@idevconn/create-icore 0.5.0 → 0.5.2

package/dist/index.js

@@ -1,3 +1,8 @@
+// src/lib/options.ts
+function pmRun(pm, script) {
+  return pm === "npm" ? `npm run ${script}` : `${pm} ${script}`;
+}
+
 // src/lib/scaffold.ts
 import { copyFile, mkdir, readdir, readFile, stat, writeFile, rm } from "fs/promises";
 import { readFileSync } from "fs";
@@ -35,6 +40,10 @@ async function rewriteRootPackageJson(targetDir, opts) {
   pkg["version"] = "0.0.1";
   pkg["private"] = true;
   delete pkg.description;
+  if (opts.transport === "nats") {
+    const deps = pkg["dependencies"] ??= {};
+    deps["nats"] = "^2.29.3";
+  }
   if (opts.packageManager !== "yarn") {
     delete pkg.packageManager;
   }
@@ -91,9 +100,9 @@ async function writeNotesEnv(targetDir, opts) {
 async function writeGatewayEnv(targetDir, opts) {
   const envExample = join(targetDir, "apps/api/.env.example");
   const env = await readFile(envExample, "utf8");
-  let next = env.replace(/^AUTH_TRANSPORT=.*$/m, `AUTH_TRANSPORT=${opts.transport}`).replace(/^UPLOAD_TRANSPORT=.*$/m, `UPLOAD_TRANSPORT=${opts.transport}`);
+  let next = env.replace(/^AUTH_TRANSPORT=.*$/m, `AUTH_TRANSPORT=${opts.transport}`).replace(/^UPLOAD_TRANSPORT=.*$/m, `UPLOAD_TRANSPORT=${opts.transport}`).replace(/^NOTES_TRANSPORT=.*$/m, `NOTES_TRANSPORT=${opts.transport}`).replace(/^PAYMENT_TRANSPORT=.*$/m, `PAYMENT_TRANSPORT=${opts.transport}`);
   if (opts.transport !== "tcp") {
-    next = next.replace(/^# (AUTH_(?:REDIS|NATS)_URL=)/m, "$1").replace(/^# (UPLOAD_(?:REDIS|NATS)_URL=)/m, "$1");
+    next = next.replace(/^# (AUTH_(?:REDIS|NATS)_URL=)/m, "$1").replace(/^# (UPLOAD_(?:REDIS|NATS)_URL=)/m, "$1").replace(/^# (NOTES_(?:REDIS|NATS)_URL=)/m, "$1").replace(/^# (PAYMENT_(?:REDIS|NATS)_URL=)/m, "$1");
   }
   await writeFile(join(targetDir, "apps/api/.env"), next);
 }
@@ -106,6 +115,17 @@ async function writeRootEnv(targetDir, opts) {
   ];
   await writeFile(join(targetDir, ".env"), lines.join("\n"));
 }
+async function stripGatewayTransport(targetDir, prefix) {
+  const gatewayEnv = join(targetDir, "apps/api/.env");
+  try {
+    const env = await readFile(gatewayEnv, "utf8");
+    const next = env.split("\n").filter(
+      (line) => !line.startsWith(`${prefix}_`) && !line.startsWith(`# ${prefix}_`) && !line.includes(`${prefix} MS transport`)
+    ).join("\n");
+    await writeFile(gatewayEnv, next);
+  } catch {
+  }
+}
 async function writeClientEnv(targetDir) {
   const envExample = join(targetDir, "apps/client/.env.example");
   try {
@@ -190,6 +210,7 @@ async function removePaymentStack(targetDir) {
     "@icore/payment-client",
     "@idevconn/payment"
   ]);
+  await stripGatewayTransport(targetDir, "PAYMENT");
 }
 async function removeNotesStack(targetDir) {
   for (const p2 of [
@@ -211,6 +232,7 @@ async function removeNotesStack(targetDir) {
   } catch {
   }
   await stripDeps(join(targetDir, "apps/api/package.json"), ["@icore/notes-client"]);
+  await stripGatewayTransport(targetDir, "NOTES");
   const tsconfigPath = join(targetDir, "tsconfig.base.json");
   try {
     const src = await readFile(tsconfigPath, "utf8");
@@ -267,15 +289,17 @@ async function stripTsconfigPath(targetDir, alias) {
 }
 async function removeUnusedAuthStrategies(targetDir, authProvider) {
   const modulePath = join(targetDir, "apps/microservices/auth/src/app/app.module.ts");
+  const AUTH_BRANCH = /if \(provider === 'supabase'\) return makeSupabaseAuth\(cfg\);\n\s*return makeFirebaseAuth\(cfg\);/m;
   if (authProvider === "supabase") {
     await rm(join(targetDir, "libs/auth-strategies/firebase"), { recursive: true, force: true });
     await stripDeps(join(targetDir, "apps/microservices/auth/package.json"), [
-      "@icore/auth-firebase"
+      "@icore/auth-firebase",
+      "@icore/firebase-admin"
     ]);
     await stripTsconfigPath(targetDir, "@icore/auth-firebase");
     try {
       const src = await readFile(modulePath, "utf8");
-      const next = src.replace(/^import \* as admin from 'firebase-admin';\n/m, "").replace(/^import \{[^}]*FirebaseAuthStrategy[^}]*\} from '@icore\/auth-firebase';\n/m, "").replace(/^function makeFirebaseStrategy\b[\s\S]*?\n^}\n/m, "").replace(/(?<=\n) *case 'firebase':\n *return makeFirebaseStrategy\(cfg\);\n/, "");
+      const next = src.replace(/^import \{[^}]*\} from '@icore\/firebase-admin';\n/m, "").replace(/^import \{[^}]*FirebaseAuthStrategy[^}]*\} from '@icore\/auth-firebase';\n/m, "").replace(/^ {2}firebase: \[[^\]]*\],\n/m, "").replace(/\nfunction makeFirebaseAuth[\s\S]*?\n}\n/m, "").replace(AUTH_BRANCH, "return makeSupabaseAuth(cfg);");
       await writeFile(modulePath, next);
     } catch {
     }
@@ -288,10 +312,7 @@ async function removeUnusedAuthStrategies(targetDir, authProvider) {
     await stripTsconfigPath(targetDir, "@icore/auth-supabase");
     try {
       const src = await readFile(modulePath, "utf8");
-      const next = src.replace(/^import \{ createClient \} from '@supabase\/supabase-js';\n/m, "").replace(/^import \{[^}]*SupabaseAuthStrategy[^}]*\} from '@icore\/auth-supabase';\n/m, "").replace(
-        /\n {10}case 'supabase': \{[\s\S]*?return new SupabaseAuthStrategy\(\{ client \}\);\n {10}\}\n/m,
-        ""
-      );
+      const next = src.replace(/^import \{ createClient \} from '@supabase\/supabase-js';\n/m, "").replace(/^import \{[^}]*SupabaseAuthStrategy[^}]*\} from '@icore\/auth-supabase';\n/m, "").replace(/\nfunction makeSupabaseAuth[\s\S]*?\n}\n/m, "").replace(AUTH_BRANCH, "return makeFirebaseAuth(cfg);");
       await writeFile(modulePath, next);
     } catch {
     }
@@ -303,7 +324,8 @@ async function removeUnusedStorageStrategies(targetDir, uploadProvider) {
   if (uploadProvider !== "firebase") {
     await rm(join(targetDir, "libs/storage-strategies/firebase"), { recursive: true, force: true });
     await stripDeps(join(targetDir, "apps/microservices/upload/package.json"), [
-      "@icore/storage-firebase"
+      "@icore/storage-firebase",
+      "@icore/firebase-admin"
     ]);
     await stripTsconfigPath(targetDir, "@icore/storage-firebase");
   }
@@ -327,26 +349,26 @@ async function removeUnusedStorageStrategies(targetDir, uploadProvider) {
   try {
     let src = await readFile(modulePath, "utf8");
     if (uploadProvider !== "firebase") {
-      src = src.replace(/^import \* as admin from 'firebase-admin';\n/m, "").replace(
+      src = src.replace(/^import \{[^}]*\} from '@icore\/firebase-admin';\n/m, "").replace(
         /^import \{[^}]*FirebaseStorageStrategy[^}]*\} from '@icore\/storage-firebase';\n/m,
         ""
-      ).replace(/^function makeFirebaseStorage\b[\s\S]*?\n^}\n/m, "").replace(/(?<=\n) *case 'firebase':\n *return makeFirebaseStorage\(cfg\);\n/, "");
+      ).replace(/^ {2}firebase: \[[^\]]*\],\n/m, "").replace(/\nfunction makeFirebaseStorage[\s\S]*?\n}\n/m, "");
     }
     if (uploadProvider !== "cloudinary") {
       src = src.replace(/^import \{ v2 as cloudinary \} from 'cloudinary';\n/m, "").replace(
         /^import \{[^}]*CloudinaryStorageStrategy[^}]*\} from '@icore\/storage-cloudinary';\n/m,
         ""
-      ).replace(/^function makeCloudinaryStorage\b[\s\S]*?\n^}\n/m, "").replace(/(?<=\n) *case 'cloudinary':\n *return makeCloudinaryStorage\(cfg\);\n/, "");
+      ).replace(/\nfunction makeCloudinaryStorage[\s\S]*?\n}\n/m, "");
     }
     if (uploadProvider !== "supabase") {
       src = src.replace(/^import \{ createClient \} from '@supabase\/supabase-js';\n/m, "").replace(
         /^import \{[^}]*SupabaseStorageStrategy[^}]*\} from '@icore\/storage-supabase';\n/m,
         ""
-      ).replace(
-        /\n {10}case 'supabase': \{[\s\S]*?bucket: requireEnv\(cfg, 'SUPABASE_STORAGE_BUCKET'\),\n {12}\}\);\n {10}\}\n/m,
-        ""
-      );
+      ).replace(/\nfunction makeSupabaseStorage[\s\S]*?\n}\n/m, "");
     }
+    const STORAGE_BRANCH = /if \(provider === 'supabase'\) return makeSupabaseStorage\(cfg\);\n\s*if \(provider === 'firebase'\) return makeFirebaseStorage\(cfg\);\n\s*return makeCloudinaryStorage\(cfg\);/m;
+    const chosenReturn = `return make${uploadProvider.charAt(0).toUpperCase() + uploadProvider.slice(1)}Storage(cfg);`;
+    src = src.replace(STORAGE_BRANCH, chosenReturn);
     await writeFile(modulePath, src);
   } catch {
   }
@@ -356,14 +378,15 @@ async function removeUnusedDbStrategies(targetDir, dbProvider) {
   if (dbProvider === "supabase") {
     await rm(join(targetDir, "libs/db-strategies/firestore"), { recursive: true, force: true });
     await stripDeps(join(targetDir, "apps/microservices/notes/package.json"), [
-      "@icore/db-firestore"
+      "@icore/db-firestore",
+      "@icore/firebase-admin"
     ]);
     await stripTsconfigPath(targetDir, "@icore/db-firestore");
     try {
       const src = await readFile(modulePath, "utf8");
-      const next = src.replace(/^import \* as admin from 'firebase-admin';\n/m, "").replace(/^import \{[^}]*FirestoreDBStrategy[^}]*\} from '@icore\/db-firestore';\n/m, "").replace(
-        /\n {8}if \(provider === 'firestore'[\s\S]*?return new FirestoreDBStrategy\(\{[\s\S]*?\}\);\n {8}\}\n/m,
-        ""
+      const next = src.replace(/^import \{[^}]*\} from '@icore\/firebase-admin';\n/m, "").replace(/^import \{[^}]*FirestoreDBStrategy[^}]*\} from '@icore\/db-firestore';\n/m, "").replace(/^ {2}firestore: \[[^\]]*\],\n/m, "").replace(/^ {2}firebase: \[[^\]]*\],\n/m, "").replace(/\nfunction makeFirestoreDB[\s\S]*?\n}\n/m, "").replace(
+        /if \(provider === 'supabase'\) return makeSupabaseDB\(cfg\);\n\s*return makeFirestoreDB\(cfg\);/m,
+        "return makeSupabaseDB(cfg);"
       );
       await writeFile(modulePath, next);
     } catch {
@@ -377,15 +400,19 @@ async function removeUnusedDbStrategies(targetDir, dbProvider) {
     await stripTsconfigPath(targetDir, "@icore/db-supabase");
     try {
       const src = await readFile(modulePath, "utf8");
-      const next = src.replace(/^import \{ createClient \} from '@supabase\/supabase-js';\n/m, "").replace(/^import \{[^}]*SupabaseDBStrategy[^}]*\} from '@icore\/db-supabase';\n/m, "").replace(
-        /\n {8}if \(provider === 'supabase'\) \{[\s\S]*?return new SupabaseDBStrategy\(\{ client \}\);\n {8}\}\n/m,
-        ""
+      const next = src.replace(/^import \{ createClient \} from '@supabase\/supabase-js';\n/m, "").replace(/^import \{[^}]*SupabaseDBStrategy[^}]*\} from '@icore\/db-supabase';\n/m, "").replace(/\nfunction makeSupabaseDB[\s\S]*?\n}\n/m, "").replace(
+        /if \(provider === 'supabase'\) return makeSupabaseDB\(cfg\);\n\s*return makeFirestoreDB\(cfg\);/m,
+        "return makeFirestoreDB(cfg);"
       );
       await writeFile(modulePath, next);
     } catch {
     }
   }
 }
+async function removeFirebaseAdminLib(targetDir) {
+  await rm(join(targetDir, "libs/firebase-admin"), { recursive: true, force: true });
+  await stripTsconfigPath(targetDir, "@icore/firebase-admin");
+}
 async function removeUploadStack(targetDir) {
   const paths = [
     "apps/microservices/upload",
@@ -498,17 +525,45 @@ async function scaffold(opts, templatesDir) {
   await removeUnusedAuthStrategies(opts.targetDir, opts.authProvider);
   await removeUnusedStorageStrategies(opts.targetDir, opts.upload);
   await removeUnusedDbStrategies(opts.targetDir, opts.dbProvider);
+  const firebaseUsed = opts.authProvider === "firebase" || opts.dbProvider === "firebase" || opts.upload === "firebase";
+  if (!firebaseUsed) await removeFirebaseAdminLib(opts.targetDir);
   if (opts.packageManager === "yarn") {
     await writeFile(join(opts.targetDir, "yarn.lock"), "");
+  } else {
+    await rm(join(opts.targetDir, ".yarn"), { recursive: true, force: true });
+    await rm(join(opts.targetDir, ".yarnrc.yml"), { force: true });
   }
+  await patchGitignoreForPm(opts.targetDir, opts.packageManager);
   await writeAiFiles(opts.targetDir, opts);
   if (opts.install) runInstall(opts.targetDir, opts.packageManager);
   if (opts.initGit) gitInit(opts.targetDir, opts.projectName);
 }
+async function patchGitignoreForPm(targetDir, pm) {
+  const giPath = join(targetDir, ".gitignore");
+  try {
+    let src = await readFile(giPath, "utf8");
+    src = src.replace(/^# Build artifacts.*\ntools\/create-icore\/templates\/\s*\n/m, "");
+    if (pm !== "yarn") {
+      src = src.replace(/^\.yarn\/\*\s*\n/m, "").replace(/^!\.yarn\/patches\s*\n/m, "").replace(/^!\.yarn\/plugins\s*\n/m, "").replace(/^!\.yarn\/releases\s*\n/m, "").replace(/^!\.yarn\/sdks\s*\n/m, "").replace(/^!\.yarn\/versions\s*\n/m, "").replace(/^\.pnp\.\*\s*\n/m, "");
+    }
+    if (pm === "pnpm") {
+      if (!src.includes(".pnpm-debug.log")) {
+        src += "\n# pnpm\n.pnpm-debug.log*\n";
+      }
+    }
+    if (pm === "npm") {
+      if (!src.includes("npm-debug.log")) {
+        src += "\n# npm\nnpm-debug.log*\n";
+      }
+    }
+    await writeFile(giPath, src);
+  } catch {
+  }
+}
 async function writeAiFiles(targetDir, opts) {
   const pm = opts.packageManager;
   const nx = pm === "npm" ? "npx nx" : `${pm} nx`;
-  const devCmd = `${pm} dev`;
+  const devCmd = pmRun(pm, "dev");
   const activeMSes = ["auth (port 4001)"];
   if (opts.upload !== "none") activeMSes.push(`upload (port 4002)`);
   if (opts.payment !== "none") activeMSes.push(`payment (port 4003)`);
@@ -918,5 +973,6 @@ Re-run with @latest to refresh:
 }
 export {
   collectOptions,
+  pmRun,
   scaffold
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@idevconn/create-icore",
-  "version": "0.5.0",
+  "version": "0.5.2",
   "description": "Bootstrap a new project from the iCore scaffold (Nx + NestJS + React + Vite + shadcn/Tailwind, swappable auth + storage providers).",
   "license": "Apache-2.0",
   "author": "iDEVconn",
@@ -56,6 +56,8 @@
     "test:watch": "vitest",
     "lint": "eslint src",
     "typecheck": "tsc --noEmit",
+    "smoke": "npm run build && node scripts/snapshot-templates.mjs && node scripts/smoke-scaffold.mjs --mode=link --projects=shared,firebase-admin,auth,upload,notes,api",
+    "smoke:run": "npm run build && node scripts/snapshot-templates.mjs && node scripts/smoke-scaffold.mjs --mode=install --run --projects=shared,firebase-admin,auth,upload,notes,api --services=api,auth,upload,notes",
     "prepublishOnly": "node scripts/snapshot-templates.mjs && npm run typecheck && npm run test && npm run build"
   },
   "dependencies": {

package/templates/apps/api/.env.example

@@ -15,5 +15,19 @@ UPLOAD_PORT=4002
 # UPLOAD_REDIS_URL=redis://localhost:6379
 # UPLOAD_NATS_URL=nats://localhost:4222
 
+# Notes MS transport — must match apps/microservices/notes/.env
+NOTES_TRANSPORT=tcp
+NOTES_HOST=127.0.0.1
+NOTES_PORT=4004
+# NOTES_REDIS_URL=redis://localhost:6379
+# NOTES_NATS_URL=nats://localhost:4222
+
+# Payment MS transport — must match apps/microservices/payment/.env
+PAYMENT_TRANSPORT=tcp
+PAYMENT_HOST=127.0.0.1
+PAYMENT_PORT=4003
+# PAYMENT_REDIS_URL=redis://localhost:6379
+# PAYMENT_NATS_URL=nats://localhost:4222
+
 # Per-request multipart file size cap (KB). Default 5120 (5 MB) when unset.
 MAX_FILE_SIZE_KB=5120

package/templates/apps/microservices/auth/package.json

@@ -5,8 +5,8 @@
   "dependencies": {
     "@icore/auth-firebase": "*",
     "@icore/auth-supabase": "*",
+    "@icore/firebase-admin": "*",
     "@icore/shared": "*",
-    "firebase-admin": "^13.0.0",
     "@nestjs/common": "^11.1.24",
     "@nestjs/config": "^4.0.4",
     "@nestjs/core": "^11.1.24",

package/templates/apps/microservices/auth/src/app/app.module.ts

@@ -1,13 +1,12 @@
 import { join } from 'node:path';
-import { Module } from '@nestjs/common';
+import { Module, Logger } from '@nestjs/common';
 import { ConfigModule, ConfigService } from '@nestjs/config';
 import { createClient } from '@supabase/supabase-js';
-import * as admin from 'firebase-admin';
 import { SupabaseAuthStrategy } from '@icore/auth-supabase';
 import { FirebaseAuthStrategy, HttpIdentityToolkitClient } from '@icore/auth-firebase';
+import { getFirebaseAdmin, FIREBASE_ADMIN_REQUIRED_ENV } from '@icore/firebase-admin';
 import { FakeAuthStrategy, missingEnv, formatEnvBanner } from '@icore/shared';
 import type { AuthStrategy } from '@icore/shared';
-import { Logger } from '@nestjs/common';
 import { AuthController } from './auth.controller';
 
 const ENV_PATH = 'apps/microservices/auth/.env';
@@ -15,33 +14,28 @@ const ENV_PATH = 'apps/microservices/auth/.env';
 // Env vars each provider needs (besides AUTH_PROVIDER itself).
 const REQUIRED_ENV: Record<string, string[]> = {
   supabase: ['SUPABASE_URL', 'SUPABASE_SERVICE_ROLE_KEY'],
-  firebase: [
-    'FB_ADMIN_PROJECT_ID',
-    'FB_ADMIN_CLIENT_EMAIL',
-    'FB_ADMIN_PRIVATE_KEY',
-    'FIREBASE_WEB_API_KEY',
-  ],
+  firebase: [...FIREBASE_ADMIN_REQUIRED_ENV, 'FIREBASE_WEB_API_KEY'],
 };
 
 function requireEnv(cfg: ConfigService, key: string): string {
   return cfg.getOrThrow<string>(key);
 }
 
-function makeFirebaseStrategy(cfg: ConfigService): AuthStrategy {
-  const projectId = requireEnv(cfg, 'FB_ADMIN_PROJECT_ID');
-  if (admin.apps.length === 0) {
-    admin.initializeApp({
-      credential: admin.credential.cert({
-        projectId,
-        clientEmail: requireEnv(cfg, 'FB_ADMIN_CLIENT_EMAIL'),
-        privateKey: requireEnv(cfg, 'FB_ADMIN_PRIVATE_KEY').replace(/\\n/g, '\n'),
-      }),
-    });
-  }
+function makeSupabaseAuth(cfg: ConfigService): AuthStrategy {
+  const client = createClient(
+    requireEnv(cfg, 'SUPABASE_URL'),
+    requireEnv(cfg, 'SUPABASE_SERVICE_ROLE_KEY'),
+    { auth: { autoRefreshToken: false, persistSession: false } },
+  );
+  return new SupabaseAuthStrategy({ client });
+}
+
+function makeFirebaseAuth(cfg: ConfigService): AuthStrategy {
+  const app = getFirebaseAdmin(cfg);
   const identityToolkit = new HttpIdentityToolkitClient(requireEnv(cfg, 'FIREBASE_WEB_API_KEY'));
   return new FirebaseAuthStrategy({
     identityToolkit,
-    adminAuth: admin.auth(),
+    adminAuth: app.auth(),
   });
 }
 
@@ -83,15 +77,8 @@ function makeFirebaseStrategy(cfg: ConfigService): AuthStrategy {
         if (!keys || missing.length > 0) return fallback();
 
         try {
-          if (provider === 'supabase') {
-            const client = createClient(
-              requireEnv(cfg, 'SUPABASE_URL'),
-              requireEnv(cfg, 'SUPABASE_SERVICE_ROLE_KEY'),
-              { auth: { autoRefreshToken: false, persistSession: false } },
-            );
-            return new SupabaseAuthStrategy({ client });
-          }
-          return makeFirebaseStrategy(cfg);
+          if (provider === 'supabase') return makeSupabaseAuth(cfg);
+          return makeFirebaseAuth(cfg);
         } catch (err) {
           // Vars present but invalid (e.g. placeholder URL the SDK rejects).
           return fallback(err instanceof Error ? err.message : String(err));

package/templates/apps/microservices/auth/src/main.ts

@@ -1,28 +1,11 @@
 import { Logger } from '@nestjs/common';
 import { NestFactory } from '@nestjs/core';
 import { MicroserviceOptions } from '@nestjs/microservices';
-import { buildTransportMS } from '@icore/shared';
+import { bootstrapMicroservice, buildTransportMS } from '@icore/shared';
 import { AppModule } from './app/app.module';
 
-async function bootstrap() {
-  const app = await NestFactory.createMicroservice<MicroserviceOptions>(
-    AppModule,
-    buildTransportMS('AUTH'),
-  );
-  await app.listen();
-}
-
-bootstrap()
-  .then(() => {
-    const logger = new Logger('Auth-Bootstrap');
-    logger.log(
-      `Auth MS Bootstrap completed: transport=${process.env.AUTH_TRANSPORT ?? 'tcp'} host=${process.env.AUTH_HOST ?? '127.0.0.1'} port=${process.env.AUTH_PORT ?? '4001'}`,
-    );
-  })
-  .catch((err) => {
-    new Logger('Auth-Bootstrap').error(
-      'Auth MS bootstrap failed',
-      err instanceof Error ? err.stack : err,
-    );
-    process.exit(1);
-  });
+void bootstrapMicroservice(
+  'AUTH',
+  () => NestFactory.createMicroservice<MicroserviceOptions>(AppModule, buildTransportMS('AUTH')),
+  new Logger('Auth-Bootstrap'),
+);

package/templates/apps/microservices/jobs/src/app/redis-connection.ts

@@ -0,0 +1,35 @@
+import { Logger } from '@nestjs/common';
+import IORedis from 'ioredis';
+import { formatEnvBanner } from '@icore/shared';
+
+/**
+ * Creates an IORedis connection that NEVER crashes the process when Redis is
+ * unreachable. Without an 'error' handler, ioredis emits an unhandled 'error'
+ * event → Node exits. Here we log one boxed banner and let ioredis keep
+ * retrying in the background, so the jobs MS stays up and connects once Redis
+ * is available (honours the "never crash on missing infra" rule).
+ */
+export function createJobsRedis(url: string, logger: Logger): IORedis {
+  const connection = new IORedis(url, {
+    maxRetriesPerRequest: null,
+    retryStrategy: (times) => Math.min(times * 200, 5000),
+  });
+
+  let warned = false;
+  connection.on('error', (err: Error) => {
+    if (warned) return;
+    warned = true;
+    logger.warn(
+      formatEnvBanner({
+        service: 'jobs MS',
+        provider: 'redis',
+        missing: [],
+        envPath: 'apps/microservices/jobs/.env (JOBS_REDIS_URL)',
+        reason: `${err.message} — retrying in the background until Redis is up at ${url}`,
+        headline: `⚠  jobs MS — Redis unreachable (workers idle until it's up)`,
+      }),
+    );
+  });
+
+  return connection;
+}

package/templates/apps/microservices/jobs/src/app/workers/cleanup.worker.ts

@@ -2,6 +2,7 @@ import { Injectable, Logger, type OnModuleDestroy, type OnModuleInit } from '@ne
 import { ConfigService } from '@nestjs/config';
 import { Worker, type Job } from 'bullmq';
 import IORedis from 'ioredis';
+import { createJobsRedis } from '../redis-connection';
 import type { CleanupJob } from '@icore/shared';
 
 @Injectable()
@@ -15,7 +16,7 @@ export class CleanupWorker implements OnModuleInit, OnModuleDestroy {
   onModuleInit(): void {
     const url = this.cfg.get<string>('JOBS_REDIS_URL') ?? 'redis://localhost:6379';
     const concurrency = Number(this.cfg.get<string>('JOBS_WORKER_CONCURRENCY') ?? '5');
-    this.connection = new IORedis(url, { maxRetriesPerRequest: null });
+    this.connection = createJobsRedis(url, this.logger);
     this.worker = new Worker<CleanupJob>(
       'cleanup',
       async (job: Job<CleanupJob>) => {

package/templates/apps/microservices/jobs/src/app/workers/email.worker.ts

@@ -2,6 +2,7 @@ import { Injectable, Logger, type OnModuleDestroy, type OnModuleInit } from '@ne
 import { ConfigService } from '@nestjs/config';
 import { Worker, type Job } from 'bullmq';
 import IORedis from 'ioredis';
+import { createJobsRedis } from '../redis-connection';
 import type { EmailJob } from '@icore/shared';
 
 @Injectable()
@@ -15,7 +16,7 @@ export class EmailWorker implements OnModuleInit, OnModuleDestroy {
   onModuleInit(): void {
     const url = this.cfg.get<string>('JOBS_REDIS_URL') ?? 'redis://localhost:6379';
     const concurrency = Number(this.cfg.get<string>('JOBS_WORKER_CONCURRENCY') ?? '5');
-    this.connection = new IORedis(url, { maxRetriesPerRequest: null });
+    this.connection = createJobsRedis(url, this.logger);
     this.worker = new Worker<EmailJob>(
       'email',
       async (job: Job<EmailJob>) => {

package/templates/apps/microservices/jobs/src/app/workers/image-process.worker.ts

@@ -2,6 +2,7 @@ import { Injectable, Logger, type OnModuleDestroy, type OnModuleInit } from '@ne
 import { ConfigService } from '@nestjs/config';
 import { Worker, type Job } from 'bullmq';
 import IORedis from 'ioredis';
+import { createJobsRedis } from '../redis-connection';
 import type { ImageProcessJob } from '@icore/shared';
 
 @Injectable()
@@ -15,7 +16,7 @@ export class ImageProcessWorker implements OnModuleInit, OnModuleDestroy {
   onModuleInit(): void {
     const url = this.cfg.get<string>('JOBS_REDIS_URL') ?? 'redis://localhost:6379';
     const concurrency = Number(this.cfg.get<string>('JOBS_WORKER_CONCURRENCY') ?? '5');
-    this.connection = new IORedis(url, { maxRetriesPerRequest: null });
+    this.connection = createJobsRedis(url, this.logger);
     this.worker = new Worker<ImageProcessJob>(
       'image-process',
       async (job: Job<ImageProcessJob>) => {

package/templates/apps/microservices/notes/src/app/app.module.ts

@@ -1,13 +1,12 @@
 import { join } from 'node:path';
-import { Module } from '@nestjs/common';
+import { Module, Logger } from '@nestjs/common';
 import { ConfigModule, ConfigService } from '@nestjs/config';
 import { createClient } from '@supabase/supabase-js';
-import * as admin from 'firebase-admin';
 import { SupabaseDBStrategy } from '@icore/db-supabase';
 import { FirestoreDBStrategy } from '@icore/db-firestore';
+import { getFirebaseAdmin, FIREBASE_ADMIN_REQUIRED_ENV } from '@icore/firebase-admin';
 import { FakeDBStrategy, missingEnv, formatEnvBanner } from '@icore/shared';
 import type { DBStrategy } from '@icore/shared';
-import { Logger } from '@nestjs/common';
 import { NotesController } from './notes.controller';
 
 const ENV_PATH = 'apps/microservices/notes/.env';
@@ -15,14 +14,30 @@ const ENV_PATH = 'apps/microservices/notes/.env';
 // DB_PROVIDER accepts supabase | firestore | firebase (latter two are Firestore).
 const REQUIRED_ENV: Record<string, string[]> = {
   supabase: ['SUPABASE_URL', 'SUPABASE_SERVICE_ROLE_KEY'],
-  firestore: ['FB_ADMIN_PROJECT_ID', 'FB_ADMIN_CLIENT_EMAIL', 'FB_ADMIN_PRIVATE_KEY'],
-  firebase: ['FB_ADMIN_PROJECT_ID', 'FB_ADMIN_CLIENT_EMAIL', 'FB_ADMIN_PRIVATE_KEY'],
+  firestore: [...FIREBASE_ADMIN_REQUIRED_ENV],
+  firebase: [...FIREBASE_ADMIN_REQUIRED_ENV],
 };
 
 function requireEnv(cfg: ConfigService, key: string): string {
   return cfg.getOrThrow<string>(key);
 }
 
+function makeSupabaseDB(cfg: ConfigService): DBStrategy {
+  const client = createClient(
+    requireEnv(cfg, 'SUPABASE_URL'),
+    requireEnv(cfg, 'SUPABASE_SERVICE_ROLE_KEY'),
+    { auth: { autoRefreshToken: false, persistSession: false } },
+  );
+  return new SupabaseDBStrategy({ client });
+}
+
+function makeFirestoreDB(cfg: ConfigService): DBStrategy {
+  const app = getFirebaseAdmin(cfg);
+  return new FirestoreDBStrategy({
+    db: app.firestore() as unknown as ConstructorParameters<typeof FirestoreDBStrategy>[0]['db'],
+  });
+}
+
 @Module({
   imports: [
     ConfigModule.forRoot({
@@ -59,28 +74,8 @@ function requireEnv(cfg: ConfigService, key: string): string {
         if (!keys || missing.length > 0) return fallback();
 
         try {
-          if (provider === 'supabase') {
-            const client = createClient(
-              requireEnv(cfg, 'SUPABASE_URL'),
-              requireEnv(cfg, 'SUPABASE_SERVICE_ROLE_KEY'),
-              { auth: { autoRefreshToken: false, persistSession: false } },
-            );
-            return new SupabaseDBStrategy({ client });
-          }
-          if (admin.apps.length === 0) {
-            admin.initializeApp({
-              credential: admin.credential.cert({
-                projectId: requireEnv(cfg, 'FB_ADMIN_PROJECT_ID'),
-                clientEmail: requireEnv(cfg, 'FB_ADMIN_CLIENT_EMAIL'),
-                privateKey: requireEnv(cfg, 'FB_ADMIN_PRIVATE_KEY').replace(/\\n/g, '\n'),
-              }),
-            });
-          }
-          return new FirestoreDBStrategy({
-            db: admin.firestore() as unknown as ConstructorParameters<
-              typeof FirestoreDBStrategy
-            >[0]['db'],
-          });
+          if (provider === 'supabase') return makeSupabaseDB(cfg);
+          return makeFirestoreDB(cfg);
         } catch (err) {
           return fallback(err instanceof Error ? err.message : String(err));
         }

package/templates/apps/microservices/notes/src/main.ts

@@ -1,28 +1,11 @@
 import { Logger } from '@nestjs/common';
 import { NestFactory } from '@nestjs/core';
 import { MicroserviceOptions } from '@nestjs/microservices';
-import { buildTransportMS } from '@icore/shared';
+import { bootstrapMicroservice, buildTransportMS } from '@icore/shared';
 import { AppModule } from './app/app.module';
 
-async function bootstrap() {
-  const app = await NestFactory.createMicroservice<MicroserviceOptions>(
-    AppModule,
-    buildTransportMS('NOTES'),
-  );
-  await app.listen();
-}
-
-bootstrap()
-  .then(() => {
-    const logger = new Logger('Notes-Bootstrap');
-    logger.log(
-      `Notes MS Bootstrap completed: transport=${process.env.NOTES_TRANSPORT ?? 'tcp'} host=${process.env.NOTES_HOST ?? '127.0.0.1'} port=${process.env.NOTES_PORT ?? '4004'}`,
-    );
-  })
-  .catch((err) => {
-    new Logger('Notes-Bootstrap').error(
-      'Notes MS bootstrap failed',
-      err instanceof Error ? err.stack : err,
-    );
-    process.exit(1);
-  });
+void bootstrapMicroservice(
+  'NOTES',
+  () => NestFactory.createMicroservice<MicroserviceOptions>(AppModule, buildTransportMS('NOTES')),
+  new Logger('Notes-Bootstrap'),
+);

package/templates/apps/microservices/payment/src/app/app.module.ts

@@ -40,17 +40,19 @@ const REQUIRED_ENV: Record<string, string[]> = {
             envPath: ENV_PATH,
             headline: `⚠  payment MS — ${provider} credentials missing (payments will fail)`,
           });
-          // Prod: fail fast. Dev: warn — PayPal is lazy, so the MS still boots
-          // and only payment calls fail until creds are set.
+          // Prod: fail fast. Dev: warn + register an EMPTY strategy map so the
+          // MS boots (PaypalStrategy's constructor throws on blank creds, so we
+          // must not instantiate it) — payment endpoints fail until creds are set.
           if (process.env.NODE_ENV === 'production') throw new Error(banner);
           logger.warn(banner);
+          return createPayment({ strategies: {} });
         }
 
         return createPayment({
           strategies: {
             paypal: new PaypalStrategy({
-              clientId: cfg.get<string>('PAYPAL_CLIENT_ID') ?? '',
-              secret: cfg.get<string>('PAYPAL_CLIENT_SECRET') ?? '',
+              clientId: cfg.getOrThrow<string>('PAYPAL_CLIENT_ID'),
+              secret: cfg.getOrThrow<string>('PAYPAL_CLIENT_SECRET'),
               environment: cfg.get<'sandbox' | 'live'>('PAYPAL_ENVIRONMENT') ?? 'sandbox',
             }),
           },