `# Bitbucket Pipelines Configuration
+# Generated by ExpressoTS CLI
+
+image: node:${nodeVersion}-alpine
+
+definitions:
+  caches:
+    npm-cache: ~/.npm
+  
+  steps:
+    - step: &lint
+        name: Lint
+        caches:
+          - npm-cache
+        script:
+          - ${getInstallCommand(packageManager)}
+          - ${packageManager} run lint
+    
+    - step: &test
+        name: Test
+        caches:
+          - npm-cache
+        script:
+          - ${getInstallCommand(packageManager)}
+          - ${packageManager} run test
+          - ${packageManager} run coverage || true
+        artifacts:
+          - coverage/**
+    
+    - step: &build-docker
+        name: Build and Push Docker Image
+        services:
+          - docker
+        script:
+          - docker build -t \${DOCKER_USERNAME}/expressots-app:\${BITBUCKET_COMMIT} .
+          - docker tag \${DOCKER_USERNAME}/expressots-app:\${BITBUCKET_COMMIT} \${DOCKER_USERNAME}/expressots-app:latest
+          - echo \${DOCKER_PASSWORD} | docker login -u \${DOCKER_USERNAME} --password-stdin
+          - docker push \${DOCKER_USERNAME}/expressots-app:\${BITBUCKET_COMMIT}
+          - docker push \${DOCKER_USERNAME}/expressots-app:latest
+    
+    - step: &deploy
+        name: Deploy
+        deployment: ${options.environment || "production"}
+        script:
+          - echo "Deploying to ${options.environment || "production"}"
+          - echo "⚠️  Add your deployment commands here"
+
+pipelines:
+  default:
+    - step: *lint
+    - step: *test
+  
+  branches:
+    main:
+      - step: *lint
+      - step: *test
+      - step: *build-docker
+      - step: *deploy
+    
+    develop:
+      - step: *lint
+      - step: *test
+      - step: *build-docker
+  
+  pull-requests:
+    '**':
+      - step: *lint
+      - step: *test
+`;
+}
+// ==================== AZURE DEVOPS ====================
+async function generateAzureDevOps(cwd, options, analysis) {
+    const config = generateAzureDevOpsConfig(options, analysis);
+    fs_1.default.writeFileSync(path_1.default.join(cwd, "azure-pipelines.yml"), config, "utf-8");
+    console.log(chalk_1.default.green(`  ✓ Created azure-pipelines.yml`));
+}
+function generateAzureDevOpsConfig(options, analysis) {
+    const nodeVersion = analysis?.nodeVersion || "20";
+    const packageManager = analysis?.packageManager || "npm";
+    const includeSecurityScans = options.includeSecurityScans !== false;
+    const azureNodeVersion = nodeVersion;
+    const azurePackageManager = packageManager;
+    const azureEnv = options.environment || "production";
+    // Use string concatenation to avoid ESLint escape issues with Azure DevOps $(var) syntax
+    const vmImage = "$(vmImageName)";
+    const nodeVer = "$(nodeVersion)";
+    const sysDir = "$(System.DefaultWorkingDirectory)";
+    const dockerReg = "$(dockerRegistryServiceConnection)";
+    const dockerImg = "$(dockerImage)";
+    const buildId = "$(Build.BuildId)";
+    let content = `# Azure DevOps Pipeline
+# Generated by ExpressoTS CLI
+
+trigger:
+  branches:
+    include:
+      - main
+      - develop
+
+pr:
+  branches:
+    include:
+      - main
+
+variables:
+  nodeVersion: '${azureNodeVersion}'
+  dockerImage: 'expressots-app'
+  vmImageName: 'ubuntu-latest'
+
+stages:
+  - stage: Build
+    displayName: 'Build & Test'
+    jobs:
+      - job: Lint
+        displayName: 'Lint Code'
+        pool:
+          vmImage: ${vmImage}
+        steps:
+          - task: NodeTool@0
+            displayName: 'Install Node.js'
+            inputs:
+              versionSpec: '${nodeVer}'
+          
+          - script: ${getInstallCommand(azurePackageManager)}
+            displayName: 'Install dependencies'
+          
+          - script: ${azurePackageManager} run lint
+            displayName: 'Run linter'
+
+      - job: Test
+        displayName: 'Run Tests'
+        dependsOn: Lint
+        pool:
+          vmImage: ${vmImage}
+        steps:
+          - task: NodeTool@0
+            displayName: 'Install Node.js'
+            inputs:
+              versionSpec: '${nodeVer}'
+          
+          - script: ${getInstallCommand(azurePackageManager)}
+            displayName: 'Install dependencies'
+          
+          - script: ${azurePackageManager} run test
+            displayName: 'Run tests'
+          
+          - script: ${azurePackageManager} run coverage || true
+            displayName: 'Generate coverage'
+          
+          - task: PublishCodeCoverageResults@1
+            displayName: 'Publish code coverage'
+            inputs:
+              codeCoverageTool: 'Cobertura'
+              summaryFileLocation: '${sysDir}/coverage/cobertura-coverage.xml'
+            continueOnError: true
+
+`;
+    if (includeSecurityScans) {
+        content += `      - job: Security
+        displayName: 'Security Scan'
+        dependsOn: Lint
+        pool:
+          vmImage: ${vmImage}
+        steps:
+          - task: NodeTool@0
+            displayName: 'Install Node.js'
+            inputs:
+              versionSpec: '${nodeVer}'
+          
+          - script: ${getInstallCommand(azurePackageManager)}
+            displayName: 'Install dependencies'
+          
+          - script: ${azurePackageManager} audit --audit-level=high || true
+            displayName: 'npm audit'
+`;
+    }
+    content += `      - job: Build
+        displayName: 'Build Application'
+        dependsOn: Test
+        pool:
+          vmImage: ${vmImage}
+        steps:
+          - task: NodeTool@0
+            displayName: 'Install Node.js'
+            inputs:
+              versionSpec: '${nodeVer}'
+          
+          - script: ${getInstallCommand(azurePackageManager)}
+            displayName: 'Install dependencies'
+          
+          - script: ${azurePackageManager} run build
+            displayName: 'Build application'
+          
+          - task: PublishBuildArtifacts@1
+            displayName: 'Publish artifacts'
+            inputs:
+              pathToPublish: 'dist'
+              artifactName: 'dist'
+
+  - stage: Docker
+    displayName: 'Docker Build & Push'
+    dependsOn: Build
+    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
+    jobs:
+      - job: DockerBuild
+        displayName: 'Build & Push Docker Image'
+        pool:
+          vmImage: ${vmImage}
+        steps:
+          - task: Docker@2
+            displayName: 'Build Docker image'
+            inputs:
+              containerRegistry: '${dockerReg}'
+              repository: '${dockerImg}'
+              command: 'build'
+              Dockerfile: '**/Dockerfile'
+              tags: |
+                ${buildId}
+                latest
+          
+          - task: Docker@2
+            displayName: 'Push Docker image'
+            inputs:
+              containerRegistry: '${dockerReg}'
+              repository: '${dockerImg}'
+              command: 'push'
+              tags: |
+                ${buildId}
+                latest
+
+  - stage: Deploy
+    displayName: 'Deploy'
+    dependsOn: Docker
+    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
+    jobs:
+      - deployment: Deploy
+        displayName: 'Deploy to ${azureEnv}'
+        pool:
+          vmImage: ${vmImage}
+        environment: '${azureEnv}'
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - script: |
+                    echo "Deploying to ${azureEnv}"
+                    echo "Add your deployment commands here"
+                  displayName: 'Deploy'
+`;
+    return content;
+}
+// ==================== HELPER FUNCTIONS ====================
+/**
+ * Local alias kept to minimize template diff churn; delegates to the
+ * shared `getCiInstallCommand` helper so the install command stays
+ * consistent with what `cicd init` emits.
+ */
+function getInstallCommand(packageManager) {
+    return (0, package_manager_commands_1.getCiInstallCommand)(packageManager);
+}
+// `getRunScriptCommand` is exposed by the shared helper module — we
+// re-export to keep call sites inside this file short. Marked as
+// "used" so eslint/tsc don't complain about the import.
+void package_manager_commands_1.getRunScriptCommand;