@idevconn/create-icore 0.3.1 → 0.4.1

package/templates/.yarnrc.yml

@@ -1,7 +1,12 @@
+approvedGitRepositories:
+  - "**"
+
 enableGlobalCache: true
 
 enableScripts: true
 
 nodeLinker: node-modules
 
-yarnPath: .yarn/releases/yarn-4.5.0.cjs
+npmMinimalAgeGate: 0
+
+yarnPath: .yarn/releases/yarn-4.15.0.cjs

package/templates/apps/microservices/auth/src/app/app.module.ts

@@ -5,7 +5,9 @@ import { createClient } from '@supabase/supabase-js';
 import * as admin from 'firebase-admin';
 import { SupabaseAuthStrategy } from '@icore/auth-supabase';
 import { FirebaseAuthStrategy, HttpIdentityToolkitClient } from '@icore/auth-firebase';
+import { FakeAuthStrategy } from '@icore/shared';
 import type { AuthStrategy } from '@icore/shared';
+import { Logger } from '@nestjs/common';
 import { AuthController } from './auth.controller';
 
 function requireEnv(cfg: ConfigService, key: string): string {
@@ -47,20 +49,28 @@ function makeFirebaseStrategy(cfg: ConfigService): AuthStrategy {
     {
       provide: 'AuthStrategy',
       useFactory: (cfg: ConfigService): AuthStrategy => {
-        const provider = requireEnv(cfg, 'AUTH_PROVIDER');
-        switch (provider) {
-          case 'supabase': {
-            const client = createClient(
-              requireEnv(cfg, 'SUPABASE_URL'),
-              requireEnv(cfg, 'SUPABASE_SERVICE_ROLE_KEY'),
-              { auth: { autoRefreshToken: false, persistSession: false } },
-            );
-            return new SupabaseAuthStrategy({ client });
+        try {
+          const provider = requireEnv(cfg, 'AUTH_PROVIDER');
+          switch (provider) {
+            case 'supabase': {
+              const client = createClient(
+                requireEnv(cfg, 'SUPABASE_URL'),
+                requireEnv(cfg, 'SUPABASE_SERVICE_ROLE_KEY'),
+                { auth: { autoRefreshToken: false, persistSession: false } },
+              );
+              return new SupabaseAuthStrategy({ client });
+            }
+            case 'firebase':
+              return makeFirebaseStrategy(cfg);
+            default:
+              throw new Error(`Unsupported AUTH_PROVIDER: ${provider}`);
           }
-          case 'firebase':
-            return makeFirebaseStrategy(cfg);
-          default:
-            throw new Error(`Unsupported AUTH_PROVIDER: ${provider}`);
+        } catch (err) {
+          new Logger('AuthStrategy').warn(
+            `Not configured: ${err instanceof Error ? err.message : String(err)}. ` +
+              `Requests will fail until apps/microservices/auth/.env is set.`,
+          );
+          return new FakeAuthStrategy();
         }
       },
       inject: [ConfigService],

package/templates/apps/microservices/notes/src/app/app.module.ts

@@ -5,7 +5,9 @@ import { createClient } from '@supabase/supabase-js';
 import * as admin from 'firebase-admin';
 import { SupabaseDBStrategy } from '@icore/db-supabase';
 import { FirestoreDBStrategy } from '@icore/db-firestore';
+import { FakeDBStrategy } from '@icore/shared';
 import type { DBStrategy } from '@icore/shared';
+import { Logger } from '@nestjs/common';
 import { NotesController } from './notes.controller';
 
 function requireEnv(cfg: ConfigService, key: string): string {
@@ -29,32 +31,40 @@ function requireEnv(cfg: ConfigService, key: string): string {
     {
       provide: 'DBStrategy',
       useFactory: (cfg: ConfigService): DBStrategy => {
-        const provider = requireEnv(cfg, 'DB_PROVIDER');
-        if (provider === 'supabase') {
-          const client = createClient(
-            requireEnv(cfg, 'SUPABASE_URL'),
-            requireEnv(cfg, 'SUPABASE_SERVICE_ROLE_KEY'),
-            { auth: { autoRefreshToken: false, persistSession: false } },
-          );
-          return new SupabaseDBStrategy({ client });
-        }
-        if (provider === 'firestore' || provider === 'firebase') {
-          if (admin.apps.length === 0) {
-            admin.initializeApp({
-              credential: admin.credential.cert({
-                projectId: requireEnv(cfg, 'FB_ADMIN_PROJECT_ID'),
-                clientEmail: requireEnv(cfg, 'FB_ADMIN_CLIENT_EMAIL'),
-                privateKey: requireEnv(cfg, 'FB_ADMIN_PRIVATE_KEY').replace(/\\n/g, '\n'),
-              }),
+        try {
+          const provider = requireEnv(cfg, 'DB_PROVIDER');
+          if (provider === 'supabase') {
+            const client = createClient(
+              requireEnv(cfg, 'SUPABASE_URL'),
+              requireEnv(cfg, 'SUPABASE_SERVICE_ROLE_KEY'),
+              { auth: { autoRefreshToken: false, persistSession: false } },
+            );
+            return new SupabaseDBStrategy({ client });
+          }
+          if (provider === 'firestore' || provider === 'firebase') {
+            if (admin.apps.length === 0) {
+              admin.initializeApp({
+                credential: admin.credential.cert({
+                  projectId: requireEnv(cfg, 'FB_ADMIN_PROJECT_ID'),
+                  clientEmail: requireEnv(cfg, 'FB_ADMIN_CLIENT_EMAIL'),
+                  privateKey: requireEnv(cfg, 'FB_ADMIN_PRIVATE_KEY').replace(/\\n/g, '\n'),
+                }),
+              });
+            }
+            return new FirestoreDBStrategy({
+              db: admin.firestore() as unknown as ConstructorParameters<
+                typeof FirestoreDBStrategy
+              >[0]['db'],
             });
           }
-          return new FirestoreDBStrategy({
-            db: admin.firestore() as unknown as ConstructorParameters<
-              typeof FirestoreDBStrategy
-            >[0]['db'],
-          });
+          throw new Error(`Unsupported DB_PROVIDER: ${provider}`);
+        } catch (err) {
+          new Logger('DBStrategy').warn(
+            `Not configured: ${err instanceof Error ? err.message : String(err)}. ` +
+              `Requests will fail until apps/microservices/notes/.env is set.`,
+          );
+          return new FakeDBStrategy();
         }
-        throw new Error(`Unsupported DB_PROVIDER: ${provider}`);
       },
       inject: [ConfigService],
     },

package/templates/apps/microservices/upload/src/app/app.module.ts

@@ -7,7 +7,9 @@ import { v2 as cloudinary } from 'cloudinary';
 import { SupabaseStorageStrategy } from '@icore/storage-supabase';
 import { FirebaseStorageStrategy } from '@icore/storage-firebase';
 import { CloudinaryStorageStrategy, type CloudinaryApiLike } from '@icore/storage-cloudinary';
+import { FakeStorageStrategy } from '@icore/shared';
 import type { StorageStrategy } from '@icore/shared';
+import { Logger } from '@nestjs/common';
 import { StorageController } from './storage.controller';
 
 function requireEnv(cfg: ConfigService, key: string): string {
@@ -95,25 +97,33 @@ function makeCloudinaryStorage(cfg: ConfigService): StorageStrategy {
     {
       provide: 'StorageStrategy',
       useFactory: (cfg: ConfigService): StorageStrategy => {
-        const provider = requireEnv(cfg, 'STORAGE_PROVIDER');
-        switch (provider) {
-          case 'supabase': {
-            const client = createClient(
-              requireEnv(cfg, 'SUPABASE_URL'),
-              requireEnv(cfg, 'SUPABASE_SERVICE_ROLE_KEY'),
-              { auth: { autoRefreshToken: false, persistSession: false } },
-            );
-            return new SupabaseStorageStrategy({
-              client,
-              bucket: requireEnv(cfg, 'SUPABASE_STORAGE_BUCKET'),
-            });
+        try {
+          const provider = requireEnv(cfg, 'STORAGE_PROVIDER');
+          switch (provider) {
+            case 'supabase': {
+              const client = createClient(
+                requireEnv(cfg, 'SUPABASE_URL'),
+                requireEnv(cfg, 'SUPABASE_SERVICE_ROLE_KEY'),
+                { auth: { autoRefreshToken: false, persistSession: false } },
+              );
+              return new SupabaseStorageStrategy({
+                client,
+                bucket: requireEnv(cfg, 'SUPABASE_STORAGE_BUCKET'),
+              });
+            }
+            case 'firebase':
+              return makeFirebaseStorage(cfg);
+            case 'cloudinary':
+              return makeCloudinaryStorage(cfg);
+            default:
+              throw new Error(`Unsupported STORAGE_PROVIDER: ${provider}`);
           }
-          case 'firebase':
-            return makeFirebaseStorage(cfg);
-          case 'cloudinary':
-            return makeCloudinaryStorage(cfg);
-          default:
-            throw new Error(`Unsupported STORAGE_PROVIDER: ${provider}`);
+        } catch (err) {
+          new Logger('StorageStrategy').warn(
+            `Not configured: ${err instanceof Error ? err.message : String(err)}. ` +
+              `Requests will fail until apps/microservices/upload/.env is set.`,
+          );
+          return new FakeStorageStrategy();
         }
       },
       inject: [ConfigService],

package/templates/apps/templates/client-antd/vite.config.mts

@@ -2,9 +2,16 @@
 import fs from 'node:fs';
 import { defineConfig } from 'vite';
 import react from '@vitejs/plugin-react';
-import { TanStackRouterVite } from '@tanstack/router-plugin/vite';
+import { tanstackRouter } from '@tanstack/router-plugin/vite';
 import { nxViteTsPaths } from '@nx/vite/plugins/nx-tsconfig-paths.plugin';
 import { nxCopyAssetsPlugin } from '@nx/vite/plugins/nx-copy-assets.plugin';
+import {
+  commonDefines,
+  commonManualChunks,
+  commonTestConfig,
+  injectAppVersionPlugin,
+  noServerModulesPlugin,
+} from '@icore/vite-plugins';
 
 const rootPackageJsonPath = new URL('../../../package.json', import.meta.url);
 const rootPackageJson = JSON.parse(fs.readFileSync(rootPackageJsonPath, 'utf-8')) as {
@@ -14,11 +21,7 @@ const rootPackageJson = JSON.parse(fs.readFileSync(rootPackageJsonPath, 'utf-8')
 };
 
 function depVersion(name: string): string {
-  return (
-    rootPackageJson.dependencies?.[name] ??
-    rootPackageJson.devDependencies?.[name] ??
-    '?'
-  );
+  return rootPackageJson.dependencies?.[name] ?? rootPackageJson.devDependencies?.[name] ?? '?';
 }
 
 export default defineConfig(() => ({
@@ -33,22 +36,11 @@ export default defineConfig(() => ({
     host: 'localhost',
   },
   define: {
-    'import.meta.env.VITE_APP_VERSION': JSON.stringify(rootPackageJson.version),
-    // Dep versions injected at build time so routes don't need JSON imports
-    'import.meta.env.VITE_DEP_REACT': JSON.stringify(depVersion('react')),
+    ...commonDefines(rootPackageJson),
     'import.meta.env.VITE_DEP_ANTD': JSON.stringify(depVersion('antd')),
-    'import.meta.env.VITE_DEP_VITE': JSON.stringify(depVersion('vite')),
-    'import.meta.env.VITE_DEP_TANSTACK_ROUTER': JSON.stringify(
-      depVersion('@tanstack/react-router'),
-    ),
-    'import.meta.env.VITE_DEP_TANSTACK_QUERY': JSON.stringify(
-      depVersion('@tanstack/react-query'),
-    ),
-    'import.meta.env.VITE_DEP_ZUSTAND': JSON.stringify(depVersion('zustand')),
-    'import.meta.env.VITE_DEP_CASL': JSON.stringify(depVersion('@casl/ability')),
   },
   plugins: [
-    TanStackRouterVite({
+    tanstackRouter({
       target: 'react',
       autoCodeSplitting: true,
       routeFileIgnorePattern: '(__tests__|\\.test\\.(t|j)sx?$)',
@@ -56,12 +48,8 @@ export default defineConfig(() => ({
     react(),
     nxViteTsPaths(),
     nxCopyAssetsPlugin(['*.md']),
-    {
-      name: 'inject-app-version-meta',
-      transformIndexHtml(html: string) {
-        return html.replace('%APP_VERSION%', rootPackageJson.version);
-      },
-    },
+    noServerModulesPlugin(),
+    injectAppVersionPlugin(rootPackageJson),
   ],
   // Uncomment this if you are using workers.
   // worker: {
@@ -76,32 +64,12 @@ export default defineConfig(() => ({
     },
     rolldownOptions: {
       output: {
-        manualChunks: (id: string) => {
-          if (!id.includes('node_modules')) return;
-          if (id.includes('/react/') || id.includes('/react-dom/') || id.includes('scheduler'))
-            return 'vendor-react';
-          if (id.includes('@tanstack')) return 'vendor-tanstack';
-          if (id.includes('i18next') || id.includes('react-i18next')) return 'vendor-i18n';
-          if (id.includes('@casl')) return 'vendor-casl';
+        manualChunks: commonManualChunks((id) => {
           if (id.includes('/antd/') || id.includes('@ant-design') || id.includes('rc-'))
             return 'vendor-antd';
-          if (id.includes('zustand')) return 'vendor-state';
-          if (id.includes('@idevconn')) return 'vendor-idevconn';
-          return 'vendor-core';
-        },
+        }),
       },
     },
   },
-  test: {
-    name: 'client-antd',
-    watch: false,
-    globals: true,
-    environment: 'jsdom',
-    include: ['{src,tests}/**/*.{test,spec}.{js,mjs,cjs,ts,mts,cts,jsx,tsx}'],
-    reporters: ['default'],
-    coverage: {
-      reportsDirectory: '../../../coverage/apps/templates/client-antd',
-      provider: 'v8' as const,
-    },
-  },
+  test: commonTestConfig('client-antd', '../../../coverage/apps/templates/client-antd'),
 }));

package/templates/apps/templates/client-mui/vite.config.mts

@@ -2,9 +2,16 @@
 import fs from 'node:fs';
 import { defineConfig } from 'vite';
 import react from '@vitejs/plugin-react';
-import { TanStackRouterVite } from '@tanstack/router-plugin/vite';
+import { tanstackRouter } from '@tanstack/router-plugin/vite';
 import { nxViteTsPaths } from '@nx/vite/plugins/nx-tsconfig-paths.plugin';
 import { nxCopyAssetsPlugin } from '@nx/vite/plugins/nx-copy-assets.plugin';
+import {
+  commonDefines,
+  commonManualChunks,
+  commonTestConfig,
+  injectAppVersionPlugin,
+  noServerModulesPlugin,
+} from '@icore/vite-plugins';
 
 const rootPackageJsonPath = new URL('../../../package.json', import.meta.url);
 const rootPackageJson = JSON.parse(fs.readFileSync(rootPackageJsonPath, 'utf-8')) as {
@@ -14,11 +21,7 @@ const rootPackageJson = JSON.parse(fs.readFileSync(rootPackageJsonPath, 'utf-8')
 };
 
 function depVersion(name: string): string {
-  return (
-    rootPackageJson.dependencies?.[name] ??
-    rootPackageJson.devDependencies?.[name] ??
-    '?'
-  );
+  return rootPackageJson.dependencies?.[name] ?? rootPackageJson.devDependencies?.[name] ?? '?';
 }
 
 export default defineConfig(() => ({
@@ -33,22 +36,11 @@ export default defineConfig(() => ({
     host: 'localhost',
   },
   define: {
-    'import.meta.env.VITE_APP_VERSION': JSON.stringify(rootPackageJson.version),
-    // Dep versions injected at build time so routes don't need JSON imports
-    'import.meta.env.VITE_DEP_REACT': JSON.stringify(depVersion('react')),
+    ...commonDefines(rootPackageJson),
     'import.meta.env.VITE_DEP_MUI': JSON.stringify(depVersion('@mui/material')),
-    'import.meta.env.VITE_DEP_VITE': JSON.stringify(depVersion('vite')),
-    'import.meta.env.VITE_DEP_TANSTACK_ROUTER': JSON.stringify(
-      depVersion('@tanstack/react-router'),
-    ),
-    'import.meta.env.VITE_DEP_TANSTACK_QUERY': JSON.stringify(
-      depVersion('@tanstack/react-query'),
-    ),
-    'import.meta.env.VITE_DEP_ZUSTAND': JSON.stringify(depVersion('zustand')),
-    'import.meta.env.VITE_DEP_CASL': JSON.stringify(depVersion('@casl/ability')),
   },
   plugins: [
-    TanStackRouterVite({
+    tanstackRouter({
       target: 'react',
       autoCodeSplitting: true,
       routeFileIgnorePattern: '(__tests__|\\.test\\.(t|j)sx?$)',
@@ -56,12 +48,8 @@ export default defineConfig(() => ({
     react(),
     nxViteTsPaths(),
     nxCopyAssetsPlugin(['*.md']),
-    {
-      name: 'inject-app-version-meta',
-      transformIndexHtml(html: string) {
-        return html.replace('%APP_VERSION%', rootPackageJson.version);
-      },
-    },
+    noServerModulesPlugin(),
+    injectAppVersionPlugin(rootPackageJson),
   ],
   // Uncomment this if you are using workers.
   // worker: {
@@ -76,32 +64,12 @@ export default defineConfig(() => ({
     },
     rolldownOptions: {
       output: {
-        manualChunks: (id: string) => {
-          if (!id.includes('node_modules')) return;
-          if (id.includes('/react/') || id.includes('/react-dom/') || id.includes('scheduler'))
-            return 'vendor-react';
-          if (id.includes('@tanstack')) return 'vendor-tanstack';
-          if (id.includes('i18next') || id.includes('react-i18next')) return 'vendor-i18n';
-          if (id.includes('@casl')) return 'vendor-casl';
+        manualChunks: commonManualChunks((id) => {
           if (id.includes('@mui')) return 'vendor-mui';
           if (id.includes('@emotion')) return 'vendor-emotion';
-          if (id.includes('zustand')) return 'vendor-state';
-          if (id.includes('@idevconn')) return 'vendor-idevconn';
-          return 'vendor-core';
-        },
+        }),
       },
     },
   },
-  test: {
-    name: 'client-mui',
-    watch: false,
-    globals: true,
-    environment: 'jsdom',
-    include: ['{src,tests}/**/*.{test,spec}.{js,mjs,cjs,ts,mts,cts,jsx,tsx}'],
-    reporters: ['default'],
-    coverage: {
-      reportsDirectory: '../../../coverage/apps/templates/client-mui',
-      provider: 'v8' as const,
-    },
-  },
+  test: commonTestConfig('client-mui', '../../../coverage/apps/templates/client-mui'),
 }));

package/templates/apps/templates/client-shadcn/vite.config.mts

@@ -3,9 +3,16 @@ import fs from 'node:fs';
 import { defineConfig } from 'vite';
 import react from '@vitejs/plugin-react';
 import tailwindcss from '@tailwindcss/vite';
-import { TanStackRouterVite } from '@tanstack/router-plugin/vite';
+import { tanstackRouter } from '@tanstack/router-plugin/vite';
 import { nxViteTsPaths } from '@nx/vite/plugins/nx-tsconfig-paths.plugin';
 import { nxCopyAssetsPlugin } from '@nx/vite/plugins/nx-copy-assets.plugin';
+import {
+  commonDefines,
+  commonManualChunks,
+  commonTestConfig,
+  injectAppVersionPlugin,
+  noServerModulesPlugin,
+} from '@icore/vite-plugins';
 
 const rootPackageJsonPath = new URL('../../../package.json', import.meta.url);
 const rootPackageJson = JSON.parse(fs.readFileSync(rootPackageJsonPath, 'utf-8')) as {
@@ -15,11 +22,7 @@ const rootPackageJson = JSON.parse(fs.readFileSync(rootPackageJsonPath, 'utf-8')
 };
 
 function depVersion(name: string): string {
-  return (
-    rootPackageJson.dependencies?.[name] ??
-    rootPackageJson.devDependencies?.[name] ??
-    '?'
-  );
+  return rootPackageJson.dependencies?.[name] ?? rootPackageJson.devDependencies?.[name] ?? '?';
 }
 
 export default defineConfig(() => ({
@@ -34,22 +37,11 @@ export default defineConfig(() => ({
     host: 'localhost',
   },
   define: {
-    'import.meta.env.VITE_APP_VERSION': JSON.stringify(rootPackageJson.version),
-    // Dep versions injected at build time so routes don't need JSON imports
-    'import.meta.env.VITE_DEP_REACT': JSON.stringify(depVersion('react')),
-    'import.meta.env.VITE_DEP_VITE': JSON.stringify(depVersion('vite')),
+    ...commonDefines(rootPackageJson),
     'import.meta.env.VITE_DEP_TAILWINDCSS': JSON.stringify(depVersion('tailwindcss')),
-    'import.meta.env.VITE_DEP_TANSTACK_ROUTER': JSON.stringify(
-      depVersion('@tanstack/react-router'),
-    ),
-    'import.meta.env.VITE_DEP_TANSTACK_QUERY': JSON.stringify(
-      depVersion('@tanstack/react-query'),
-    ),
-    'import.meta.env.VITE_DEP_ZUSTAND': JSON.stringify(depVersion('zustand')),
-    'import.meta.env.VITE_DEP_CASL': JSON.stringify(depVersion('@casl/ability')),
   },
   plugins: [
-    TanStackRouterVite({
+    tanstackRouter({
       target: 'react',
       autoCodeSplitting: true,
       routeFileIgnorePattern: '(__tests__|\\.test\\.(t|j)sx?$)',
@@ -58,12 +50,8 @@ export default defineConfig(() => ({
     tailwindcss(),
     nxViteTsPaths(),
     nxCopyAssetsPlugin(['*.md']),
-    {
-      name: 'inject-app-version-meta',
-      transformIndexHtml(html: string) {
-        return html.replace('%APP_VERSION%', rootPackageJson.version);
-      },
-    },
+    noServerModulesPlugin(),
+    injectAppVersionPlugin(rootPackageJson),
   ],
   // Uncomment this if you are using workers.
   // worker: {
@@ -78,31 +66,11 @@ export default defineConfig(() => ({
     },
     rolldownOptions: {
       output: {
-        manualChunks: (id: string) => {
-          if (!id.includes('node_modules')) return;
-          if (id.includes('/react/') || id.includes('/react-dom/') || id.includes('scheduler'))
-            return 'vendor-react';
-          if (id.includes('@tanstack')) return 'vendor-tanstack';
-          if (id.includes('i18next') || id.includes('react-i18next')) return 'vendor-i18n';
-          if (id.includes('@casl')) return 'vendor-casl';
+        manualChunks: commonManualChunks((id) => {
           if (id.includes('lucide-react') || id.includes('@radix-ui')) return 'vendor-ui';
-          if (id.includes('zustand')) return 'vendor-state';
-          if (id.includes('@idevconn')) return 'vendor-idevconn';
-          return 'vendor-core';
-        },
+        }),
       },
     },
   },
-  test: {
-    name: 'client-shadcn',
-    watch: false,
-    globals: true,
-    environment: 'jsdom',
-    include: ['{src,tests}/**/*.{test,spec}.{js,mjs,cjs,ts,mts,cts,jsx,tsx}'],
-    reporters: ['default'],
-    coverage: {
-      reportsDirectory: '../../../coverage/apps/templates/client-shadcn',
-      provider: 'v8' as const,
-    },
-  },
+  test: commonTestConfig('client-shadcn', '../../../coverage/apps/templates/client-shadcn'),
 }));

package/templates/libs/shared/package.json

@@ -5,6 +5,16 @@
   "type": "commonjs",
   "main": "./src/index.js",
   "types": "./src/index.d.ts",
+  "exports": {
+    ".": {
+      "require": "./src/index.js",
+      "types": "./src/index.d.ts"
+    },
+    "./client": {
+      "require": "./src/client.js",
+      "types": "./src/client.d.ts"
+    }
+  },
   "dependencies": {
     "@casl/ability": "^7.0.0",
     "@nestjs/microservices": "^11.0.0",

package/templates/libs/shared/src/__tests__/cross-boundary.unit.test.ts

@@ -0,0 +1,121 @@
+/**
+ * Cross-boundary dependency guard.
+ *
+ * Rule 1 — CLIENT boundary: no file reachable from @icore/shared/client
+ *          may import @nestjs/* (server-only).
+ *
+ * Rule 2 — SERVER boundary: no file under apps/microservices/** or
+ *          libs/*-client/** (NestJS modules) may import react or other
+ *          browser-only packages.
+ *
+ * These are static source-level checks — they run fast in Vitest without
+ * needing a full build.
+ */
+import { readdir, readFile, stat } from 'node:fs/promises';
+import { join, resolve } from 'node:path';
+import { describe, expect, it } from 'vitest';
+
+const ROOT = resolve(__dirname, '../../../../..');
+
+// ── helpers ────────────────────────────────────────────────────────────────
+
+async function walkTs(dir: string): Promise<string[]> {
+  const files: string[] = [];
+  let entries: Awaited<ReturnType<typeof readdir>>;
+  try {
+    entries = await readdir(dir, { withFileTypes: true });
+  } catch {
+    return files;
+  }
+  for (const e of entries) {
+    const full = join(dir, e.name);
+    if (e.isDirectory() && e.name !== 'node_modules' && e.name !== '__tests__') {
+      files.push(...(await walkTs(full)));
+    } else if (e.isFile() && /\.(ts|tsx)$/.test(e.name) && !e.name.endsWith('.d.ts')) {
+      files.push(full);
+    }
+  }
+  return files;
+}
+
+async function importsIn(file: string): Promise<string[]> {
+  const src = await readFile(file, 'utf8');
+  const matches = [...src.matchAll(/from\s+['"]([^'"]+)['"]/g)];
+  return matches.map((m) => m[1] ?? '');
+}
+
+// ── Rule 1: client boundary ────────────────────────────────────────────────
+
+describe('client boundary — no @nestjs/* in browser-safe exports', () => {
+  const CLIENT_ROOTS = [
+    join(ROOT, 'libs/shared/src/client.ts'),
+    join(ROOT, 'libs/shared/src/abilities'),
+    join(ROOT, 'libs/shared/src/types'),
+    join(ROOT, 'libs/template-shared/src'),
+  ];
+
+  it('no @nestjs/* import found in client-side source files', async () => {
+    const violations: string[] = [];
+
+    for (const root of CLIENT_ROOTS) {
+      const s = await stat(root).catch(() => null);
+      if (!s) continue;
+      const files = s.isFile() ? [root] : await walkTs(root);
+
+      for (const file of files) {
+        const imports = await importsIn(file);
+        for (const imp of imports) {
+          if (/^(@nestjs\/|firebase-admin|bullmq|ioredis)/.test(imp)) {
+            violations.push(`${file.replace(ROOT + '/', '')}  →  ${imp}`);
+          }
+        }
+      }
+    }
+
+    expect(
+      violations,
+      `Server-only imports found in client code:\n${violations.join('\n')}`,
+    ).toEqual([]);
+  });
+});
+
+// ── Rule 2: server boundary ────────────────────────────────────────────────
+
+describe('server boundary — no browser-only packages in NestJS modules', () => {
+  const SERVER_ROOTS = [
+    join(ROOT, 'apps/microservices'),
+    join(ROOT, 'libs/auth-client/src'),
+    join(ROOT, 'libs/upload-client/src'),
+    join(ROOT, 'libs/notes-client/src'),
+    join(ROOT, 'libs/payment-client/src'),
+    join(ROOT, 'libs/jobs-client/src'),
+  ];
+
+  // Regex matches the start of a bare import specifier
+  const BROWSER_ONLY =
+    /^(react(-dom|-router)?|@tanstack\/react-|antd|@mui\/|@radix-ui\/|lucide-react|sonner|@ant-design\/)/;
+
+  it('no browser-only import found in server-side source files', async () => {
+    const violations: string[] = [];
+
+    for (const root of SERVER_ROOTS) {
+      const s = await stat(root).catch(() => null);
+      if (!s) continue;
+      const files = s.isFile() ? [root] : await walkTs(root);
+
+      for (const file of files) {
+        const imports = await importsIn(file);
+        for (const imp of imports) {
+          if (BROWSER_ONLY.test(imp)) {
+            violations.push(`${file.replace(ROOT + '/', '')}  →  ${imp}`);
+          }
+        }
+      }
+    }
+
+    expect(
+      violations,
+      `Browser-only imports found in server code:\n${violations.join('\n')}`,
+    ).toEqual([]);
+  });
+});

package/templates/libs/shared/src/client.ts

@@ -0,0 +1,5 @@
+// Browser-safe subset of @icore/shared.
+// Import from '@icore/shared/client' in client-side code to avoid pulling
+// in NestJS / Node.js-only modules (transport, strategies, contracts).
+export * from './abilities';
+export * from './types';