@horka/app-forge 0.1.0

package/templates/core/docs-architecture/SECURITY_USER_URLS.md

@@ -0,0 +1,152 @@
+# Security — User-Supplied URLs (SSRF Defense)
+
+Any feature that makes the server fetch a URL a user typed — webhooks, callbacks, OAuth
+redirect targets, RSS/file imports, link previews, "test my endpoint" buttons — is an SSRF
+vector. An attacker who controls the URL controls where YOUR server sends requests: cloud
+metadata endpoints (instance credentials), internal databases, admin panels, the container
+host. This doc is the mandatory checklist. Skipping a step is a security bug, not a style choice.
+
+## Threat model (30 seconds)
+
+| Target | Payoff for attacker |
+|---|---|
+| `169.254.169.254` (cloud metadata) | Steals instance IAM credentials → full cloud takeover |
+| `localhost:<port>` / loopback | Hits DB, cache, admin APIs bound to loopback "safely" |
+| RFC 1918 ranges | Scans and attacks the internal network from inside |
+| `host.docker.internal` etc. | Escapes container network isolation toward the host |
+
+## The validation pipeline — exact order, no reordering
+
+Order matters: every bypass in the test-vector table below exploits a check done before
+normalization, or a blocklist consulted before the host is in canonical form.
+
+1. **Parse with a real URL parser, then normalize.** Never regex the raw string.
+   - Take `url.host` from the parser — this defuses userinfo tricks
+     (`https://trusted.example@10.0.0.1/` → host is `10.0.0.1`, not `trusted.example`).
+   - Percent-decode the host (`127.0.0.%31` → `127.0.0.1`; fully-encoded `localhost`).
+   - Lowercase. Strip IPv6 brackets and zone IDs (`fe80::1%eth0` → `fe80::1`).
+   - Reject empty/missing host.
+2. **Scheme allowlist: `https` only.** Not a denylist — `http`, `file`, `ftp`, `gopher`,
+   `dict` are all useful to attackers. Check the parsed scheme, not a string prefix.
+3. **Classify the host and reject forbidden destinations** (table below). The host may be:
+   - a dotted-quad IPv4 → check against forbidden ranges;
+   - an IPv4 in disguise — **hex** (`0x7f000001`), **octal** (`017700000001`),
+     **decimal** (`2130706433`), **dotted-octal/hex** (`0177.0.0.1`, `0x7f.0.0.1`) —
+     decode to a real IPv4, then check the ranges;
+   - an IPv6 literal → check v6 ranges; for **IPv4-mapped** (`::ffff:127.0.0.1`) extract
+     the embedded IPv4 and recurse into the IPv4 check;
+   - a hostname → blocklist literal internal names (`localhost`, `*.docker.internal`,
+     `metadata.google.internal`), then **resolve it and validate every returned A/AAAA
+     record** against the same ranges. Validating only the hostname string is not enough.
+4. **Enforce at request time (IO boundary):**
+   - hard timeout per request (≈10 s) — connect AND total;
+   - response-size cap (≈100 KB for webhook acks) — streaming-aware where the client
+     allows it, so the cap limits allocation, not just post-read processing;
+   - **no redirect following** — or re-run steps 1–3 on every `Location` before following.
+     Configure this explicitly and pin it with a test; never rely on a client's default.
+
+## Forbidden destinations
+
+| Range / host | Why |
+|---|---|
+| `0.0.0.0/8`, `127.0.0.0/8` | "this host" + loopback (any `127.x.y.z`, not just `.0.0.1`) |
+| `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16` | RFC 1918 private |
+| `100.64.0.0/10` | Carrier-grade NAT (often internal in cloud VPCs) |
+| `169.254.0.0/16` | Link-local — includes `169.254.169.254` (AWS/GCP/Azure metadata) |
+| `100.100.100.200` | Alibaba Cloud metadata |
+| `::1/128`, `::/128` | IPv6 loopback / unspecified |
+| `fc00::/7` | IPv6 unique-local (ULA) |
+| `fe80::/10` | IPv6 link-local (strip zone ID first) |
+| `::ffff:0:0/96` | IPv4-mapped — extract embedded IPv4, recurse |
+| `64:ff9b::/96` | NAT64 — extract embedded IPv4, recurse |
+| `fd00:ec2::254` | AWS metadata over IPv6 |
+| `localhost`, `*.docker.internal`, `metadata.google.internal` | Literal internal hostnames |
+
+`::ffff:8.8.8.8` and other public IPs stay **allowed** — block by classification,
+not by syntax shape.
+
+## Where it lives in the layers (see ARCHITECTURE_PRINCIPLES.md)
+
+| Brick | Layer | Rule |
+|---|---|---|
+| `UrlSecurityValidator` — parse, normalize, decode IP forms, range classification | **L3 Core Logic** | Pure functions, zero IO. `(String) → Result`. Exhaustively unit-tested against the vector table in milliseconds. |
+| `HostResolving` contract (DNS lookup interface) | **L3** (contract) | Validator takes it injected; tests use a fake resolver. |
+| `HostResolving` impl + the outbound HTTP client wrapper (timeout, size cap, redirect policy) | **L2 Data** | The one sanctioned upward arrow: L2 implements the L3 contract. |
+| Endpoint that accepts the URL (create webhook, import feed…) | **L5** | Calls the L3 validator before anything is persisted. L2 repositories store only already-validated URLs. |
+
+Two hard rules:
+- **One choke point.** Every outbound request to a user-supplied URL goes through a single
+  L2 client wrapper that applies timeout + cap + redirect policy. Per-provider copies drift.
+- **Validate at write time AND at send time.** A URL validated at creation can sit in the
+  DB for months; ranges and blocklists evolve. Re-validate before each dispatch — it's pure
+  L3 logic, it costs microseconds.
+
+> 📖 **War story:** a production team shipped webhook support with the SSRF validation
+> embedded in the L2 repository and the timeout helper copy-pasted into each provider
+> client. Symptom: security tests needed a live database to run, and one provider client
+> silently lacked the size cap. Cause: validation logic and IO enforcement were fused in L2.
+> Fix: extract the validator to L3 (pure, contract-injected resolver), route all dispatch
+> through one L2 wrapper — test suite dropped from integration-only to instant unit tests.
+
+> ⚠️ **Gotcha:** "our HTTP client doesn't follow redirects by default" written in a comment,
+> enforced nowhere. Symptom: none — until a client-library upgrade flips the default and a
+> `302` from a public URL lands on the metadata endpoint. Cause: relying on an undocumented
+> default. Fix: set the redirect policy explicitly in the L2 wrapper config and add a test
+> that asserts a redirecting stub is NOT followed.
+
+## Open-limitations register — mandatory section
+
+A security doc that lists only what it blocks is marketing. List what it does **not**
+defend; honest limits beat false confidence. The curated register below ships with this
+template and is refreshed by `update --apply` — **do not edit it in place** (your changes
+would be overwritten). When YOUR project carries an SSRF limitation specific to its design
+(a domain allowlist you added, an egress rule you rely on, a pin you couldn't implement),
+record it in the **gotchas log in `.claude/memory/PROJECT_STATE.md`** and in
+`.claude/memory/DECISIONS.md` — those files are yours and `update` never touches them.
+
+| # | Limitation | Status |
+|---|---|---|
+| 1 | **DNS rebinding (TOCTOU):** host resolves public at validation, private at request time (attacker controls a low-TTL record). Even resolve-and-validate doesn't close this — only *pinning*: connect to the exact IP you validated (resolver-level pin or custom connect), with correct TLS SNI/hostname verification. | Open unless IP-pinning is implemented. Document it either way. |
+| 2 | **Redirect re-validation:** if any redirect following is ever enabled, each hop is a fresh SSRF unless re-validated. | Closed only by no-redirect or per-hop re-validation. |
+| 3 | **Exotic IP encodings** beyond the tested set (mixed dotted-octal/hex variants differ per OS resolver). Decode-then-classify covers the known set; new forms appear. | Mitigated, not proven complete. |
+| 4 | **Validated-then-stored drift:** DB rows validated under an older blocklist. | Closed by re-validation at send time (rule above). |
+| 5 | **Outbound network egress** is application-level only. Defense in depth = also restrict egress at the network layer (no route to metadata/VPC ranges from app nodes). | Out of scope for app code; flag to ops. |
+
+## Test vectors — the unit-test table for the L3 validator
+
+Every row is one test case. All rejects must fail validation; all allows must pass.
+
+| Vector | Input | Expected |
+|---|---|---|
+| Scheme not https | `http://example.com/hook`, `file:///etc/passwd` | reject |
+| Localhost literal | `https://localhost/hook` | reject |
+| Loopback range | `https://127.0.0.1/`, `https://127.5.6.7/` | reject |
+| This-host | `https://0.0.0.0/` | reject |
+| Decimal IP | `https://2130706433/` (= 127.0.0.1) | reject |
+| Hex IP | `https://0x7f000001/` | reject |
+| Octal IP | `https://017700000001/` | reject |
+| Dotted-octal | `https://0177.0.0.1/` | reject |
+| Private v4 | `https://10.0.0.1/`, `https://172.16.0.1/`, `https://192.168.1.1/` | reject |
+| CGNAT | `https://100.64.0.1/` | reject |
+| Metadata | `https://169.254.169.254/`, `https://100.100.100.200/` | reject |
+| IPv6 loopback | `https://[::1]/`, `https://[0:0:0:0:0:0:0:1]/` | reject |
+| IPv4-mapped private | `https://[::ffff:127.0.0.1]/`, `https://[::ffff:10.0.0.1]/` | reject |
+| IPv4-mapped public | `https://[::ffff:8.8.8.8]/` | allow |
+| IPv6 ULA / link-local | `https://[fd00::1]/`, `https://[fe80::1]/` | reject |
+| Zone ID strip | `https://[fe80::1%25eth0]/` | reject |
+| AWS v6 metadata | `https://[fd00:ec2::254]/` | reject |
+| Percent-encoded octet | `https://127.0.0.%31/` | reject |
+| Percent-encoded host | `https://%6c%6f%63%61%6c%68%6f%73%74/` (= localhost) | reject |
+| Userinfo trick | `https://trusted.example@10.0.0.1/` | reject |
+| Docker host | `https://host.docker.internal/` | reject |
+| Hostname → private (fake resolver) | `https://internal.example/` → resolves `10.0.0.5` | reject |
+| Public hostname | `https://hooks.example-saas.com/T123/B456` | allow |
+| Public IP | `https://8.8.8.8/hook` | allow |
+
+For high-trust contexts (e.g. {{PROJECT_NAME}} only ever calls two known SaaS webhook
+hosts), add a **domain allowlist** on top of — never instead of — this pipeline.
+
+## References
+
+- OWASP SSRF Prevention Cheat Sheet; OWASP Top 10 A10:2021 (SSRF)
+- RFC 1918 (private IPv4), RFC 4193 (IPv6 ULA), RFC 4291 (IPv6 addressing)

package/templates/core/gitignore

@@ -0,0 +1,15 @@
+# Secrets & local env — never commit
+.env
+.env.*
+
+# Dependencies
+node_modules/
+
+# OS noise
+.DS_Store
+
+# Logs
+*.log
+
+# Claude Code local overrides (machine-specific permissions/settings)
+.claude/settings.local.json

package/templates/core/mcp.json

@@ -0,0 +1,8 @@
+{
+  "mcpServers": {
+    "context7": {
+      "command": "npx",
+      "args": ["-y", "@upstash/context7-mcp"]
+    }
+  }
+}

package/templates/packs/nuxt-web/CLAUDE.md

@@ -0,0 +1,74 @@
+# {{PROJECT_NAME}} — Claude Code Operating Manual
+
+This project was scaffolded by **AppForge** (pack: Web/Nuxt): a Claude-Code-first
+architecture extracted from production apps. You (Claude) are the team lead AND the
+primary developer. Follow this manual exactly — it encodes hard-won lessons, not preferences.
+
+## Identity
+- App: **{{PROJECT_NAME}}** · Identifier: `{{BUNDLE_ID}}` · Nuxt 4 / Vue 3 / TypeScript · **SSR ON**
+- Backend: consumed through a typed SDK (the app's L2) when the product has an API — see `SDK_CONTRACT.md`.
+
+## Session protocol (MANDATORY)
+1. **Session start**: run the `restore-context` skill — read `.claude/memory/*.md` before doing anything. Never invent project facts.
+2. **Empty project / new idea**: run the `kickoff` skill — it interviews the user, writes the PRD, plans slices, then builds autonomously.
+3. **After significant work**: update `.claude/memory/PROJECT_STATE.md` (and DECISIONS/NEXT_STEPS when relevant) — `save-context` skill.
+
+## Architecture (read the docs before coding)
+The knowledge base lives in `docs-architecture/`. Read the relevant doc BEFORE touching that area:
+
+| You are about to… | Read first |
+|---|---|
+| understand the layer model (stack-agnostic) | `ARCHITECTURE_PRINCIPLES.md` |
+| plan/deliver slices, validate, update memory | `DELIVERY.md` |
+| product spans repos (API + SDK + clients) | `MULTI_REPO_CONTRACT.md` |
+| consume or ship the typed SDK | `SDK_CONTRACT.md` |
+| accept user-supplied URLs (webhooks…) | `SECURITY_USER_URLS.md` |
+| write any documentation | `DOCS_PLACEMENT.md` |
+| add caching/feature flags/auth shortcuts | `ANTI_PATTERNS.md` |
+| add/move any file, create a feature | `ARCHITECTURE.md` |
+| write any Vue/TS code, fetch data, size a component | `CONVENTIONS.md` |
+| add or change any user-facing string | `I18N.md` |
+| add a page, auth policy, meta tags, sitemap | `SEO_AND_ROUTING.md` |
+| analytics, error handling, logging, flags, deploy | `OPS_WEB.md` |
+
+Layer summary (universal contract in ARCHITECTURE_PRINCIPLES.md, Nuxt mapping in ARCHITECTURE.md):
+L0 `app/assets/css/tokens.css` + `app/utils/` · L1 `app/plugins/` (analytics/logger/flags) +
+`app/constants/` · L2 typed SDK + `app/composables/api/` · L3 `app/domain/` (pure TS — **never
+imports Vue or Nuxt**) + `app/designSystem/` (domain-blind DS modules) · L4 `app/features/` ·
+L5 `app/pages/` + `app/layouts/` + `app/stores/` + `app/middleware/`. Imports point downward only.
+
+> **What ships vs. what you add at kickoff.** The skeleton ships only the always-needed L0/L3/L5
+> floor: `app/assets/css/`, `app/utils/`, `app/domain/`, `app/designSystem/DSButton`, `app/features/`,
+> `app/pages/index.vue`, `app/app.vue`, `server/api/health.get.ts`. The rest of the map above —
+> `app/plugins/`, `app/constants/`, `app/composables/api/`, `app/stores/` (Pinia), `app/middleware/`,
+> `app/layouts/`, `error.vue` — is the **target shape**: create each directory (and add its dep, e.g.
+> `@pinia/nuxt` for stores) the slice it first earns a real file. Don't pre-create empty folders; the
+> map tells you where a thing goes when it lands, not what exists today.
+
+## Non-negotiable rules
+- **Unit tests first**: `npm run test` (vitest, seconds) before any `nuxt build`. Every test script
+  must run from a clean checkout — a script whose dependency isn't installed is testing theater.
+- **Never claim done without proof**: vitest green + `npm run build` green + (for UI) the rendered
+  page actually inspected — browser screenshot, or `curl` the SSR output and grep for the content.
+- **Data fetching**: `useAsyncData`/`useFetch` in setup by default (SSR renders real content).
+  Client-only fetching requires a written `// CLIENT-ONLY:` rationale at the call site.
+- **Design tokens only**: no hex colors, no magic px in components — everything via `var(--ds-*)`.
+- **Auth from route meta**: public pages declare `definePageMeta({ auth: false })`; the global
+  middleware default-denies. Never a name allowlist (SEO_AND_ROUTING.md has the scar).
+- **Component size cap**: 200 lines target, 300 hard — split per CONVENTIONS.md §3.
+- **Analytics through the typed catalog only**; **feature flags fail closed**;
+  **SDK imports from the package root only** (never `…/src/…`).
+- **Memory is law**: contradictions between memory files and code → code wins, then fix the memory file.
+
+## Build commands
+```bash
+npm run test     # vitest unit suite — seconds, ALWAYS first
+npm run build    # nuxt production build
+npm run dev      # eyes-on proof at http://localhost:3000
+```
+E2E: `npx playwright install` once per machine, then `npm run test:e2e`
+(boots its own dev server — see playwright.config.ts).
+
+## Git
+- Never push without explicit user approval. Feature branches; commit format `add/update/fix(scope) - description`.
+- No AI attribution in commits or file headers.

package/templates/packs/nuxt-web/app/app.vue

@@ -0,0 +1,5 @@
+<template>
+  <!-- L5 shell — keep it thin: composition only, no logic, no styling beyond layout. -->
+  <NuxtRouteAnnouncer />
+  <NuxtPage />
+</template>

package/templates/packs/nuxt-web/app/assets/css/main.css

@@ -0,0 +1,18 @@
+/* Base layer — reset + element defaults consuming L0 tokens. No component styles here. */
+*,
+*::before,
+*::after {
+  box-sizing: border-box;
+}
+
+body {
+  margin: 0;
+  font: var(--ds-font-body);
+  color: var(--ds-color-text);
+  background: var(--ds-color-bg);
+}
+
+h1 {
+  margin: 0;
+  font: var(--ds-font-heading);
+}

package/templates/packs/nuxt-web/app/assets/css/tokens.css

@@ -0,0 +1,41 @@
+/*
+ * L0 FOUNDATION — design tokens. The single source of visual truth.
+ * Components consume var(--ds-*) ONLY. A raw hex color or magic px anywhere
+ * else in the app is a bug: add a token here instead.
+ */
+:root {
+  /* color */
+  --ds-color-bg: #ffffff;
+  --ds-color-surface: #f4f5f7;
+  --ds-color-text: #16181d;
+  --ds-color-text-muted: #5c6370;
+  --ds-color-border: #d9dce1;
+  --ds-color-primary: #2952cc;
+  --ds-color-primary-hover: #1f3f9e;
+  --ds-color-on-primary: #ffffff;
+  --ds-color-danger: #c4314b;
+  --ds-color-warning: #b87708;
+  --ds-color-success: #1f7a4d;
+
+  /* spacing — 4px scale */
+  --ds-space-1: 0.25rem;
+  --ds-space-2: 0.5rem;
+  --ds-space-3: 0.75rem;
+  --ds-space-4: 1rem;
+  --ds-space-6: 1.5rem;
+  --ds-space-8: 2rem;
+
+  /* radius & borders */
+  --ds-radius-s: 4px;
+  --ds-radius-m: 8px;
+  --ds-radius-l: 16px;
+  --ds-border-width: 1px;
+
+  /* sizes */
+  --ds-size-content-max: 40rem;
+
+  /* typography */
+  --ds-font-family: ui-sans-serif, system-ui, -apple-system, "Segoe UI", sans-serif;
+  --ds-font-body: 400 1rem/1.5 var(--ds-font-family);
+  --ds-font-heading: 700 1.75rem/1.2 var(--ds-font-family);
+}

package/templates/packs/nuxt-web/app/designSystem/DSButton/components/DSButton.vue

@@ -0,0 +1,70 @@
+<script setup lang="ts">
+import type { DSButtonVariant } from '../types/dsButton'
+
+// L3 Core UI — domain-blind by contract: props are primitives/UI types only.
+// If a prop ever needs a domain model, this component belongs in features/ (L4).
+const props = withDefaults(
+  defineProps<{
+    variant?: DSButtonVariant
+    disabled?: boolean
+    type?: 'button' | 'submit' | 'reset'
+  }>(),
+  { variant: 'primary', disabled: false, type: 'button' },
+)
+
+const emit = defineEmits<{ click: [event: MouseEvent] }>()
+
+function onClick(event: MouseEvent) {
+  if (props.disabled) return
+  emit('click', event)
+}
+</script>
+
+<template>
+  <button
+    class="ds-button"
+    :class="`ds-button--${props.variant}`"
+    :type="props.type"
+    :disabled="props.disabled"
+    @click="onClick"
+  >
+    <slot />
+  </button>
+</template>
+
+<style scoped>
+/* Tokens only — a raw hex value in this file is a review blocker (CONVENTIONS.md §8). */
+.ds-button {
+  font: var(--ds-font-body);
+  padding: var(--ds-space-2) var(--ds-space-4);
+  border-radius: var(--ds-radius-m);
+  border: var(--ds-border-width) solid transparent;
+  cursor: pointer;
+  transition: background-color 120ms ease, opacity 120ms ease;
+}
+
+.ds-button:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+.ds-button--primary {
+  background: var(--ds-color-primary);
+  color: var(--ds-color-on-primary);
+}
+
+.ds-button--primary:hover:not(:disabled) {
+  background: var(--ds-color-primary-hover);
+}
+
+.ds-button--secondary {
+  background: var(--ds-color-surface);
+  color: var(--ds-color-text);
+  border-color: var(--ds-color-border);
+}
+
+.ds-button--ghost {
+  background: transparent;
+  color: var(--ds-color-primary);
+}
+</style>

package/templates/packs/nuxt-web/app/designSystem/DSButton/index.ts

@@ -0,0 +1,4 @@
+// Barrel — the ONLY public surface of this DS module. Cross-module imports go
+// through here: `import { DSButton } from '~/designSystem/DSButton'`.
+export { default as DSButton } from './components/DSButton.vue'
+export * from './types/dsButton'

package/templates/packs/nuxt-web/app/designSystem/DSButton/tests/DSButton.spec.ts

@@ -0,0 +1,34 @@
+import { mount } from '@vue/test-utils'
+import { describe, expect, it } from 'vitest'
+import { DS_BUTTON_VARIANTS, DSButton } from '../index'
+
+// Mounts standalone — no Nuxt context. DS components must stay testable this way
+// (ARCHITECTURE.md §7: fast ground truth without the browser).
+describe('DSButton', () => {
+  it('renders slot content', () => {
+    const wrapper = mount(DSButton, { slots: { default: 'Save changes' } })
+    expect(wrapper.text()).toBe('Save changes')
+  })
+
+  it('defaults to the primary variant', () => {
+    const wrapper = mount(DSButton)
+    expect(wrapper.classes()).toContain('ds-button--primary')
+  })
+
+  it.each(DS_BUTTON_VARIANTS)('applies the %s variant class', (variant) => {
+    const wrapper = mount(DSButton, { props: { variant } })
+    expect(wrapper.classes()).toContain(`ds-button--${variant}`)
+  })
+
+  it('emits click when enabled', async () => {
+    const wrapper = mount(DSButton)
+    await wrapper.trigger('click')
+    expect(wrapper.emitted('click')).toHaveLength(1)
+  })
+
+  it('swallows click when disabled', async () => {
+    const wrapper = mount(DSButton, { props: { disabled: true } })
+    await wrapper.trigger('click')
+    expect(wrapper.emitted('click')).toBeUndefined()
+  })
+})

package/templates/packs/nuxt-web/app/designSystem/DSButton/types/dsButton.ts

@@ -0,0 +1,5 @@
+// Plain .ts, never .d.ts: runtime consts and their derived types live together,
+// and .d.ts files emit no JavaScript (CONVENTIONS.md §1 gotcha).
+export const DS_BUTTON_VARIANTS = ['primary', 'secondary', 'ghost'] as const
+
+export type DSButtonVariant = (typeof DS_BUTTON_VARIANTS)[number]

package/templates/packs/nuxt-web/app/pages/index.vue

@@ -0,0 +1,36 @@
+<script setup lang="ts">
+// Route policy lives ON the route. The default-deny middleware reads this the day
+// auth lands (docs-architecture/SEO_AND_ROUTING.md §2) — the convention starts day one.
+definePageMeta({ auth: false })
+
+useSeoMeta({
+  title: '{{PROJECT_NAME}}',
+  description: '{{PROJECT_NAME}} — replace with the real value proposition.',
+})
+
+// Demo state only. Real pages fetch in setup with useAsyncData (SSR-rendered),
+// never in onMounted — see docs-architecture/CONVENTIONS.md §4.
+const clicks = ref(0)
+</script>
+
+<template>
+  <main class="home">
+    <h1>{{PROJECT_NAME}}</h1>
+    <p>Skeleton is alive. Replace this page with your first vertical slice (DELIVERY.md).</p>
+    <DSButton variant="primary" @click="clicks++">
+      Clicked {{ clicks }} times
+    </DSButton>
+  </main>
+</template>
+
+<style scoped>
+/* Tokens only — see app/assets/css/tokens.css (L0). */
+.home {
+  max-width: var(--ds-size-content-max);
+  margin: 0 auto;
+  padding: var(--ds-space-8) var(--ds-space-4);
+  display: grid;
+  gap: var(--ds-space-4);
+  justify-items: start;
+}
+</style>

package/templates/packs/nuxt-web/claude/memory/COMMANDS.md

@@ -0,0 +1,21 @@
+# {{PROJECT_NAME}} — Commands
+
+> Only commands proven to work in THIS project, with exact flags.
+
+## Daily loop (fast → slow)
+npm install                       # also runs `nuxt prepare` (generates .nuxt/ types)
+npm run test                      # vitest unit suite — seconds, ALWAYS first
+npm run build                     # production build → .output/
+npm run dev                       # dev server, http://localhost:3000
+
+## Proof commands (DELIVERY.md etiquette)
+node .output/server/index.mjs                       # run the production build locally
+curl -s http://localhost:3000/api/health           # the single health endpoint
+curl -s http://localhost:3000/ | grep -i "<h1"     # SSR proof: content present without JS
+
+## E2E (Playwright)
+npx playwright install            # once per machine — downloads browsers
+npm run test:e2e                  # boots its own dev server (webServer in playwright.config.ts)
+
+## Watch modes
+npm run test:watch                # vitest watch