@koalarx/nest 3.1.50 → 4.0.1

package/cli/utils/parse-new-args.js

@@ -0,0 +1,127 @@
+import {
+  AuthStrategy,
+  FEATURE_ALIASES,
+  parseAuthStrategies,
+  Template,
+  TEMPLATE_ALIASES
+} from "../constants/domain.js";
+function parseFeatures(value) {
+  return value.split(",").map((item) => item.trim().toLowerCase()).filter(Boolean).map((item) => {
+    const feature = FEATURE_ALIASES[item];
+    if (!feature) {
+      throw new Error(`Feature desconhecida: "${item}". Use: cache, health, cron, events.`);
+    }
+    return feature;
+  });
+}
+function parseTemplate(value) {
+  const template = TEMPLATE_ALIASES[value.toLowerCase()];
+  if (!template) {
+    throw new Error(`Template desconhecido: "${value}". Use: default, crud.`);
+  }
+  return template;
+}
+function parsePackageManager(value) {
+  if (value === "bun" || value === "npm" || value === "pnpm") {
+    return value;
+  }
+  throw new Error(`Gerenciador desconhecido: "${value}". Use: bun, npm, pnpm.`);
+}
+function parseAuth(value, template) {
+  return parseAuthStrategies(value, template);
+}
+export function parseNewArgs(args) {
+  let projectName;
+  let packageManager;
+  let template;
+  let auth;
+  let features = [];
+  let yes = false;
+  for (let index = 0;index < args.length; index += 1) {
+    const arg = args[index];
+    if (!arg) {
+      continue;
+    }
+    if (arg === "-y" || arg === "--yes") {
+      yes = true;
+      continue;
+    }
+    if (arg === "--template" || arg === "-t") {
+      const value = args[index + 1];
+      if (!value) {
+        throw new Error("Valor ausente para --template.");
+      }
+      template = parseTemplate(value);
+      index += 1;
+      continue;
+    }
+    if (arg === "--package-manager" || arg === "--pm") {
+      const value = args[index + 1];
+      if (!value) {
+        throw new Error("Valor ausente para --package-manager.");
+      }
+      packageManager = parsePackageManager(value);
+      index += 1;
+      continue;
+    }
+    if (arg === "--auth") {
+      const value = args[index + 1];
+      if (!value) {
+        throw new Error("Valor ausente para --auth.");
+      }
+      auth = parseAuth(value, template);
+      index += 1;
+      continue;
+    }
+    if (arg === "--features") {
+      const value = args[index + 1];
+      if (!value) {
+        throw new Error("Valor ausente para --features.");
+      }
+      features = parseFeatures(value);
+      index += 1;
+      continue;
+    }
+    if (arg.startsWith("-")) {
+      throw new Error(`Flag desconhecida: ${arg}`);
+    }
+    if (!projectName) {
+      projectName = arg;
+    }
+  }
+  if (auth && template === Template.CRUD_SAMPLE && auth.length === 0) {
+    throw new Error("Template CRUD exige autenticação. Use: --auth jwt, --auth oauth2 ou --auth jwt,oauth2.");
+  }
+  return {
+    projectName,
+    packageManager,
+    template,
+    auth,
+    features,
+    yes,
+    interactive: !yes
+  };
+}
+export function assertNewArgsComplete(args) {
+  if (!args.projectName) {
+    throw new Error("Nome do projeto é obrigatório.");
+  }
+  if (!args.packageManager) {
+    throw new Error("Gerenciador de pacotes é obrigatório.");
+  }
+  if (!args.template) {
+    throw new Error("Template é obrigatório.");
+  }
+  if (args.auth === undefined) {
+    throw new Error("Autenticação é obrigatória.");
+  }
+}
+export function buildNewProjectConfig(parsed, overrides) {
+  return {
+    name: overrides.name,
+    packageManager: parsed.packageManager ?? overrides.packageManager,
+    template: parsed.template ?? overrides.template,
+    auth: parsed.auth ?? overrides.auth,
+    features: parsed.features.length > 0 ? parsed.features : overrides.features
+  };
+}

package/cli/utils/patch-auth-install.js

@@ -0,0 +1,224 @@
+import { cpSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import path from "node:path";
+import { AuthStrategy } from "../constants/domain.js";
+import { getSourceCodePath } from "./get-source-code-path.js";
+import { patchMainForAuth } from "./patch-main.js";
+import { removeImportLines } from "./project-files.js";
+import { resolveProjectPath } from "./resolve-project-path.js";
+import { patchEnvForAuthStrategies } from "./patch-env.js";
+import { syncDefineDocumentationForProject } from "./patch-define-documentation.js";
+import { syncAuthStrategySupportFiles } from "./sync-auth-strategy-files.js";
+import {
+  installAuthArtifactsForStrategies,
+  pruneAuthArtifactsForStrategies
+} from "./prune-auth-strategies.js";
+function patchFile(projectName, relativePath, replacers) {
+  const filePath = path.join(resolveProjectPath(projectName), relativePath);
+  let content = readFileSync(filePath, "utf8");
+  for (const { from, to } of replacers) {
+    if (content.includes(from)) {
+      content = content.replace(from, to);
+    }
+  }
+  writeFileSync(filePath, content);
+}
+export function patchAppModuleForAuth(content) {
+  if (content.includes("import { SecurityModule }")) {
+    return content;
+  }
+  const patched = content.replace("import { Module } from '@nestjs/common';", `import { Module } from '@nestjs/common';
+import { AuthModule } from './controllers/auth/auth.module.js';
+import { SecurityModule } from './security/security.module';`);
+  if (patched.includes("PersonModule,")) {
+    return patched.replace("    PersonModule,", `    SecurityModule,
+    AuthModule,
+    PersonModule,`);
+  }
+  return patched.replace(/(ConfigModule\.forRoot\(\{[\s\S]*?\}\),)\n/, `$1
+    SecurityModule,
+    AuthModule,
+`);
+}
+export function patchRepositoryForAuth(content) {
+  if (content.includes("IUserRepository")) {
+    return content;
+  }
+  let patched = content.replace("import { Module } from '@nestjs/common';", `import { IUserRepository } from '@/domain/repositories/iuser.repository';
+import { Module } from '@nestjs/common';`);
+  patched = patched.replace("import { DatabaseModule } from '@/infra/database/database.module';", `import { DatabaseModule } from '@/infra/database/database.module';
+import { UserRepository } from '@/infra/repositories/user.repository';`);
+  if (patched.includes("providers: [")) {
+    patched = patched.replace("providers: [", `providers: [
+    { provide: IUserRepository, useClass: UserRepository },`);
+  } else {
+    patched = patched.replace("imports: [DatabaseModule],", `imports: [DatabaseModule],
+  providers: [{ provide: IUserRepository, useClass: UserRepository }],`);
+  }
+  if (patched.includes("exports: [DatabaseModule]")) {
+    patched = patched.replace("exports: [DatabaseModule]", "exports: [DatabaseModule, IUserRepository]");
+  } else {
+    patched = patched.replace("exports: [DatabaseModule,", "exports: [DatabaseModule, IUserRepository,");
+  }
+  return patched;
+}
+export function patchDataSourceForAuth(content) {
+  if (content.includes("@/domain/entities/user/user")) {
+    return content;
+  }
+  return content.replace("import { EnvService } from '@/infra/common/env.service';", `import { User } from '@/domain/entities/user/user';
+import { EnvService } from '@/infra/common/env.service';`).replace(/entities: \[([^\]]*)\],/, (match, entities) => {
+    const trimmed = entities.trim();
+    if (!trimmed) {
+      return "entities: [User],";
+    }
+    if (trimmed.includes("User")) {
+      return match;
+    }
+    return `entities: [${trimmed}, User],`;
+  });
+}
+const JWT_OAUTH_IMPORTS = [
+  "@/application/auth/oauth2/auth-link/auth-link.handler",
+  "@/application/auth/oauth2/exchange-code/exchange-code.handler",
+  "@/application/auth/oauth2/scalar-token/scalar-oauth-token.handler",
+  "../oauth2/auth-link.controller",
+  "../oauth2/exchange-code.controller",
+  "../oauth2/oauth-callback.controller",
+  "../oauth2/scalar-token.controller"
+];
+const JWT_OAUTH_SYMBOLS = [
+  "OAuthAuthLinkController",
+  "OAuthExchangeCodeController",
+  "OAuthCallbackController",
+  "ScalarOAuthTokenController",
+  "OAuthAuthLinkHandler",
+  "OAuthExchangeCodeHandler",
+  "ScalarOAuthTokenHandler"
+];
+export function patchAuthModuleForJwt(content) {
+  let patched = removeImportLines(content, JWT_OAUTH_IMPORTS);
+  for (const symbol of JWT_OAUTH_SYMBOLS) {
+    patched = patched.replace(new RegExp(`\\s*${symbol},\\n`, "g"), "");
+  }
+  return patched;
+}
+const JWT_LOGIN_IMPORTS = [
+  "@/application/auth/login/login.handler",
+  "./login.controller"
+];
+const JWT_LOGIN_SYMBOLS = ["LoginController", "LoginHandler"];
+export function patchAuthModuleForOAuth2(content) {
+  let patched = removeImportLines(content, JWT_LOGIN_IMPORTS);
+  for (const symbol of JWT_LOGIN_SYMBOLS) {
+    patched = patched.replace(new RegExp(`\\s*${symbol},\\n`, "g"), "");
+  }
+  return patched;
+}
+export function applyAuthModuleStrategies(content, strategies) {
+  const hasJwt = strategies.includes(AuthStrategy.JWT);
+  const hasOauth = strategies.includes(AuthStrategy.OAUTH2);
+  if (hasJwt && hasOauth) {
+    return content;
+  }
+  if (hasJwt) {
+    return patchAuthModuleForJwt(content);
+  }
+  if (hasOauth) {
+    return patchAuthModuleForOAuth2(content);
+  }
+  return content;
+}
+export function syncAuthModuleForProject(projectName, strategies) {
+  const authModulePath = path.join(resolveProjectPath(projectName), "src/host/controllers/auth/auth.module.ts");
+  cpSync(path.join(getSourceCodePath(), "src/host/controllers/auth/auth.module.ts"), authModulePath, { force: true });
+  writeFileSync(authModulePath, applyAuthModuleStrategies(readFileSync(authModulePath, "utf8"), strategies));
+}
+const domainAuthServiceJwtOnly = `import { JwtClaims } from '@/core/auth/jwt-claims';
+
+export abstract class IJwtTokenService {
+  abstract signAccessToken(claims: JwtClaims): string;
+  abstract signRefreshToken(claims: JwtClaims): string;
+  abstract signTokenPair(claims: JwtClaims): {
+    accessToken: string;
+    access_token: string;
+    refreshToken: string;
+    refresh_token: string;
+  };
+}
+`;
+export function syncDomainAuthServiceForProject(projectName, strategies) {
+  const hasJwt = strategies.includes(AuthStrategy.JWT);
+  const hasOauth = strategies.includes(AuthStrategy.OAUTH2);
+  const servicePath = path.join(resolveProjectPath(projectName), "src/domain/auth/services/iauth.service.ts");
+  mkdirSync(path.dirname(servicePath), { recursive: true });
+  if (hasJwt && !hasOauth) {
+    writeFileSync(servicePath, domainAuthServiceJwtOnly);
+    return;
+  }
+  cpSync(path.join(getSourceCodePath(), "src/domain/auth/services/iauth.service.ts"), servicePath, { force: true });
+}
+const SECURITY_OAUTH_IMPORTS = [
+  "@/core/auth/oauth-provider.registry",
+  "@/infra/auth/oauth2-auth.service"
+];
+const SECURITY_OAUTH_SYMBOLS = ["OAuthProviderRegistry", "IOAuth2Service"];
+export function patchSecurityModuleForJwt(content) {
+  let patched = removeImportLines(content, SECURITY_OAUTH_IMPORTS);
+  patched = patched.replace(/import \{\n  IJwtTokenService,\n  IOAuth2Service,\n\} from '@\/domain\/auth\/services\/iauth.service';/, "import { IJwtTokenService } from '@/domain/auth/services/iauth.service';");
+  patched = patched.replace(/\s*\{ provide: IOAuth2Service, useClass: OAuth2AuthService \},\n/g, "");
+  for (const symbol of SECURITY_OAUTH_SYMBOLS) {
+    patched = patched.replace(new RegExp(`\\s*${symbol},\\s*\\n`, "g"), "");
+    patched = patched.replace(new RegExp(`\\s*${symbol},`, "g"), "");
+  }
+  return patched;
+}
+export function syncSecurityModuleForProject(projectName, strategies) {
+  const hasJwt = strategies.includes(AuthStrategy.JWT);
+  const hasOauth = strategies.includes(AuthStrategy.OAUTH2);
+  const securityModulePath = path.join(resolveProjectPath(projectName), "src/host/security/security.module.ts");
+  cpSync(path.join(getSourceCodePath(), "src/host/security/security.module.ts"), securityModulePath, { force: true });
+  if (hasJwt && !hasOauth) {
+    writeFileSync(securityModulePath, patchSecurityModuleForJwt(readFileSync(securityModulePath, "utf8")));
+  }
+}
+export async function patchAuthInstall(projectName, strategies) {
+  if (strategies.length === 0) {
+    throw new Error("Informe ao menos uma estratégia de autenticação.");
+  }
+  installAuthArtifactsForStrategies(projectName, strategies);
+  const projectRoot = resolveProjectPath(projectName);
+  const appModulePath = path.join(projectRoot, "src/host/app.module.ts");
+  const appModule = readFileSync(appModulePath, "utf8");
+  const hasSecurityModule = appModule.includes("SecurityModule");
+  if (!hasSecurityModule) {
+    writeFileSync(appModulePath, patchAppModuleForAuth(appModule));
+    writeFileSync(path.join(projectRoot, "src/infra/repositories/repository.module.ts"), patchRepositoryForAuth(readFileSync(path.join(projectRoot, "src/infra/repositories/repository.module.ts"), "utf8")));
+    writeFileSync(path.join(projectRoot, "src/infra/database/data-source-factory.ts"), patchDataSourceForAuth(readFileSync(path.join(projectRoot, "src/infra/database/data-source-factory.ts"), "utf8")));
+    const mainPath = path.join(projectRoot, "src/host/main.ts");
+    writeFileSync(mainPath, patchMainForAuth(readFileSync(mainPath, "utf8")));
+    patchFile(projectName, "src/host/main.ts", [
+      {
+        from: "import { HttpAdapterHost } from '@nestjs/core';",
+        to: `import { HttpAdapterHost } from '@nestjs/core';
+import { AuthGuard } from './security/guards/auth.guard.js';
+import { ProfilesGuard } from './security/guards/profiles.guard';`
+      },
+      {
+        from: "  await app.listen",
+        to: `  app.useGlobalGuards(
+    await app.resolve(AuthGuard),
+    await app.resolve(ProfilesGuard),
+  );
+
+  await app.listen`
+      }
+    ]);
+  }
+  syncAuthModuleForProject(projectName, strategies);
+  syncDomainAuthServiceForProject(projectName, strategies);
+  syncSecurityModuleForProject(projectName, strategies);
+  syncDefineDocumentationForProject(projectName, strategies);
+  syncAuthStrategySupportFiles(projectName, strategies);
+  pruneAuthArtifactsForStrategies(projectName, strategies);
+  patchEnvForAuthStrategies(projectName, strategies);
+}

package/cli/utils/patch-define-documentation.js

@@ -0,0 +1,222 @@
+import { cpSync, mkdirSync, writeFileSync } from "node:fs";
+import path from "node:path";
+import { AuthStrategy } from "../constants/domain.js";
+import { getSourceCodePath } from "./get-source-code-path.js";
+import { resolveProjectPath } from "./resolve-project-path.js";
+const defineDocumentationWithoutAuth = `import { INestApplication } from '@nestjs/common';
+import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
+import { apiReference } from '@scalar/nestjs-api-reference';
+import packageJson from '../../../package.json';
+
+const DOC_ENDPOINT = '/doc';
+
+export async function defineDocumentation(app: INestApplication) {
+  const document = SwaggerModule.createDocument(
+    app,
+    new DocumentBuilder()
+      .setTitle(packageJson.name)
+      .setVersion(packageJson.version)
+      .build(),
+  );
+
+  SwaggerModule.setup(DOC_ENDPOINT, app, document, { swaggerUiEnabled: false });
+
+  app.use(
+    DOC_ENDPOINT,
+    apiReference({
+      darkMode: true,
+      spec: { content: document },
+      metaData: {
+        title: packageJson.name,
+        version: packageJson.version,
+      },
+      hideModels: true,
+      hideDownloadButton: true,
+      hideClientButton: true,
+      hiddenClients: [
+        'libcurl',
+        'clj_http',
+        'restsharp',
+        'native',
+        'http1.1',
+        'asynchttp',
+        'nethttp',
+        'okhttp',
+        'unirest',
+        'xhr',
+        'request',
+        'nsurlsession',
+        'cohttp',
+        'guzzle',
+        'http1',
+        'http2',
+        'webrequest',
+        'restmethod',
+        'requests',
+        'httr',
+        'httpie',
+        'wget',
+        'undici',
+      ],
+    }),
+  );
+}
+`;
+export function stripDefineDocumentationAuth(projectName) {
+  const targetPath = path.join(resolveProjectPath(projectName), "src/host/open-api/define-documentation.ts");
+  mkdirSync(path.dirname(targetPath), { recursive: true });
+  writeFileSync(targetPath, defineDocumentationWithoutAuth, "utf8");
+}
+export function restoreDefineDocumentationWithAuth(projectName) {
+  cpSync(path.join(getSourceCodePath(), "src/host/open-api/define-documentation.ts"), path.join(resolveProjectPath(projectName), "src/host/open-api/define-documentation.ts"), { force: true });
+}
+const defineDocumentationJwtOnly = `import { EnvConfig } from '@/core/utils/env.config';
+import { isProviderRegistered } from '@/core/utils/is-provider-registered';
+import { resolveApiHost } from '@/core/utils/resolve-api-host';
+import { IJwtTokenService } from '@/domain/auth/services/iauth.service';
+import {
+  applyAuthSecurityToProtectedRoutes,
+  syncIsPublicRoutesInOpenApi,
+} from '@/host/decorators/is-public.decorator';
+import { EnvService } from '@/infra/common/env.service';
+import { INestApplication } from '@nestjs/common';
+import { ModulesContainer } from '@nestjs/core';
+import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
+import { apiReference } from '@scalar/nestjs-api-reference';
+import packageJson from '../../../package.json';
+
+const DOC_ENDPOINT = '/doc';
+const ACCESS_TOKEN_FIELD = 'accessToken';
+
+type DocAuthorization = {
+  name: string;
+  config: Record<string, unknown>;
+};
+
+function hasController(app: INestApplication, controllerName: string) {
+  const modulesContainer = app.get(ModulesContainer);
+
+  for (const moduleRef of modulesContainer.values()) {
+    for (const wrapper of moduleRef.controllers.values()) {
+      if (wrapper.metatype?.name === controllerName) {
+        return true;
+      }
+    }
+  }
+
+  return false;
+}
+
+async function buildDocAuthorizations(
+  app: INestApplication,
+): Promise<DocAuthorization[]> {
+  if (!isProviderRegistered(app, IJwtTokenService)) {
+    return [];
+  }
+
+  const env = app.get(EnvService);
+  const hostAddress = resolveApiHost(env.get('API_HOST'), env.get('PORT'));
+  const isDevelop = EnvConfig.isEnvDevelop;
+  const refreshUrl = \`\${hostAddress}/auth/refresh\`;
+  const authorizations: DocAuthorization[] = [];
+
+  if (hasController(app, 'LoginController')) {
+    authorizations.push({
+      name: 'JWT',
+      config: {
+        type: 'oauth2',
+        flows: {
+          password: {
+            tokenUrl: \`\${hostAddress}/auth/login\`,
+            refreshUrl,
+            username: isDevelop ? 'admin@example.com' : '',
+            password: isDevelop ? 'admin123' : '',
+            'x-tokenName': ACCESS_TOKEN_FIELD,
+          },
+        },
+      },
+    });
+  }
+
+  return authorizations;
+}
+
+export async function defineDocumentation(app: INestApplication) {
+  const authorizations = await buildDocAuthorizations(app);
+
+  const documentBuilder = new DocumentBuilder()
+    .setTitle(packageJson.name)
+    .setVersion(packageJson.version);
+
+  for (const authorization of authorizations) {
+    documentBuilder.addBearerAuth(
+      authorization.config as never,
+      authorization.name,
+    );
+    documentBuilder.addSecurityRequirements(authorization.name);
+  }
+
+  const document = SwaggerModule.createDocument(app, documentBuilder.build());
+
+  if (authorizations.length > 0) {
+    syncIsPublicRoutesInOpenApi(document);
+    applyAuthSecurityToProtectedRoutes(
+      document,
+      authorizations.map((authorization) => authorization.name),
+    );
+  }
+
+  SwaggerModule.setup(DOC_ENDPOINT, app, document, { swaggerUiEnabled: false });
+
+  app.use(
+    DOC_ENDPOINT,
+    apiReference({
+      darkMode: true,
+      spec: { content: document },
+      metaData: {
+        title: packageJson.name,
+        version: packageJson.version,
+      },
+      hideModels: true,
+      hideDownloadButton: true,
+      hideClientButton: true,
+      hiddenClients: [
+        'libcurl',
+        'clj_http',
+        'restsharp',
+        'native',
+        'http1.1',
+        'asynchttp',
+        'nethttp',
+        'okhttp',
+        'unirest',
+        'xhr',
+        'request',
+        'nsurlsession',
+        'cohttp',
+        'guzzle',
+        'http1',
+        'http2',
+        'webrequest',
+        'restmethod',
+        'requests',
+        'httr',
+        'httpie',
+        'wget',
+        'undici',
+      ],
+    }),
+  );
+}
+`;
+export function syncDefineDocumentationForProject(projectName, strategies) {
+  const hasJwt = strategies.includes(AuthStrategy.JWT);
+  const hasOauth = strategies.includes(AuthStrategy.OAUTH2);
+  const targetPath = path.join(resolveProjectPath(projectName), "src/host/open-api/define-documentation.ts");
+  mkdirSync(path.dirname(targetPath), { recursive: true });
+  if (hasJwt && !hasOauth) {
+    writeFileSync(targetPath, defineDocumentationJwtOnly);
+    return;
+  }
+  restoreDefineDocumentationWithAuth(projectName);
+}

package/cli/utils/patch-env.js

@@ -0,0 +1,106 @@
+import { cpSync, mkdirSync, writeFileSync } from "node:fs";
+import path from "node:path";
+import { AuthStrategy } from "../constants/domain.js";
+import { getSourceCodePath } from "./get-source-code-path.js";
+import { resolveProjectPath } from "./resolve-project-path.js";
+const envWithoutAuth = `import { envBooleanSchema } from '@/core/schemas';
+import { z } from 'zod';
+
+export const envSchema = z.object({
+  PORT: z.coerce.number().default(3000),
+  NODE_ENV: z.enum(['test', 'develop', 'staging', 'production']),
+  DATABASE_URL: z.string(),
+  REDIS_CONNECTION_STRING: z.string().optional(),
+  CACHE_KEY_PREFIX: z.string().optional(),
+  CRON_JOBS_ENABLED: envBooleanSchema(false),
+  BOOTSTRAP_DELAY_MS: z.coerce.number().default(0),
+});
+
+export type Env = z.infer<typeof envSchema>;
+
+export function validateEnvConfig(config: Record<string, unknown>): Env {
+  return envSchema.parse(config);
+}
+`;
+const envExampleWithoutAuth = `PORT=3000
+NODE_ENV=develop
+DATABASE_URL=postgresql://postgres:root@localhost:5432/koala_nest
+
+# Redis (opcional)
+# Instância única: pode omitir — usa memória local (cache, lock de CronJob em dev).
+# Várias réplicas: recomendado para cache/lock consistentes entre processos.
+# REDIS_CONNECTION_STRING=redis://localhost:6379
+# CACHE_KEY_PREFIX=koala-nest
+
+# Cron jobs internos. Ative com \`kl-nest add cron\`.
+CRON_JOBS_ENABLED=false
+BOOTSTRAP_DELAY_MS=0
+`;
+export function stripEnvAuth(projectName) {
+  const projectRoot = resolveProjectPath(projectName);
+  mkdirSync(path.join(projectRoot, "src/core"), { recursive: true });
+  writeFileSync(path.join(projectRoot, "src/core/env.ts"), envWithoutAuth);
+  writeFileSync(path.join(projectRoot, ".env.example"), envExampleWithoutAuth);
+}
+export function restoreEnvWithAuth(projectName) {
+  const projectRoot = resolveProjectPath(projectName);
+  for (const relativePath of ["src/core/env.ts", ".env.example"]) {
+    cpSync(path.join(getSourceCodePath(), relativePath), path.join(projectRoot, relativePath), { force: true });
+  }
+}
+const envJwtOnly = `import { envBooleanSchema } from '@/core/schemas';
+import { z } from 'zod';
+
+export const envSchema = z.object({
+  PORT: z.coerce.number().default(3000),
+  NODE_ENV: z.enum(['test', 'develop', 'staging', 'production']),
+  DATABASE_URL: z.string(),
+  REDIS_CONNECTION_STRING: z.string().optional(),
+  CACHE_KEY_PREFIX: z.string().optional(),
+  CRON_JOBS_ENABLED: envBooleanSchema(false),
+  BOOTSTRAP_DELAY_MS: z.coerce.number().default(0),
+  JWT_PRIVATE_KEY: z.string().optional(),
+  JWT_PUBLIC_KEY: z.string().optional(),
+  JWT_ACCESS_TOKEN_EXPIRES_IN: z.string().default('15m'),
+  JWT_REFRESH_TOKEN_EXPIRES_IN: z.string().default('7d'),
+  API_HOST: z.string().optional(),
+});
+
+export type Env = z.infer<typeof envSchema>;
+
+export function validateEnvConfig(config: Record<string, unknown>): Env {
+  return envSchema.parse(config);
+}
+`;
+const envExampleJwtOnly = `PORT=3000
+NODE_ENV=develop
+DATABASE_URL=postgresql://postgres:root@localhost:5432/koala_nest
+
+# Redis (opcional)
+# REDIS_CONNECTION_STRING=redis://localhost:6379
+# CACHE_KEY_PREFIX=koala-nest
+
+CRON_JOBS_ENABLED=false
+BOOTSTRAP_DELAY_MS=0
+
+# JWT (RS256 — chaves em base64)
+JWT_PRIVATE_KEY=
+JWT_PUBLIC_KEY=
+JWT_ACCESS_TOKEN_EXPIRES_IN=15m
+JWT_REFRESH_TOKEN_EXPIRES_IN=7d
+API_HOST=http://localhost:3000
+
+# Usuário demo (migration Init): admin@example.com / admin123
+`;
+export function patchEnvForAuthStrategies(projectName, strategies) {
+  const hasJwt = strategies.includes(AuthStrategy.JWT);
+  const hasOauth = strategies.includes(AuthStrategy.OAUTH2);
+  const projectRoot = resolveProjectPath(projectName);
+  mkdirSync(path.join(projectRoot, "src/core"), { recursive: true });
+  if (hasJwt && !hasOauth) {
+    writeFileSync(path.join(projectRoot, "src/core/env.ts"), envJwtOnly);
+    writeFileSync(path.join(projectRoot, ".env.example"), envExampleJwtOnly);
+    return;
+  }
+  restoreEnvWithAuth(projectName);
+}