@forgeailab/create-spark 0.1.1 → 0.1.3

package/packs/auth-supabase/pack.toml

@@ -0,0 +1,34 @@
+name = "auth-supabase"
+version = "1.0.0"
+category = "auth"
+description = "Supabase Auth routes, login page, and session middleware for Next.js."
+provides = ["auth"]
+requires = ["db-pg"]
+conflicts = ["auth"]
+requires_runtime = ["server"]
+compatible_scaffolds = ["nextjs"]
+
+# NOTE: This pack is meaningfully compatible only when db-supabase is the installed db provider.
+
+[dependencies]
+runtime = ["@supabase/supabase-js", "@supabase/ssr"]
+
+[env]
+required = ["NEXT_PUBLIC_SUPABASE_URL", "NEXT_PUBLIC_SUPABASE_ANON_KEY"]
+
+[[files]]
+mode = "create"
+from = "app/auth/callback/route.ts"
+to = "app/auth/callback/route.ts"
+
+# The nextjs template ships app/(auth)/login/page.tsx as a placeholder;
+# Supabase users wire the supabase client into that template-owned file rather
+# than overwriting it from the pack.
+
+[[files]]
+mode = "create"
+from = "middleware.ts"
+to = "middleware.ts"
+
+[tasks]
+file = "tasks.yaml"

package/packs/auth-supabase/tasks.yaml

@@ -0,0 +1,10 @@
+epic: Auth
+tasks:
+  - id: AUTH-001
+    title: Configure OAuth provider in Supabase dashboard
+    acceptance:
+      - Supabase OAuth provider completes sign-in through /auth/callback
+  - id: AUTH-002
+    title: Add protected route example
+    acceptance:
+      - Anonymous users are redirected away from the protected route example

package/packs/db-postgres/files/compose/postgres.yml

@@ -0,0 +1,28 @@
+services:
+  postgres:
+    image: postgres:16
+    restart: unless-stopped
+    command:
+      - postgres
+      - -c
+      - wal_level=logical
+      - -c
+      - max_wal_senders=10
+      - -c
+      - max_replication_slots=10
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB:-app}
+      POSTGRES_USER: ${POSTGRES_USER:-app}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-app}
+    ports:
+      - "${POSTGRES_PORT:-5432}:5432"
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-app} -d ${POSTGRES_DB:-app}"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+volumes:
+  postgres_data:

package/packs/db-postgres/files/docker-compose.include.yml

@@ -0,0 +1 @@
+  - compose/postgres.yml

package/packs/db-postgres/files/docker-compose.yml

@@ -0,0 +1,6 @@
+# Spark-managed Docker Compose root.
+#
+# Each infra-providing pack appends an entry below. Service definitions live
+# in compose/*.yml fragments. Run with `docker compose up -d` — Compose 2.20+
+# resolves `include:` for you.
+include:

package/packs/db-postgres/files/drizzle.config.ts

@@ -0,0 +1,10 @@
+import { defineConfig } from 'drizzle-kit';
+
+export default defineConfig({
+  schema: './lib/db/schema.ts',
+  out: './drizzle',
+  dialect: 'postgresql',
+  dbCredentials: {
+    url: process.env.DATABASE_URL ?? 'postgres://postgres:postgres@localhost:5432/postgres',
+  },
+});

package/packs/db-postgres/files/lib/db/index.ts

@@ -0,0 +1,10 @@
+import postgres from 'postgres';
+import { drizzle } from 'drizzle-orm/postgres-js';
+import * as schema from './schema';
+
+const DEFAULT_URL = 'postgres://postgres:postgres@localhost:5432/postgres';
+const url = process.env.DATABASE_URL ?? DEFAULT_URL;
+
+export const sql = postgres(url, { max: 10 });
+export const db = drizzle(sql, { schema });
+export type Db = typeof db;

package/packs/db-postgres/files/lib/db/schema.ts

@@ -0,0 +1,11 @@
+import { pgTable, text, timestamp } from 'drizzle-orm/pg-core';
+
+export const users = pgTable('users', {
+  id: text('id').primaryKey(),
+  email: text('email').notNull().unique(),
+  name: text('name'),
+  createdAt: timestamp('created_at').defaultNow().notNull(),
+});
+
+export type User = typeof users.$inferSelect;
+export type NewUser = typeof users.$inferInsert;

package/packs/db-postgres/pack.toml

@@ -0,0 +1,53 @@
+name = "db-postgres"
+version = "1.0.0"
+category = "db"
+description = "Postgres database setup with Drizzle ORM and postgres-js (Bun-compatible)."
+provides = ["db", "db-pg"]
+requires = []
+conflicts = ["db"]
+requires_runtime = ["server"]
+compatible_scaffolds = ["nextjs"]
+
+[dependencies]
+runtime = ["drizzle-orm", "postgres"]
+dev = ["drizzle-kit"]
+
+[env]
+required = ["DATABASE_URL"]
+
+[[files]]
+mode = "create"
+from = "lib/db/index.ts"
+to = "lib/db/index.ts"
+
+[[files]]
+mode = "create"
+from = "lib/db/schema.ts"
+to = "lib/db/schema.ts"
+
+[[files]]
+mode = "create"
+from = "drizzle.config.ts"
+to = "drizzle.config.ts"
+
+# Compose root + postgres fragment. Multiple packs (db-postgres, sync-zero,
+# docker-compose-dev) each ship the same root file with `create-or-skip` —
+# whichever installs first creates it, the rest no-op. Each pack then appends
+# its own include line under a marker.
+[[files]]
+mode = "create-or-skip"
+from = "docker-compose.yml"
+to = "docker-compose.yml"
+
+[[files]]
+mode = "create"
+from = "compose/postgres.yml"
+to = "compose/postgres.yml"
+
+[[files]]
+mode = "append"
+from = "docker-compose.include.yml"
+to = "docker-compose.yml"
+
+[tasks]
+file = "tasks.yaml"

package/packs/db-postgres/tasks.yaml

@@ -0,0 +1,11 @@
+epic: Database
+tasks:
+  - id: DB-001
+    title: Run initial migration
+    acceptance:
+      - Schema applied to Postgres via `bun drizzle-kit push`
+  - id: DB-002
+    title: Provision local Postgres
+    acceptance:
+      - Postgres reachable at DATABASE_URL (docker-compose, Homebrew, or hosted)
+      - wal_level=logical set if pairing with sync-zero

package/packs/db-sqlite/files/drizzle.config.ts

@@ -0,0 +1,10 @@
+import { defineConfig } from 'drizzle-kit';
+
+export default defineConfig({
+  schema: './lib/schema.ts',
+  out: './drizzle',
+  dialect: 'sqlite',
+  dbCredentials: {
+    url: process.env.DATABASE_URL ?? 'local.db',
+  },
+});

package/packs/db-sqlite/files/lib/db.ts

@@ -0,0 +1,8 @@
+import { Database } from 'bun:sqlite';
+import { drizzle } from 'drizzle-orm/bun-sqlite';
+import * as schema from './schema';
+
+const databaseUrl = process.env.DATABASE_URL ?? 'local.db';
+const sqlite = new Database(databaseUrl.replace(/^file:/u, ''));
+
+export const db = drizzle(sqlite, { schema });

package/packs/db-sqlite/files/lib/schema.ts

@@ -0,0 +1,13 @@
+import { integer, sqliteTable, text } from 'drizzle-orm/sqlite-core';
+
+export const users = sqliteTable('users', {
+  id: integer('id').primaryKey({ autoIncrement: true }),
+  email: text('email').notNull().unique(),
+  name: text('name'),
+  createdAt: integer('created_at', { mode: 'timestamp' })
+    .notNull()
+    .$defaultFn(() => new Date()),
+});
+
+export type User = typeof users.$inferSelect;
+export type NewUser = typeof users.$inferInsert;

package/packs/db-sqlite/pack.toml

@@ -0,0 +1,34 @@
+name = "db-sqlite"
+version = "1.0.0"
+category = "db"
+description = "SQLite database setup with Drizzle ORM and Bun."
+provides = ["db"]
+requires = []
+conflicts = ["db"]
+requires_runtime = ["server"]
+compatible_scaffolds = ["nextjs"]
+
+[dependencies]
+runtime = ["drizzle-orm"]
+dev = ["drizzle-kit"]
+
+[env]
+required = ["DATABASE_URL"]
+
+[[files]]
+mode = "create"
+from = "lib/db.ts"
+to = "lib/db.ts"
+
+[[files]]
+mode = "create"
+from = "lib/schema.ts"
+to = "lib/schema.ts"
+
+[[files]]
+mode = "create"
+from = "drizzle.config.ts"
+to = "drizzle.config.ts"
+
+[tasks]
+file = "tasks.yaml"

package/packs/db-sqlite/tasks.yaml

@@ -0,0 +1,6 @@
+epic: Database
+tasks:
+  - id: DB-001
+    title: Run initial migration
+    acceptance:
+      - Schema applied to local sqlite file

package/packs/db-supabase/files/lib/supabase/client.ts

@@ -0,0 +1,8 @@
+import { createBrowserClient } from '@supabase/ssr';
+
+export function createSupabaseBrowserClient() {
+  return createBrowserClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+  );
+}

package/packs/db-supabase/files/lib/supabase/server.ts

@@ -0,0 +1,27 @@
+import { createServerClient } from '@supabase/ssr';
+import { cookies } from 'next/headers';
+
+export async function createSupabaseServerClient() {
+  const cookieStore = await cookies();
+
+  return createServerClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+    {
+      cookies: {
+        getAll() {
+          return cookieStore.getAll();
+        },
+        setAll(cookiesToSet) {
+          try {
+            cookiesToSet.forEach(({ name, value, options }) => {
+              cookieStore.set(name, value, options);
+            });
+          } catch {
+            // Server Components cannot write cookies. Middleware refreshes sessions.
+          }
+        },
+      },
+    },
+  );
+}

package/packs/db-supabase/pack.toml

@@ -0,0 +1,32 @@
+name = "db-supabase"
+version = "1.0.0"
+category = "db"
+description = "Supabase browser and server clients for Next.js."
+provides = ["db", "db-pg"]
+requires = []
+conflicts = ["db"]
+requires_runtime = ["server"]
+compatible_scaffolds = ["nextjs"]
+
+[dependencies]
+runtime = ["@supabase/supabase-js", "@supabase/ssr"]
+
+[env]
+required = ["NEXT_PUBLIC_SUPABASE_URL", "NEXT_PUBLIC_SUPABASE_ANON_KEY"]
+optional = ["SUPABASE_SERVICE_ROLE_KEY"]
+
+[[files]]
+mode = "create"
+from = "lib/supabase/server.ts"
+to = "lib/supabase/server.ts"
+
+[[files]]
+mode = "create"
+from = "lib/supabase/client.ts"
+to = "lib/supabase/client.ts"
+
+[skills]
+copy = ["skills/supabase-patterns"]
+
+[tasks]
+file = "tasks.yaml"

package/packs/db-supabase/skills/supabase-patterns/SKILL.md

@@ -0,0 +1,82 @@
+---
+name: supabase-patterns
+description: Apply Supabase client, server, and RLS patterns in Next.js apps without leaking authorization into the browser.
+---
+
+# Skill: supabase-patterns
+
+## Goal
+
+Use Supabase as the database boundary for a Next.js app while keeping data
+access explicit, RLS-backed, and easy to review. Client code may improve user
+experience, but database authorization belongs in Postgres policies.
+
+## Client Choice
+
+- Use the browser client only inside Client Components and browser utilities.
+- Use the server client inside Server Components, Server Actions, and Route Handlers.
+- Use the service role key only in server-only code.
+- Never expose the service role key through `NEXT_PUBLIC_` variables.
+- Keep client creation in `lib/supabase/client.ts` and `lib/supabase/server.ts`.
+- Import those helpers instead of constructing clients throughout the app.
+
+## RLS Baseline
+
+- Enable RLS on every user-facing table before shipping.
+- Write one policy per action: select, insert, update, delete.
+- Start restrictive, then add policies for real workflows.
+- Prefer `auth.uid()` ownership checks for user-owned rows.
+- Prefer membership tables for team or organization access.
+- Avoid policies that only check whether a user is signed in.
+- Avoid policies that mirror UI visibility without enforcing ownership.
+
+## Schema Patterns
+
+- Add `user_id uuid references auth.users(id)` for personal records.
+- Add `organization_id` plus a membership table for multi-tenant data.
+- Use `created_at` and `updated_at` consistently.
+- Add indexes for policy predicates such as `user_id` and `organization_id`.
+- Keep public profile data separate from private account data.
+- Do not join to private tables from public views unless the policy is clear.
+
+## Server Reads And Writes
+
+- Prefer server reads when data is needed for initial page render.
+- Put writes in Server Actions or Route Handlers when they affect trusted state.
+- Re-check authorization in SQL policies, even when the server action checks it.
+- Use `select()` projections instead of fetching whole rows by default.
+- Return typed view models to Client Components.
+- Avoid passing raw Supabase errors directly into user-facing copy.
+
+## Browser Reads
+
+- Browser reads are fine for realtime lists, optimistic UI, and user-owned data.
+- Keep filters aligned with RLS policies so results are predictable.
+- Treat browser filters as performance hints, not authorization.
+- Use loading, empty, and error states for every browser query.
+- Do not fetch admin data from the browser, even behind hidden UI.
+
+## Auth And Cookies
+
+- Middleware should refresh auth cookies before protected routes read sessions.
+- Use `getUser()` or claims validation on the server before trusted actions.
+- Avoid trusting session data that only came from local storage.
+- Redirect unauthenticated users at route boundaries.
+- Keep callback routes small: exchange the code, then redirect.
+
+## Service Role Use
+
+- Reserve the service role for background jobs and admin workflows.
+- Create a separate helper for service-role clients.
+- Keep service-role operations narrow and logged.
+- Never use the service role to bypass missing user policies in normal flows.
+- If a user action needs service role access, reconsider the table design.
+
+## Review Checklist
+
+- Every exposed table has RLS enabled.
+- Every policy has a named workflow it supports.
+- Server-only keys are not imported by Client Components.
+- Client queries cannot reveal another tenant's data.
+- Seeded sample data matches the policies.
+- Error states do not expose table names or policy details.

package/packs/db-supabase/tasks.yaml

@@ -0,0 +1,6 @@
+epic: Database
+tasks:
+  - id: DB-101
+    title: Configure RLS policies
+    acceptance:
+      - RLS enabled on all user-facing tables

package/packs/deploy-vercel/files/docs/deploy.md

@@ -0,0 +1,21 @@
+# Vercel Deploy Checklist
+
+Use this checklist after installing the `deploy-vercel` pack.
+
+## Project setup
+
+- Create or link the Vercel project.
+- Confirm the project framework preset is `Next.js`.
+- Set `VERCEL_PROJECT_ID` and `VERCEL_ORG_ID` locally when using Vercel CLI automation.
+
+## Environment variables
+
+- Add every required pack environment variable to Vercel.
+- Keep preview and production values separate when credentials differ.
+- Redeploy after changing environment variables.
+
+## Preview deploys
+
+- Enable pull request preview deploys.
+- Confirm preview deploys run against non-production services.
+- Keep production-only credentials out of preview environments.

package/packs/deploy-vercel/files/vercel.json

@@ -0,0 +1,4 @@
+{
+  "$schema": "https://openapi.vercel.sh/vercel.json",
+  "framework": "nextjs"
+}

package/packs/deploy-vercel/pack.toml

@@ -0,0 +1,30 @@
+name = "deploy-vercel"
+version = "1.0.0"
+category = "deploy"
+description = "Vercel deployment target for Next.js apps."
+provides = ["deploy-target"]
+requires = []
+conflicts = []
+requires_runtime = []
+compatible_scaffolds = ["nextjs"]
+
+[dependencies]
+runtime = []
+dev = []
+
+[env]
+required = []
+optional = ["VERCEL_PROJECT_ID", "VERCEL_ORG_ID"]
+
+[[files]]
+mode = "create"
+from = "vercel.json"
+to = "vercel.json"
+
+[[files]]
+mode = "create"
+from = "docs/deploy.md"
+to = "docs/deploy.md"
+
+[tasks]
+file = "tasks.yaml"

package/packs/deploy-vercel/tasks.yaml

@@ -0,0 +1,14 @@
+epic: Deploy
+tasks:
+  - id: DEPLOY-001
+    title: Configure environment variables in Vercel dashboard
+    status: Clarifying
+    acceptance:
+      - Required pack environment variables are present in the Vercel project.
+      - Preview and production values are documented when they differ.
+  - id: DEPLOY-002
+    title: Set up preview deploys for pull requests
+    status: Clarifying
+    acceptance:
+      - Pull requests create Vercel preview deployments.
+      - Preview deployments use non-production credentials where applicable.

package/packs/docker-compose-dev/files/.env.docker.example

@@ -0,0 +1,2 @@
+POSTGRES_PORT=5432
+REDIS_PORT=6379

package/packs/docker-compose-dev/files/compose/redis.yml

@@ -0,0 +1,17 @@
+services:
+  redis:
+    image: redis:7-alpine
+    restart: unless-stopped
+    command: ["redis-server", "--appendonly", "yes"]
+    ports:
+      - "${REDIS_PORT:-6379}:6379"
+    volumes:
+      - redis_data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+volumes:
+  redis_data:

package/packs/docker-compose-dev/files/docker-compose.include.yml

@@ -0,0 +1 @@
+  - compose/redis.yml

package/packs/docker-compose-dev/files/docker-compose.yml

@@ -0,0 +1,6 @@
+# Spark-managed Docker Compose root.
+#
+# Each infra-providing pack appends an entry below. Service definitions live
+# in compose/*.yml fragments. Run with `docker compose up -d` — Compose 2.20+
+# resolves `include:` for you.
+include:

package/packs/docker-compose-dev/pack.toml

@@ -0,0 +1,38 @@
+name = "docker-compose-dev"
+version = "1.0.0"
+category = "infra"
+description = "Local Redis for development via Docker Compose. Composes with db-postgres / sync-zero."
+provides = ["local-runtime"]
+requires = []
+conflicts = []
+requires_runtime = []
+compatible_scaffolds = []
+
+[env]
+optional = ["REDIS_PORT"]
+
+# Compose root + redis fragment. Other infra-providing packs (db-postgres,
+# sync-zero) follow the same pattern: each uses `create-or-skip` to bootstrap
+# the root file, then `append` to add their include line under a marker.
+[[files]]
+mode = "create-or-skip"
+from = "docker-compose.yml"
+to = "docker-compose.yml"
+
+[[files]]
+mode = "create"
+from = "compose/redis.yml"
+to = "compose/redis.yml"
+
+[[files]]
+mode = "append"
+from = "docker-compose.include.yml"
+to = "docker-compose.yml"
+
+[[files]]
+mode = "create"
+from = ".env.docker.example"
+to = ".env.docker.example"
+
+[tasks]
+file = "tasks.yaml"

package/packs/docker-compose-dev/tasks.yaml

@@ -0,0 +1,9 @@
+epic: Infrastructure
+
+tasks:
+  - id: INFRA-001
+    title: Run docker compose up -d and verify Postgres reachable on port 5432
+    status: Clarifying
+    acceptance:
+      - docker compose up -d starts Postgres and Redis containers.
+      - Postgres accepts connections on the configured local port.

package/packs/email-resend/files/app/api/email/test/route.ts

@@ -0,0 +1,38 @@
+import WelcomeEmail from "@/emails/welcome";
+import { sendEmail } from "@/lib/email";
+import { NextResponse, type NextRequest } from "next/server";
+
+export const runtime = "nodejs";
+
+type TestEmailRequest = {
+  to?: string;
+  name?: string;
+  productName?: string;
+};
+
+export async function POST(request: NextRequest) {
+  if (process.env.NODE_ENV !== "development") {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+
+  if (request.headers.get("x-spark-dev-email") !== "true") {
+    return NextResponse.json({ error: "Dev email flag is required" }, { status: 403 });
+  }
+
+  const body = (await request.json().catch(() => ({}))) as TestEmailRequest;
+
+  if (!body.to) {
+    return NextResponse.json({ error: "to is required" }, { status: 400 });
+  }
+
+  const result = await sendEmail({
+    to: body.to,
+    subject: `Welcome to ${body.productName ?? "the app"}`,
+    react: WelcomeEmail({
+      name: body.name,
+      productName: body.productName,
+    }),
+  });
+
+  return NextResponse.json({ id: result.data?.id });
+}