@lenne.tech/cli 1.11.1 → 1.13.0

package/build/lib/hoist-workspace-pnpm-config.js

@@ -0,0 +1,97 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hoistWorkspacePnpmConfig = hoistWorkspacePnpmConfig;
+/**
+ * pnpm workspace-scoped fields that must live at the workspace root.
+ * When present in sub-project package.json files, pnpm emits:
+ *
+ *   WARN  The field "<field>" was found in <path>. This will not take
+ *   effect. You should configure "<field>" at the root of the workspace
+ *   instead.
+ *
+ * Crucially, the WARN also means the values are silently ignored — CVE
+ * overrides defined only in projects/api/package.json never reach the
+ * install resolver. Hoisting them to the root fixes both the warning
+ * and the actual dependency-resolution behavior.
+ */
+const WORKSPACE_SCOPED_PNPM_FIELDS = ['overrides', 'onlyBuiltDependencies', 'ignoredOptionalDependencies'];
+/**
+ * Hoist workspace-scoped pnpm config from sub-projects into the root
+ * package.json. After this runs, sub-project package.json files no
+ * longer have `overrides`, `onlyBuiltDependencies`, or
+ * `ignoredOptionalDependencies`, and the root package.json contains
+ * the merged union.
+ *
+ * Idempotent: running twice has the same effect as running once.
+ *
+ * @param options.filesystem  Gluegun filesystem tool
+ * @param options.projectDir  Workspace root (contains pnpm-workspace.yaml)
+ * @param options.subProjects Sub-project dirs relative to projectDir
+ */
+function hoistWorkspacePnpmConfig(options) {
+    var _a;
+    const { filesystem, projectDir, subProjects } = options;
+    const rootPkgPath = `${projectDir}/package.json`;
+    if (!filesystem.exists(rootPkgPath))
+        return;
+    const rootPkg = filesystem.read(rootPkgPath, 'json');
+    if (!rootPkg)
+        return;
+    (_a = rootPkg.pnpm) !== null && _a !== void 0 ? _a : (rootPkg.pnpm = {});
+    let rootChanged = false;
+    for (const subDir of subProjects) {
+        const subPkgPath = `${projectDir}/${subDir}/package.json`;
+        if (!filesystem.exists(subPkgPath))
+            continue;
+        const subPkg = filesystem.read(subPkgPath, 'json');
+        if (!(subPkg === null || subPkg === void 0 ? void 0 : subPkg.pnpm))
+            continue;
+        let subChanged = false;
+        for (const field of WORKSPACE_SCOPED_PNPM_FIELDS) {
+            const subValue = subPkg.pnpm[field];
+            if (subValue === undefined)
+                continue;
+            rootPkg.pnpm[field] = mergePnpmFieldValue(field, rootPkg.pnpm[field], subValue);
+            rootChanged = true;
+            delete subPkg.pnpm[field];
+            subChanged = true;
+        }
+        if (subChanged) {
+            // If the sub-project's pnpm section is now empty, drop it entirely.
+            if (subPkg.pnpm && Object.keys(subPkg.pnpm).length === 0) {
+                delete subPkg.pnpm;
+            }
+            filesystem.write(subPkgPath, `${JSON.stringify(subPkg, null, 2)}\n`);
+        }
+    }
+    if (rootChanged) {
+        filesystem.write(rootPkgPath, `${JSON.stringify(rootPkg, null, 2)}\n`);
+    }
+}
+/**
+ * Merge two values for a pnpm workspace-scoped field.
+ *
+ * pnpm expects:
+ * - `overrides` → object ({pkg: version})
+ * - `onlyBuiltDependencies` → array of strings
+ * - `ignoredOptionalDependencies` → array of strings
+ *
+ * Arrays: deduplicated, alphabetically sorted union.
+ * Objects: sub-project values take precedence over root (sub-projects
+ * like nest-server-starter own the authoritative CVE override list for
+ * their transitive deps; the root usually only seeds cross-cutting
+ * handlebars/minimatch patches).
+ */
+function mergePnpmFieldValue(field, rootValue, subValue) {
+    if (field === 'onlyBuiltDependencies' || field === 'ignoredOptionalDependencies') {
+        const rootArr = Array.isArray(rootValue) ? rootValue : [];
+        const subArr = Array.isArray(subValue) ? subValue : [];
+        return Array.from(new Set([...rootArr, ...subArr])).sort((a, b) => a.localeCompare(b));
+    }
+    const rootObj = rootValue && typeof rootValue === 'object' && !Array.isArray(rootValue)
+        ? rootValue
+        : {};
+    const subObj = subValue && typeof subValue === 'object' && !Array.isArray(subValue) ? subValue : {};
+    const merged = Object.assign(Object.assign({}, rootObj), subObj);
+    return Object.fromEntries(Object.entries(merged).sort(([a], [b]) => a.localeCompare(b)));
+}

package/build/lib/markdown-table.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatMarkdownTable = formatMarkdownTable;
+/**
+ * Build an oxfmt-compatible Markdown table with padded columns so that the
+ * generated file passes `oxfmt --check` without a reformat pass.
+ *
+ * Column width = max(header length, longest cell length, 3). Cells are
+ * padded with trailing spaces; the separator row uses `-` characters of
+ * the same width.
+ *
+ * Character width note: uses JavaScript `.length` (UTF-16 code units),
+ * which matches oxfmt's own accounting for typical BMP characters used
+ * in VENDOR.md generation (em-dash `—`, backticks, version strings).
+ *
+ * @param headers Column headers (top row)
+ * @param rows    Data rows; each row must have `headers.length` cells
+ * @returns       Lines ready to concatenate with `\n`
+ */
+function formatMarkdownTable(headers, rows) {
+    const columnCount = headers.length;
+    const widths = headers.map((h, i) => {
+        const cellMax = rows.reduce((max, row) => { var _a; return Math.max(max, ((_a = row[i]) !== null && _a !== void 0 ? _a : '').length); }, 0);
+        return Math.max(h.length, cellMax, 3);
+    });
+    const formatRow = (cells) => `| ${cells.map((cell, i) => cell.padEnd(widths[i])).join(' | ')} |`;
+    const lines = [formatRow(headers), `| ${widths.map((w) => '-'.repeat(w)).join(' | ')} |`];
+    for (const row of rows) {
+        const padded = Array.from({ length: columnCount }, (_, i) => { var _a; return (_a = row[i]) !== null && _a !== void 0 ? _a : ''; });
+        lines.push(formatRow(padded));
+    }
+    return lines;
+}

package/docs/VENDOR-MODE-WORKFLOW.md

@@ -11,6 +11,7 @@ Practical guide for converting a lenne.tech fullstack project from **npm mode**
 ## Table of Contents
 
 - [Prerequisites](#prerequisites)
+- [Vendor Modification Policy](#vendor-modification-policy)
 - [Part 1: Convert npm → vendor](#part-1-convert-npm--vendor)
 - [Part 2: Update in vendor mode](#part-2-update-in-vendor-mode)
 - [Part 3: Roll back vendor → npm](#part-3-roll-back-vendor--npm)
@@ -32,6 +33,78 @@ Before you start, make sure:
 
 ---
 
+## Vendor Modification Policy
+
+**Read this before you convert.** It shapes how you work in vendor mode.
+
+Vendoring copies the framework source into your project tree:
+
+- Backend: `projects/api/src/core/` (from `@lenne.tech/nest-server`)
+- Frontend: `projects/app/app/core/` (from `@lenne.tech/nuxt-extensions`)
+
+**This is a comprehension aid, not a fork.** The copy exists so Claude
+Code (and humans) can read framework internals directly — it is **not**
+an invitation to embed project-specific behavior in the framework tree.
+
+### When may I edit `core/`?
+
+Only when the change is **generally useful to every consumer** of the
+framework:
+
+| ✅ Valid reason to edit `core/` | ❌ Belongs in project code instead |
+|--------------------------------|------------------------------------|
+| Bugfix that every consumer hits | Customer-specific business rules |
+| Broad framework enhancement | Project tenant IDs, enums, branding |
+| Security vulnerability fix | Proprietary integration adapters |
+| TypeScript / build compatibility | Project-specific authorization logic |
+
+**Project-specific behavior belongs outside `core/`:**
+
+- Backend: extend/inherit from core classes, use `ICoreModuleOverrides`
+  on `CoreModule.forRoot()`
+- Frontend: use `app/composables/`, `app/components/`,
+  `app/middleware/`, or plugin overrides
+
+### Every generic change MUST flow back upstream
+
+If you fixed or improved something in `core/` that every consumer could
+benefit from, you MUST submit it as a pull request to the corresponding
+upstream repository:
+
+| Layer | Command | Upstream |
+|-------|---------|----------|
+| Backend | `/lt-dev:backend:contribute-nest-server-core` | https://github.com/lenneTech/nest-server |
+| Frontend | `/lt-dev:frontend:contribute-nuxt-extensions-core` | https://github.com/lenneTech/nuxt-extensions |
+
+The contributor command analyzes your local changes, filters cosmetic
+noise, categorizes commits as upstream-candidate vs. project-specific,
+cherry-picks candidates onto a branch in a fresh upstream clone, and
+drafts a PR body for your review. It **never auto-pushes** — you
+explicitly open the PR via normal GitHub flow.
+
+**Why this matters:** Without upstream flow-back, useful fixes rot in
+one project's vendor tree and conflict on every sync. Once merged
+upstream, the next `/lt-dev:*:update-*-core` sync picks the change up
+as upstream-delivered and the local patch disappears — clean state for
+everyone.
+
+### Where the policy is documented
+
+The same policy is enforced / surfaced in multiple places so you
+encounter it at every relevant touchpoint:
+
+- `projects/api/src/core/VENDOR.md` and `projects/app/app/core/VENDOR.md`
+  (inside every vendor project, auto-generated by the lt CLI)
+- Skills `nest-server-core-vendoring` and `nuxt-extensions-core-vendoring`
+  (lt-dev plugin)
+- Reviewer agents `backend-reviewer` and `frontend-reviewer`
+  (flag non-compliant changes in code reviews)
+- The contributor commands themselves
+
+When in doubt, **ask before editing `core/`**.
+
+---
+
 ## Part 1: Convert npm → vendor
 
 ### Step 1: Check status

package/docs/commands.md

@@ -230,7 +230,7 @@ lt server convert-mode --to <vendor|npm> [options]
 
 - **npm → vendor:**
   - Clones `@lenne.tech/nest-server` from GitHub at the specified tag (default: currently installed version)
-  - Copies `src/core/`, `src/index.ts`, `src/core.module.ts`, `src/test/`, `src/templates/`, `src/types/`, and `LICENSE` to `<api-root>/src/core/`
+  - Copies `src/core/`, `src/index.ts`, `src/core.module.ts`, `src/test/`, `src/types/`, and `LICENSE` to `<api-root>/src/core/`; places upstream `src/templates/` at `<api-root>/src/templates/` (outside `core/` so the runtime E-Mail template resolver works)
   - Applies flatten-fix on `index.ts`, `core.module.ts`, `test.helper.ts`, `core-persistence-model.interface.ts`
   - Rewrites all consumer imports from `'@lenne.tech/nest-server'` to relative paths
   - Merges upstream dependencies dynamically into `package.json`
@@ -1409,6 +1409,58 @@ lt tools regex [pattern] [text]
 
 ---
 
+### `lt tools crawl`
+
+Crawls a website and stores each page as a Markdown file (with YAML frontmatter containing `source_url`, `download_date`, `first_downloaded`, `description`, language, word count, etc.) so it can be consumed as a Claude Code knowledge base. Optionally follows same-origin links up to a configurable depth, seeds the queue from `<origin>/sitemap.xml`, and downloads referenced images into a shared `images/` folder (deduplicated by content hash). Re-running the command against the same output directory updates existing pages while preserving their original `first_downloaded` timestamp.
+
+**Alias:** `cr`
+
+**Usage:**
+```bash
+lt tools crawl <url> [options]
+```
+
+**Options:**
+- `--out <dir>` — Output directory (default: current directory). Single-page crawls write the `.md` directly here; multi-page crawls generate `<out>/README.md` plus `<out>/pages/` and `<out>/images/`.
+- `--depth <n|all>` — Link depth (default `0`). `0` = only the start page, `1` = start page + direct same-origin links, `2` = and their links, ... Use `--depth all` (or `--depth -1`, or the shortcut flag `--all`) to follow every same-origin link transitively; the crawl then stops when `--max-pages` is reached.
+- `--all` — Shortcut for `--depth all`.
+- `--render` / `--no-render` — Render each page through a headless browser before extraction (default **on**). Required for SPAs (Vue/Nuxt/React/Angular) whose content is client-rendered. Uses `playwright-core` with system Chrome / Edge first, then Playwright's bundled Chromium. Use `--no-render` for a plain HTTP fetch when you know the site is static (faster, no browser needed).
+- `--install-browser` — If `--render` finds no browser, auto-install Playwright's Chromium (one-time ~170 MB download).
+- `--prune` / `--no-prune` — After a multi-page crawl, remove any `.md` or image files inside `<out>/pages` and `<out>/images` that were not written by the current run (default **on**). Keeps the knowledge base aligned with the live site on update runs. Empty subdirectories are cleaned up too. Ignored in single-page mode. Use `--no-prune` to preserve old files.
+- `--no-images` — Disable image downloads.
+- `--no-sitemap` — Skip discovery via `<origin>/sitemap.xml`.
+- `--concurrency <n>` — Parallel HTTP requests (default `4`).
+- `--max-pages <n>` — Safety cap on total pages (default `200`).
+- `--selector <css>` — CSS selector scoping the main content (e.g. `article`, `main`).
+- `--timeout <ms>` — HTTP request timeout in ms (default `20000`).
+- `--noConfirm` — Skip confirmation prompts.
+
+**Examples:**
+```bash
+# Single page into the current directory
+lt tools crawl https://example.com/article --noConfirm
+
+# Crawl start page + direct links into ./knowledge
+lt tools crawl https://example.com --out ./knowledge --depth 1 --noConfirm
+
+# Full mini-site with sitemap seeding and images
+lt tools crawl https://example.com --out ./kb --depth 2 --max-pages 100 --noConfirm
+
+# Crawl every reachable same-origin page (safety cap via --max-pages)
+lt tools crawl https://example.com --out ./kb --depth all --max-pages 500 --noConfirm
+
+# Same, using the --all shortcut
+lt tools crawl https://example.com --out ./kb --all --max-pages 500 --noConfirm
+
+# Full SPA-aware crawl (render + prune are on by default)
+lt tools crawl https://lenne.tech --all --noConfirm
+
+# Opt-out: plain HTTP fetch for a known-static site, keep orphans
+lt tools crawl https://example.com --all --no-render --no-prune --noConfirm
+```
+
+---
+
 ## Configuration Priority
 
 All configurable commands follow this priority order (highest to lowest):

package/docs/lt.config.md

@@ -923,6 +923,43 @@ Reinitializes npm packages.
 }
 ```
 
+#### `lt tools crawl`
+
+Crawls a website into Markdown files (knowledge base builder).
+
+| Field | Type | Default | Description |
+|-------|------|---------|-------------|
+| `commands.tools.crawl.out` | `string` | `.` | Output directory |
+| `commands.tools.crawl.depth` | `number \| "all"` | `0` | Link depth (0 = only start page, 1 = direct links, ..., `"all"` or `-1` = follow every same-origin link, bounded by `maxPages`) |
+| `commands.tools.crawl.includeImages` | `boolean` | `true` | Download images and inline with local paths |
+| `commands.tools.crawl.includeSitemap` | `boolean` | `true` | Also seed queue from `<origin>/sitemap.xml` |
+| `commands.tools.crawl.concurrency` | `number` | `4` | Parallel HTTP requests |
+| `commands.tools.crawl.maxPages` | `number` | `200` | Safety cap on total pages |
+| `commands.tools.crawl.selector` | `string` | – | CSS selector for main content |
+| `commands.tools.crawl.timeout` | `number` | `20000` | HTTP request timeout in ms |
+| `commands.tools.crawl.renderJs` | `boolean` | `true` | Render pages through a headless browser (for SPAs). Uses playwright-core. Set to `false` for plain HTTP. |
+| `commands.tools.crawl.prune` | `boolean` | `true` | Remove orphaned `.md` / image files after a multi-page crawl (update-in-place). Set to `false` to preserve old files. |
+| `commands.tools.crawl.noConfirm` | `boolean` | `false` | Skip confirmation prompts |
+
+**Example:**
+```json
+{
+  "commands": {
+    "tools": {
+      "crawl": {
+        "out": "./knowledge",
+        "depth": 2,
+        "includeImages": true,
+        "includeSitemap": true,
+        "concurrency": 4,
+        "maxPages": 200,
+        "noConfirm": true
+      }
+    }
+  }
+}
+```
+
 ---
 
 ### Metadata

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/cli",
-  "version": "1.11.1",
+  "version": "1.13.0",
   "description": "lenne.Tech CLI: lt",
   "keywords": [
     "lenne.Tech",
@@ -18,7 +18,11 @@
     "lt": "bin/lt"
   },
   "scripts": {
-    "check": "npm install && npm run format && npm run build && npm run start",
+    "c": "npm run check",
+    "cf": "npm run check:fix",
+    "check": "npm install && npm run format && npm run build && npm run check:start",
+    "check:fix": "npm install && npm audit fix && npm run format && npm run lint:fix && npm run build && npm run check:start",
+    "check:start": "bash scripts/check-cli-start.sh",
     "postinstall": "node bin/postinstall.js 2>/dev/null || true",
     "build": "npm run lint && npm run test && npm run clean-build && npm run compile && npm run copy-templates",
     "clean-build": "npx rimraf ./build",
@@ -53,20 +57,24 @@
     "bin"
   ],
   "dependencies": {
-    "@aws-sdk/client-s3": "3.1029.0",
+    "@aws-sdk/client-s3": "3.1032.0",
     "@lenne.tech/cli-plugin-helper": "0.0.14",
     "axios": "1.15.0",
     "bcrypt": "6.0.0",
-    "ejs": "5.0.1",
+    "defuddle": "0.17.0",
     "glob": "13.0.6",
     "gluegun": "5.2.2",
     "js-sha256": "0.11.1",
     "js-yaml": "4.1.1",
+    "jsdom": "29.0.2",
     "lodash": "4.18.1",
     "open": "11.0.0",
-    "ts-morph": "27.0.2",
+    "playwright-core": "1.59.1",
+    "ts-morph": "28.0.0",
     "ts-node": "10.9.2",
-    "typescript": "6.0.2"
+    "turndown": "7.2.4",
+    "turndown-plugin-gfm": "1.0.2",
+    "typescript": "6.0.3"
   },
   "devDependencies": {
     "@lenne.tech/eslint-config-ts": "2.1.4",
@@ -74,25 +82,32 @@
     "@types/ejs": "3.1.5",
     "@types/jest": "30.0.0",
     "@types/js-yaml": "4.0.9",
+    "@types/jsdom": "28.0.1",
     "@types/lodash": "4.17.24",
     "@types/node": "25.6.0",
-    "@typescript-eslint/eslint-plugin": "8.58.1",
-    "@typescript-eslint/parser": "8.58.1",
+    "@types/turndown": "5.0.6",
+    "@typescript-eslint/eslint-plugin": "8.58.2",
+    "@typescript-eslint/parser": "8.58.2",
+    "ejs": "5.0.2",
     "eslint": "9.39.4",
     "eslint-config-prettier": "10.1.8",
     "husky": "9.1.7",
     "jest": "30.3.0",
-    "prettier": "3.8.2",
+    "prettier": "3.8.3",
     "rimraf": "6.1.3",
     "standard-version": "9.5.0",
     "ts-jest": "29.4.9"
   },
+  "//overrides": {
+    "semver@*": "Force latest semver across all sub-deps; gluegun@5.2.2 pins semver@7.7.0 which is stale - remove once gluegun updates its dep."
+  },
   "overrides": {
     "semver@*": "7.7.4"
   },
   "jest": {
     "testEnvironment": "node",
     "rootDir": "__tests__",
+    "testTimeout": 60000,
     "transform": {
       "^.+\\.tsx?$": [
         "ts-jest",