@forgeailab/create-spark 0.1.1 → 0.1.3

package/packs/email-resend/files/emails/welcome.tsx

@@ -0,0 +1,66 @@
+import {
+  Body,
+  Container,
+  Head,
+  Heading,
+  Html,
+  Preview,
+  Section,
+  Text,
+} from "@react-email/components";
+
+export type WelcomeEmailProps = {
+  name?: string;
+  productName?: string;
+};
+
+export default function WelcomeEmail({
+  name = "there",
+  productName = "the app",
+}: WelcomeEmailProps) {
+  return (
+    <Html>
+      <Head />
+      <Preview>Welcome to {productName}</Preview>
+      <Body style={body}>
+        <Container style={container}>
+          <Section>
+            <Heading style={heading}>Welcome, {name}</Heading>
+            <Text style={paragraph}>
+              Your account is ready. You can now continue setting up {productName}.
+            </Text>
+            <Text style={paragraph}>
+              Keep this email as a simple delivery check while the product email
+              system is being wired up.
+            </Text>
+          </Section>
+        </Container>
+      </Body>
+    </Html>
+  );
+}
+
+const body = {
+  backgroundColor: "#f6f7f9",
+  color: "#111827",
+  fontFamily: "Arial, sans-serif",
+};
+
+const container = {
+  backgroundColor: "#ffffff",
+  margin: "40px auto",
+  padding: "32px",
+  maxWidth: "560px",
+};
+
+const heading = {
+  fontSize: "24px",
+  lineHeight: "32px",
+  margin: "0 0 16px",
+};
+
+const paragraph = {
+  fontSize: "16px",
+  lineHeight: "24px",
+  margin: "0 0 16px",
+};

package/packs/email-resend/files/lib/email.ts

@@ -0,0 +1,40 @@
+import type { ReactElement } from "react";
+import { Resend } from "resend";
+
+function requireEnv(name: string): string {
+  const value = process.env[name];
+
+  if (!value) {
+    throw new Error(`Missing required environment variable: ${name}`);
+  }
+
+  return value;
+}
+
+export const resend = new Resend(requireEnv("RESEND_API_KEY"));
+
+export type SendEmailInput = {
+  to: string | string[];
+  subject: string;
+  from?: string;
+  replyTo?: string | string[];
+  react?: ReactElement;
+  html?: string;
+  text?: string;
+};
+
+export async function sendEmail(input: SendEmailInput) {
+  if (!input.react && !input.html && !input.text) {
+    throw new Error("sendEmail requires react, html, or text content");
+  }
+
+  return resend.emails.send({
+    from: input.from ?? process.env.RESEND_FROM ?? "App <onboarding@resend.dev>",
+    to: input.to,
+    subject: input.subject,
+    replyTo: input.replyTo,
+    react: input.react,
+    html: input.html,
+    text: input.text,
+  });
+}

package/packs/email-resend/pack.toml

@@ -0,0 +1,34 @@
+name = "email-resend"
+version = "1.0.0"
+category = "email"
+description = "Resend client wrapper, React Email welcome template, and dev test route."
+provides = ["email"]
+requires = []
+conflicts = []
+requires_runtime = ["server"]
+compatible_scaffolds = ["nextjs"]
+
+[dependencies]
+runtime = ["resend", "react-email", "@react-email/components"]
+
+[env]
+required = ["RESEND_API_KEY"]
+optional = ["RESEND_FROM"]
+
+[[files]]
+mode = "create"
+from = "lib/email.ts"
+to = "lib/email.ts"
+
+[[files]]
+mode = "create"
+from = "emails/welcome.tsx"
+to = "emails/welcome.tsx"
+
+[[files]]
+mode = "create"
+from = "app/api/email/test/route.ts"
+to = "app/api/email/test/route.ts"
+
+[tasks]
+file = "tasks.yaml"

package/packs/email-resend/tasks.yaml

@@ -0,0 +1,9 @@
+epic: Email
+
+tasks:
+  - id: EMAIL-001
+    title: Verify sender domain in Resend dashboard
+    status: Clarifying
+    acceptance:
+      - Resend sender domain is verified for the production domain.
+      - RESEND_FROM uses the verified sender domain.

package/packs/example/pack.toml

@@ -0,0 +1,69 @@
+# Documentation-only example pack manifest.
+# Real installable pack names must match /^[a-z][a-z0-9-]*$/.
+name = "example"
+
+# Semver version for this pack.
+version = "1.0.0"
+
+# Catalog grouping. This example demonstrates a database capability.
+category = "db"
+
+# One-line human summary shown by future catalog commands.
+description = "Example database pack covering every manifest field."
+
+# Capabilities this pack adds to the project.
+provides = ["db"]
+
+# Capabilities that must already exist or be installed in the same plan.
+requires = []
+
+# Capabilities that cannot coexist with this pack.
+conflicts = ["db"]
+
+# Template capabilities required from the active scaffold.
+requires_runtime = ["server"]
+
+# Named scaffold restriction. Empty or missing means no named restriction.
+compatible_scaffolds = ["nextjs"]
+
+# Runtime and development npm dependencies to install with Bun.
+[dependencies]
+runtime = ["example-db@^1.0.0"]
+dev = ["example-db-cli@^1.0.0"]
+
+# Environment variables used by this pack.
+[env]
+required = ["EXAMPLE_DATABASE_URL"]
+optional = ["EXAMPLE_DATABASE_POOL_SIZE"]
+
+# Create mode writes a new file and refuses to overwrite an existing target.
+[[files]]
+mode = "create"
+from = "lib/example-db.ts"
+to = "lib/example-db.ts"
+
+# Append mode inserts a marked block once and stays idempotent on re-run.
+[[files]]
+mode = "append"
+from = "env.example"
+to = ".env.example"
+
+# merge-json mode deep-merges JSON with deterministic key ordering.
+[[files]]
+mode = "merge-json"
+from = "package.patch.json"
+to = "package.json"
+
+# Template mode renders Handlebars-style variables from spark.config.json.
+[[files]]
+mode = "template"
+from = "lib/example-client.ts.hbs"
+to = "lib/example-client.ts"
+
+# Skills copied into .claude/skills and mirrored into .codex/skills.
+[skills]
+copy = ["skills/example-db-patterns"]
+
+# Board tasks seeded into .ai/board.md during installation.
+[tasks]
+file = "tasks.yaml"

package/packs/payments-stripe/files/app/api/billing-portal/route.ts

@@ -0,0 +1,24 @@
+import { stripe } from "@/lib/stripe";
+import { NextResponse, type NextRequest } from "next/server";
+
+export const runtime = "nodejs";
+
+type PortalRequest = {
+  customerId?: string;
+  returnUrl?: string;
+};
+
+export async function POST(request: NextRequest) {
+  const body = (await request.json().catch(() => ({}))) as PortalRequest;
+
+  if (!body.customerId) {
+    return NextResponse.json({ error: "customerId is required" }, { status: 400 });
+  }
+
+  const session = await stripe.billingPortal.sessions.create({
+    customer: body.customerId,
+    return_url: body.returnUrl ?? `${request.nextUrl.origin}/billing`,
+  });
+
+  return NextResponse.redirect(session.url, 303);
+}

package/packs/payments-stripe/files/app/api/checkout/route.ts

@@ -0,0 +1,58 @@
+import { stripe } from "@/lib/stripe";
+import { NextResponse, type NextRequest } from "next/server";
+
+export const runtime = "nodejs";
+
+type CheckoutRequest = {
+  priceId?: string;
+  customerId?: string;
+  customerEmail?: string;
+  successUrl?: string;
+  cancelUrl?: string;
+  metadata?: Record<string, string>;
+};
+
+function isMetadata(value: unknown): value is Record<string, string> {
+  return (
+    typeof value === "object" &&
+    value !== null &&
+    !Array.isArray(value) &&
+    Object.values(value).every((entry) => typeof entry === "string")
+  );
+}
+
+export async function POST(request: NextRequest) {
+  const body = (await request.json().catch(() => ({}))) as CheckoutRequest;
+
+  if (!body.priceId) {
+    return NextResponse.json({ error: "priceId is required" }, { status: 400 });
+  }
+
+  if (!body.customerId && !body.customerEmail) {
+    return NextResponse.json(
+      { error: "customerId or customerEmail is required" },
+      { status: 400 },
+    );
+  }
+
+  const origin = request.nextUrl.origin;
+  const metadata = isMetadata(body.metadata) ? body.metadata : undefined;
+
+  const session = await stripe.checkout.sessions.create({
+    mode: "subscription",
+    customer: body.customerId,
+    customer_email: body.customerId ? undefined : body.customerEmail,
+    line_items: [
+      {
+        price: body.priceId,
+        quantity: 1,
+      },
+    ],
+    allow_promotion_codes: true,
+    success_url: body.successUrl ?? `${origin}/billing/success?session_id={CHECKOUT_SESSION_ID}`,
+    cancel_url: body.cancelUrl ?? `${origin}/billing`,
+    metadata,
+  });
+
+  return NextResponse.json({ id: session.id, url: session.url });
+}

package/packs/payments-stripe/files/app/api/webhooks/stripe/route.ts

@@ -0,0 +1,84 @@
+import { stripe } from "@/lib/stripe";
+import { headers } from "next/headers";
+import { NextResponse, type NextRequest } from "next/server";
+import type Stripe from "stripe";
+
+export const runtime = "nodejs";
+
+async function hasProcessedStripeEvent(_eventId: string): Promise<boolean> {
+  // Replace with a durable lookup in the app database before going live.
+  return false;
+}
+
+async function markStripeEventProcessed(_eventId: string): Promise<void> {
+  // Replace with an atomic insert keyed by Stripe event id before going live.
+}
+
+async function handleCheckoutCompleted(session: Stripe.Checkout.Session): Promise<void> {
+  console.log("Stripe checkout completed", {
+    customer: session.customer,
+    subscription: session.subscription,
+  });
+}
+
+async function handleSubscriptionUpdated(subscription: Stripe.Subscription): Promise<void> {
+  console.log("Stripe subscription updated", {
+    customer: subscription.customer,
+    status: subscription.status,
+  });
+}
+
+async function handleSubscriptionDeleted(subscription: Stripe.Subscription): Promise<void> {
+  console.log("Stripe subscription deleted", {
+    customer: subscription.customer,
+    status: subscription.status,
+  });
+}
+
+async function dispatchStripeEvent(event: Stripe.Event): Promise<void> {
+  switch (event.type) {
+    case "checkout.session.completed":
+      await handleCheckoutCompleted(event.data.object as Stripe.Checkout.Session);
+      break;
+    case "customer.subscription.created":
+    case "customer.subscription.updated":
+      await handleSubscriptionUpdated(event.data.object as Stripe.Subscription);
+      break;
+    case "customer.subscription.deleted":
+      await handleSubscriptionDeleted(event.data.object as Stripe.Subscription);
+      break;
+    default:
+      console.log(`Unhandled Stripe event: ${event.type}`);
+  }
+}
+
+export async function POST(request: NextRequest) {
+  const body = await request.text();
+  const signature = (await headers()).get("stripe-signature");
+
+  if (!signature) {
+    return NextResponse.json({ error: "Missing stripe-signature header" }, { status: 400 });
+  }
+
+  let event: Stripe.Event;
+
+  try {
+    event = stripe.webhooks.constructEvent(
+      body,
+      signature,
+      process.env.STRIPE_WEBHOOK_SECRET ?? "",
+    );
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Invalid Stripe signature";
+    return NextResponse.json({ error: message }, { status: 400 });
+  }
+
+  if (await hasProcessedStripeEvent(event.id)) {
+    return NextResponse.json({ received: true, duplicate: true });
+  }
+
+  await dispatchStripeEvent(event);
+  await markStripeEventProcessed(event.id);
+
+  return NextResponse.json({ received: true });
+}

package/packs/payments-stripe/files/lib/stripe.ts

@@ -0,0 +1,60 @@
+import {
+  createStripeClient,
+  createCheckoutSession as createStripeCheckoutSession,
+  createBillingPortalSession as createStripeBillingPortalSession,
+  verifyWebhookSignature as verifyStripeWebhookSignature,
+} from '@forgeailab/spark-stripe-helpers';
+
+function requireEnv(name: string): string {
+  const value = process.env[name];
+  if (!value) {
+    throw new Error(`Missing required environment variable: ${name}`);
+  }
+  return value;
+}
+
+export const stripe = createStripeClient(requireEnv('STRIPE_SECRET_KEY'), {
+  appInfo: { name: 'spark payments-stripe' },
+});
+
+export function getStripePublishableKey(): string {
+  return requireEnv('NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY');
+}
+
+export type CheckoutInput = {
+  origin: string;
+  priceId: string;
+  customerEmail?: string;
+  customerId?: string;
+  successUrl?: string;
+  cancelUrl?: string;
+  metadata?: Record<string, string>;
+};
+
+export async function createCheckoutSession(input: CheckoutInput) {
+  return createStripeCheckoutSession(stripe, {
+    priceId: input.priceId,
+    customerId: input.customerId,
+    customerEmail: input.customerEmail,
+    successUrl:
+      input.successUrl ?? `${input.origin}/billing/success?session_id={CHECKOUT_SESSION_ID}`,
+    cancelUrl: input.cancelUrl ?? `${input.origin}/billing`,
+    metadata: input.metadata,
+  });
+}
+
+export type PortalInput = { customerId: string; returnUrl: string };
+
+export async function createBillingPortalSession(input: PortalInput) {
+  return createStripeBillingPortalSession(stripe, input);
+}
+
+export type WebhookInput = { payload: string; signature: string; secret?: string };
+
+export function verifyWebhookSignature(input: WebhookInput) {
+  return verifyStripeWebhookSignature(stripe, {
+    payload: input.payload,
+    signatureHeader: input.signature,
+    secret: input.secret ?? requireEnv('STRIPE_WEBHOOK_SECRET'),
+  });
+}

package/packs/payments-stripe/pack.toml

@@ -0,0 +1,49 @@
+name = "payments-stripe"
+version = "1.0.0"
+category = "payments"
+description = "Stripe Checkout, customer portal, and webhook handlers for subscriptions."
+provides = ["payments"]
+requires = ["db", "auth"]
+conflicts = ["payments"]
+requires_runtime = ["server"]
+compatible_scaffolds = ["nextjs"]
+
+[runtime_package]
+package = "@forgeailab/spark-stripe-helpers"
+version = "^0.1"
+
+[dependencies]
+runtime = ["@stripe/stripe-js"]
+
+[env]
+required = [
+  "STRIPE_SECRET_KEY",
+  "STRIPE_WEBHOOK_SECRET",
+  "NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY",
+]
+
+[[files]]
+mode = "create"
+from = "lib/stripe.ts"
+to = "lib/stripe.ts"
+
+[[files]]
+mode = "create"
+from = "app/api/checkout/route.ts"
+to = "app/api/checkout/route.ts"
+
+[[files]]
+mode = "create"
+from = "app/api/webhooks/stripe/route.ts"
+to = "app/api/webhooks/stripe/route.ts"
+
+[[files]]
+mode = "create"
+from = "app/api/billing-portal/route.ts"
+to = "app/api/billing-portal/route.ts"
+
+[skills]
+copy = ["skills/stripe-patterns"]
+
+[tasks]
+file = "tasks.yaml"

package/packs/payments-stripe/skills/stripe-patterns/SKILL.md

@@ -0,0 +1,93 @@
+---
+name: stripe-patterns
+description: Build Stripe subscription flows with Checkout, Billing Portal, and signed webhooks. Use when implementing or reviewing billing behavior after the payments-stripe pack is installed.
+allowed-tools:
+  - Read
+  - Write
+  - Edit
+  - Bash
+---
+
+# Skill: stripe-patterns
+
+## Goal
+
+Ship a small, reliable subscription billing slice: Checkout creates the initial
+subscription, Billing Portal handles plan and payment-method changes, and
+webhooks update the app database as the billing source of truth changes.
+
+## Recommended model
+
+Opus 4.7 or GPT-5.5 for pricing and lifecycle decisions. Sonnet 4.6 or GPT-5
+family executor for routine route and UI wiring.
+
+## Inputs
+
+Read these before changing billing code:
+
+- `.ai/product-spec.md` for the monetization promise and non-goals
+- `.ai/architecture.md` for the chosen auth and database providers
+- `.ai/board.md` for the exact billing task and acceptance criteria
+- `lib/stripe.ts` for shared Stripe client setup
+- `app/api/webhooks/stripe/route.ts` for event handling
+
+If the spec does not say what users buy or what paid access unlocks, stop and
+ask. Do not invent pricing rules inside implementation.
+
+## Subscription Model
+
+- Treat Stripe as the source of truth for payment state.
+- Treat the app database as a query cache for product access decisions.
+- Store Stripe customer id on the app user or organization record.
+- Store subscription id, price id, status, current period dates, and cancel flag.
+- Grant access from database state, not from client-side checkout responses.
+- Prefer Stripe Checkout for first purchase and Billing Portal for later changes.
+- Keep product and price creation in the Stripe dashboard unless the board says
+  the product catalog must be managed in-app.
+
+## Webhook Rules
+
+- Verify signatures with `STRIPE_WEBHOOK_SECRET` and the raw request body.
+- Process webhooks idempotently by storing Stripe event ids in the database.
+- Use an atomic insert or unique index for event id de-duplication.
+- Acknowledge duplicate events with success, not an error.
+- Update access on `checkout.session.completed`,
+  `customer.subscription.updated`, and `customer.subscription.deleted`.
+- Add invoice event handling only when the product spec needs grace periods,
+  failed payment messaging, or invoice history.
+
+## Checkout Rules
+
+- Never accept price amounts from the browser.
+- Accept only Stripe price ids that the server has allowlisted or loaded from
+  trusted configuration.
+- Create or reuse exactly one Stripe customer for each billable account.
+- Send stable metadata, such as user id or organization id, on Checkout Sessions.
+- Redirect only to same-origin success and cancel URLs unless explicitly needed.
+
+## Customer Portal Rules
+
+- Require an authenticated user before creating a portal session.
+- Resolve the Stripe customer id from the database, not from request body trust.
+- Use the portal for payment method changes, cancellations, and plan changes
+  unless custom billing UX is required by the board.
+
+## Common Pitfalls
+
+- Do not mark a user paid immediately after `checkout.sessions.create`.
+- Do not parse JSON before webhook signature verification.
+- Do not skip webhook idempotency because Stripe retries events.
+- Do not trust `customerEmail` as identity; it is only a checkout convenience.
+- Do not create a new customer on every checkout attempt.
+- Do not build custom plan management before Billing Portal is exhausted.
+
+## Verification
+
+Use Stripe CLI forwarding for local webhook tests:
+
+```bash
+stripe listen --forward-to localhost:3000/api/webhooks/stripe
+```
+
+Then create a Checkout Session, complete the test payment, and confirm the app
+database changes only after the signed webhook is processed.

package/packs/payments-stripe/tasks.yaml

@@ -0,0 +1,16 @@
+epic: Payments
+
+tasks:
+  - id: PAY-001
+    title: Configure products + prices in Stripe dashboard
+    status: Clarifying
+    acceptance:
+      - Stripe dashboard has at least one active subscription product and recurring price.
+      - The selected price ID is available to the checkout flow.
+
+  - id: PAY-002
+    title: Test webhook signing locally with stripe listen
+    status: Clarifying
+    acceptance:
+      - Local webhook forwarding reaches app/api/webhooks/stripe.
+      - A signed test event is accepted and unsigned payloads are rejected.

package/packs/sync-zero/files/components/ZeroProvider.tsx

@@ -0,0 +1,3 @@
+'use client';
+
+export { ZeroProvider } from '@forgeailab/spark-sync-zero';

package/packs/sync-zero/files/compose/zero-cache.yml

@@ -0,0 +1,26 @@
+services:
+  zero-cache:
+    image: rocicorp/zero:latest
+    restart: unless-stopped
+    environment:
+      ZERO_UPSTREAM_DB: ${ZERO_UPSTREAM_DB}
+      ZERO_CVR_DB: ${ZERO_CVR_DB:-${ZERO_UPSTREAM_DB}_cvr}
+      ZERO_CHANGE_DB: ${ZERO_CHANGE_DB:-${ZERO_UPSTREAM_DB}_change}
+      ZERO_REPLICA_FILE: /zero/replica.db
+      ZERO_AUTH_SECRET: ${ZERO_AUTH_SECRET}
+      ZERO_ADMIN_PASSWORD: ${ZERO_ADMIN_PASSWORD:-change-me}
+      ZERO_PUSH_URL: ${ZERO_PUSH_URL:-http://host.docker.internal:3000/api/zero/mutate}
+      ZERO_LOG_LEVEL: ${ZERO_LOG_LEVEL:-info}
+      ZERO_NUM_SYNC_WORKERS: "1"
+    ports:
+      - "${ZERO_PORT:-4848}:4848"
+    volumes:
+      - zero_data:/zero
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    depends_on:
+      postgres:
+        condition: service_healthy
+
+volumes:
+  zero_data:

package/packs/sync-zero/files/docker-compose.include.yml

@@ -0,0 +1 @@
+  - compose/zero-cache.yml

package/packs/sync-zero/files/docker-compose.yml

@@ -0,0 +1,6 @@
+# Spark-managed Docker Compose root.
+#
+# Each infra-providing pack appends an entry below. Service definitions live
+# in compose/*.yml fragments. Run with `docker compose up -d` — Compose 2.20+
+# resolves `include:` for you.
+include:

package/packs/sync-zero/files/lib/zero/client.ts

@@ -0,0 +1,18 @@
+'use client';
+
+import { createZeroClient as createSparkZeroClient } from '@forgeailab/spark-sync-zero';
+import type { ZeroOptions } from '@forgeailab/spark-sync-zero';
+import { schema } from './schema';
+
+const DEFAULT_ZERO_URL = 'http://localhost:4848';
+
+export function createZeroOptions(): ZeroOptions {
+  return {
+    cacheURL: process.env.NEXT_PUBLIC_ZERO_URL ?? DEFAULT_ZERO_URL,
+    schema,
+  };
+}
+
+export function createZeroClient(options: ZeroOptions = createZeroOptions()) {
+  return createSparkZeroClient(options);
+}