@lenne.tech/cli 1.7.0 → 1.9.0

package/build/templates/permissions/report.html.ejs

@@ -0,0 +1,402 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Permissions Report</title>
+<style>
+:root {
+  --bg: #ffffff; --fg: #1a1a2e; --bg-card: #f8f9fa; --border: #dee2e6;
+  --primary: #0d6efd; --success: #198754; --warning: #ffc107; --danger: #dc3545;
+  --role-everyone: #198754; --role-noone: #dc3545; --role-admin: #0d6efd;
+  --role-user: #e6a817; --role-self: #6c757d; --role-custom: #fd7e14;
+  --shadow: 0 1px 3px rgba(0,0,0,0.12);
+}
+@media (prefers-color-scheme: dark) {
+  :root {
+    --bg: #1a1a2e; --fg: #e0e0e0; --bg-card: #16213e; --border: #3a3a5c;
+    --shadow: 0 1px 3px rgba(0,0,0,0.4);
+  }
+}
+* { margin: 0; padding: 0; box-sizing: border-box; }
+body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background: var(--bg); color: var(--fg); line-height: 1.6; }
+.layout { display: flex; min-height: 100vh; }
+.sidebar { width: 260px; position: sticky; top: 0; height: 100vh; overflow-y: auto; background: var(--bg-card); border-right: 1px solid var(--border); padding: 1rem; flex-shrink: 0; }
+.sidebar h3 { font-size: 0.85rem; text-transform: uppercase; letter-spacing: 0.05em; color: var(--primary); margin-bottom: 0.5rem; }
+.sidebar a { display: block; padding: 0.25rem 0.5rem; color: var(--fg); text-decoration: none; font-size: 0.85rem; border-radius: 4px; }
+.sidebar a:hover { background: var(--border); }
+.sidebar a.indent { padding-left: 1.5rem; font-size: 0.8rem; opacity: 0.8; }
+.main { flex: 1; padding: 2rem; max-width: 1200px; }
+.dashboard { display: grid; grid-template-columns: repeat(auto-fit, minmax(150px, 1fr)); gap: 1rem; margin-bottom: 2rem; }
+.stat { background: var(--bg-card); border: 1px solid var(--border); border-radius: 8px; padding: 1rem; text-align: center; box-shadow: var(--shadow); }
+.stat .num { font-size: 2rem; font-weight: 700; color: var(--primary); }
+.stat .label { font-size: 0.8rem; opacity: 0.7; }
+.stat.warn .num { color: var(--warning); }
+.stat.danger .num { color: var(--danger); }
+.controls { display: flex; gap: 1rem; flex-wrap: wrap; margin-bottom: 1.5rem; align-items: center; }
+.controls input, .controls select { padding: 0.4rem 0.8rem; border: 1px solid var(--border); border-radius: 6px; background: var(--bg); color: var(--fg); font-size: 0.9rem; }
+.controls input { flex: 1; min-width: 200px; }
+.controls label { font-size: 0.85rem; display: flex; align-items: center; gap: 0.3rem; }
+.badge { display: inline-block; padding: 0.15rem 0.5rem; border-radius: 12px; font-size: 0.75rem; font-weight: 600; color: #fff; }
+.badge-everyone { background: var(--role-everyone); }
+.badge-noone { background: var(--role-noone); }
+.badge-admin { background: var(--role-admin); }
+.badge-user { background: var(--role-user); color: #000; }
+.badge-self, .badge-creator { background: var(--role-self); }
+.badge-custom { background: var(--role-custom); }
+.badge-warn { background: var(--warning); color: #000; }
+section { margin-bottom: 2rem; }
+h1 { font-size: 1.8rem; margin-bottom: 0.5rem; }
+h2 { font-size: 1.4rem; margin: 1.5rem 0 0.75rem; padding-bottom: 0.3rem; border-bottom: 2px solid var(--primary); }
+h3 { font-size: 1.1rem; margin: 1rem 0 0.5rem; }
+.meta { font-size: 0.85rem; opacity: 0.7; margin-bottom: 0.25rem; }
+table { width: 100%; border-collapse: collapse; margin: 0.5rem 0 1rem; font-size: 0.85rem; }
+th, td { padding: 0.4rem 0.6rem; text-align: left; border: 1px solid var(--border); }
+th { background: var(--bg-card); cursor: pointer; user-select: none; white-space: nowrap; }
+th:hover { background: var(--border); }
+tr:nth-child(even) { background: var(--bg-card); }
+.collapsible { cursor: pointer; }
+.collapsible::before { content: '\25B6'; display: inline-block; margin-right: 0.5rem; transition: transform 0.2s; font-size: 0.8rem; }
+.collapsible.open::before { transform: rotate(90deg); }
+.collapse-content { display: none; }
+.collapse-content.open { display: block; }
+.warning-row { background: rgba(255, 193, 7, 0.1) !important; }
+.btn { padding: 0.4rem 0.8rem; border: 1px solid var(--border); border-radius: 6px; background: var(--bg-card); color: var(--fg); cursor: pointer; font-size: 0.8rem; }
+.btn:hover { background: var(--border); }
+.module-header { position: sticky; top: 0; background: var(--bg); z-index: 10; padding: 0.5rem 0; border-bottom: 1px solid var(--border); }
+@media (max-width: 768px) {
+  .sidebar { display: none; }
+  .main { padding: 1rem; }
+  .dashboard { grid-template-columns: repeat(2, 1fr); }
+}
+</style>
+</head>
+<body>
+<div class="layout">
+<nav class="sidebar">
+  <h3>Permissions Report</h3>
+  <a href="#dashboard">Dashboard</a>
+  <a href="#role-index">Role Index</a>
+  <a href="#warnings">Warnings (<%= props.warnings.length %>)</a>
+  <hr style="margin:0.5rem 0;border-color:var(--border)">
+  <% for (const mod of props.modules) { %>
+  <a href="#mod-<%= mod.name %>"><%= mod.name %></a>
+  <% for (const model of mod.models) { %><a href="#model-<%= mod.name %>-<%= model.className %>" class="indent">Model: <%= model.className %></a><% } %>
+  <% for (const ctrl of mod.controllers) { %><a href="#ctrl-<%= mod.name %>-<%= ctrl.className %>" class="indent">Ctrl: <%= ctrl.className %></a><% } %>
+  <% for (const res of mod.resolvers) { %><a href="#res-<%= mod.name %>-<%= res.className %>" class="indent">Resolver: <%= res.className %></a><% } %>
+  <% } %>
+  <% if (props.objects.length > 0) { %>
+  <hr style="margin:0.5rem 0;border-color:var(--border)">
+  <a href="#subobjects">SubObjects</a>
+  <% } %>
+  <hr style="margin:0.5rem 0;border-color:var(--border)">
+  <button class="btn" onclick="exportAs('md')">Export MD</button>
+  <button class="btn" onclick="exportAs('json')">Export JSON</button>
+</nav>
+
+<div class="main">
+<h1>Permissions Report</h1>
+<p class="meta">Generated: <%= props.generated %></p>
+<p class="meta">Project: <%= props.projectPath %></p>
+
+<section id="dashboard">
+<div class="dashboard">
+  <div class="stat"><div class="num"><%= props.stats.totalModules %></div><div class="label">Modules</div></div>
+  <div class="stat"><div class="num"><%= props.stats.totalModels %></div><div class="label">Models</div></div>
+  <div class="stat"><div class="num"><%= props.stats.totalEndpoints %></div><div class="label">Endpoints</div></div>
+  <div class="stat"><div class="num"><%= props.stats.totalSubObjects %></div><div class="label">SubObjects</div></div>
+  <div class="stat <%= props.stats.totalWarnings > 0 ? 'danger' : '' %>"><div class="num"><%= props.stats.totalWarnings %></div><div class="label">Warnings</div></div>
+  <% var ecClass = props.stats.endpointCoverage >= 90 ? '' : props.stats.endpointCoverage >= 70 ? 'warn' : 'danger'; %>
+  <div class="stat <%= ecClass %>"><div class="num"><%= props.stats.endpointCoverage %>%</div><div class="label">Endpoint Coverage</div></div>
+  <% var scClass = props.stats.securityCoverage >= 90 ? '' : props.stats.securityCoverage >= 70 ? 'warn' : 'danger'; %>
+  <div class="stat <%= scClass %>"><div class="num"><%= props.stats.securityCoverage %>%</div><div class="label">Security Coverage</div></div>
+</div>
+</section>
+
+<section>
+<div class="controls">
+  <input type="text" id="search" placeholder="Search modules, fields, roles..." oninput="filterAll()">
+  <select id="roleFilter" onchange="filterAll()">
+    <option value="">All Roles</option>
+  </select>
+  <label><input type="checkbox" id="warnOnly" onchange="filterAll()"> Warnings only</label>
+</div>
+</section>
+
+<section id="role-index">
+<h2 class="collapsible open" onclick="toggle(this)">Role Index</h2>
+<div class="collapse-content open">
+<% if (props.roleEnums.length > 0) { %>
+<table>
+<thead><tr><th>Enum</th><th>Value</th><th>Type</th></tr></thead>
+<tbody>
+<% for (const e of props.roleEnums) { for (const v of e.values) { %>
+<tr>
+  <td><%= e.name %>.<%= v.key %></td>
+  <td><%= v.key.startsWith('S_') ? '(system)' : v.value %></td>
+  <td><span class="badge <%= getBadgeClass(v.key) %>"><%= v.key.startsWith('S_') ? 'System' : 'Real' %></span></td>
+</tr>
+<% } } %>
+</tbody>
+</table>
+<% } else { %>
+<p><em>No role enums found.</em></p>
+<% } %>
+</div>
+</section>
+
+<section id="warnings">
+<h2 class="collapsible open" onclick="toggle(this)">Warnings (<%= props.warnings.length %>)</h2>
+<div class="collapse-content open">
+<% if (props.warnings.length > 0) { %>
+<table>
+<thead><tr><th>#</th><th>Module</th><th>File</th><th>Type</th><th>Details</th></tr></thead>
+<tbody>
+<% props.warnings.forEach((w, i) => { %>
+<tr class="warning-row">
+  <td><%= i + 1 %></td>
+  <td><%= w.module %></td>
+  <td><%= w.file.split('/').pop() %></td>
+  <td><span class="badge badge-warn"><%= w.type %></span></td>
+  <td><%= w.details %></td>
+</tr>
+<% }) %>
+</tbody>
+</table>
+<% } else { %>
+<p><em>No warnings found.</em></p>
+<% } %>
+</div>
+</section>
+
+<% for (const mod of props.modules) { %>
+<section class="module-section" id="mod-<%= mod.name %>" data-module="<%= mod.name %>" data-has-warnings="<%= props.warnings.some(w => w.module === mod.name) %>">
+<div class="module-header">
+<h2 class="collapsible open" onclick="toggle(this)">Module: <%= mod.name %></h2>
+</div>
+<div class="collapse-content open">
+
+<% for (const model of mod.models) { %>
+<div id="model-<%= mod.name %>-<%= model.className %>">
+<h3>Model: <%= model.className %></h3>
+<p class="meta">File: <%= model.filePath %></p>
+<% if (model.extendsClass) { %><p class="meta">Extends: <%= model.extendsClass %></p><% } %>
+<p class="meta">Class Restriction: <% if (model.classRestriction.length > 0) { model.classRestriction.forEach(r => { %><span class="badge <%= getBadgeClass(r) %>"><%= r %></span> <% }) } else { %><em>(none)</em><% } %></p>
+<p class="meta">securityCheck: <% if (model.securityCheck) { %><%= model.securityCheck.summary %><% } else { %><em>Not present</em><% } %></p>
+<% if (model.fields.length > 0) { %>
+<table>
+<thead><tr><th>Field</th><th>Roles</th><th>Source</th></tr></thead>
+<tbody>
+<% for (const f of model.fields) { %>
+<tr>
+  <td><%= f.name %></td>
+  <td><%= f.roles %></td>
+  <td><%= f.inherited ? 'inherited' : 'local' %></td>
+</tr>
+<% } %>
+</tbody>
+</table>
+<% } %>
+</div>
+<% } %>
+
+<% for (const input of mod.inputs) { %>
+<div>
+<h3>Input: <%= input.className %></h3>
+<p class="meta">File: <%= input.filePath %></p>
+<% if (input.extendsClass) { %><p class="meta">Extends: <%= input.extendsClass %></p><% } %>
+<% if (input.fields.length > 0) { %>
+<table>
+<thead><tr><th>Field</th><th>Roles</th></tr></thead>
+<tbody>
+<% for (const f of input.fields) { %>
+<tr><td><%= f.name %></td><td><%= f.roles %></td></tr>
+<% } %>
+</tbody>
+</table>
+<% } %>
+</div>
+<% } %>
+
+<% for (const ctrl of mod.controllers) { %>
+<div id="ctrl-<%= mod.name %>-<%= ctrl.className %>">
+<h3>Controller: <%= ctrl.className %></h3>
+<p class="meta">File: <%= ctrl.filePath %></p>
+<p class="meta">Class Roles: <% if (ctrl.classRoles.length > 0) { ctrl.classRoles.forEach(r => { %><span class="badge <%= getBadgeClass(r) %>"><%= r %></span> <% }) } else { %><em>(none)</em><% } %></p>
+<% if (ctrl.methods.length > 0) { %>
+<table>
+<thead><tr><th>Method</th><th>HTTP</th><th>Route</th><th>Roles</th><th>Effective</th></tr></thead>
+<tbody>
+<% for (const m of ctrl.methods) { const eff = m.roles.length > 0 ? m.roles : ctrl.classRoles; %>
+<tr>
+  <td><%= m.name %></td>
+  <td><%= m.httpMethod %></td>
+  <td><%= m.route || '/' %></td>
+  <td><% if (m.roles.length > 0) { m.roles.forEach(r => { %><span class="badge <%= getBadgeClass(r) %>"><%= r %></span> <% }) } else { %><em>(none)</em><% } %></td>
+  <td><% eff.forEach(r => { %><span class="badge <%= getBadgeClass(r) %>"><%= r %></span> <% }) %><%= m.roles.length === 0 && ctrl.classRoles.length > 0 ? '(class)' : '' %></td>
+</tr>
+<% } %>
+</tbody>
+</table>
+<% } %>
+</div>
+<% } %>
+
+<% for (const res of mod.resolvers) { %>
+<div id="res-<%= mod.name %>-<%= res.className %>">
+<h3>Resolver: <%= res.className %></h3>
+<p class="meta">File: <%= res.filePath %></p>
+<p class="meta">Class Roles: <% if (res.classRoles.length > 0) { res.classRoles.forEach(r => { %><span class="badge <%= getBadgeClass(r) %>"><%= r %></span> <% }) } else { %><em>(none)</em><% } %></p>
+<% if (res.methods.length > 0) { %>
+<table>
+<thead><tr><th>Method</th><th>Type</th><th>Roles</th><th>Effective</th></tr></thead>
+<tbody>
+<% for (const m of res.methods) { const eff = m.roles.length > 0 ? m.roles : res.classRoles; %>
+<tr>
+  <td><%= m.name %></td>
+  <td><%= m.httpMethod %></td>
+  <td><% if (m.roles.length > 0) { m.roles.forEach(r => { %><span class="badge <%= getBadgeClass(r) %>"><%= r %></span> <% }) } else { %><em>(none)</em><% } %></td>
+  <td><% eff.forEach(r => { %><span class="badge <%= getBadgeClass(r) %>"><%= r %></span> <% }) %><%= m.roles.length === 0 && res.classRoles.length > 0 ? '(class)' : '' %></td>
+</tr>
+<% } %>
+</tbody>
+</table>
+<% } %>
+</div>
+<% } %>
+
+</div>
+</section>
+<% } %>
+
+<% if (props.objects.length > 0) { %>
+<section id="subobjects">
+<h2>SubObjects</h2>
+<% for (const obj of props.objects) { %>
+<div>
+<h3><%= obj.className %></h3>
+<p class="meta">File: <%= obj.filePath %></p>
+<% if (obj.extendsClass) { %><p class="meta">Extends: <%= obj.extendsClass %></p><% } %>
+<% if (obj.fields.length > 0) { %>
+<table>
+<thead><tr><th>Field</th><th>Roles</th><th>Source</th></tr></thead>
+<tbody>
+<% for (const f of obj.fields) { %>
+<tr><td><%= f.name %></td><td><%= f.roles %></td><td><%= f.inherited ? 'inherited' : 'local' %></td></tr>
+<% } %>
+</tbody>
+</table>
+<% } %>
+</div>
+<% } %>
+</section>
+<% } %>
+
+</div>
+</div>
+
+<script>
+var DATA = <%- JSON.stringify({ modules: props.modules, objects: props.objects, roleEnums: props.roleEnums, stats: props.stats, warnings: props.warnings }) %>;
+
+// Populate role filter
+(function() {
+  var sel = document.getElementById('roleFilter');
+  var roles = {};
+  DATA.roleEnums.forEach(function(e) { e.values.forEach(function(v) { roles[v.key] = true; }); });
+  DATA.modules.forEach(function(mod) {
+    mod.models.forEach(function(model) {
+      model.classRestriction.forEach(function(r) { roles[r] = true; });
+      model.fields.forEach(function(f) {
+        var m = f.roles.match(/`([^`]+)`/g);
+        if (m) m.forEach(function(r) { roles[r.replace(/`/g, '')] = true; });
+      });
+    });
+    mod.controllers.forEach(function(ep) {
+      ep.classRoles.forEach(function(r) { roles[r] = true; });
+      ep.methods.forEach(function(m) { m.roles.forEach(function(r) { roles[r] = true; }); });
+    });
+    mod.resolvers.forEach(function(ep) {
+      ep.classRoles.forEach(function(r) { roles[r] = true; });
+      ep.methods.forEach(function(m) { m.roles.forEach(function(r) { roles[r] = true; }); });
+    });
+  });
+  Object.keys(roles).sort().forEach(function(r) {
+    var o = document.createElement('option');
+    o.value = r; o.textContent = r;
+    sel.appendChild(o);
+  });
+})();
+
+function toggle(el) {
+  el.classList.toggle('open');
+  var content = el.nextElementSibling;
+  if (content) content.classList.toggle('open');
+}
+
+function filterAll() {
+  var q = document.getElementById('search').value.toLowerCase();
+  var role = document.getElementById('roleFilter').value;
+  var warnOnly = document.getElementById('warnOnly').checked;
+
+  document.querySelectorAll('.module-section').forEach(function(section) {
+    var hasWarnings = section.dataset.hasWarnings === 'true';
+    var text = section.textContent.toLowerCase();
+    var show = true;
+    if (q && !text.includes(q)) show = false;
+    if (warnOnly && !hasWarnings) show = false;
+    if (role && !text.includes(role.toLowerCase())) show = false;
+    section.style.display = show ? '' : 'none';
+  });
+
+  var warningsSection = document.getElementById('warnings');
+  if (warningsSection) {
+    warningsSection.querySelectorAll('tbody tr').forEach(function(row) {
+      var text = row.textContent.toLowerCase();
+      var show = true;
+      if (q && !text.includes(q)) show = false;
+      row.style.display = show ? '' : 'none';
+    });
+  }
+}
+
+document.querySelectorAll('th').forEach(function(th) {
+  th.addEventListener('click', function() {
+    var table = this.closest('table');
+    var tbody = table.querySelector('tbody');
+    if (!tbody) return;
+    var idx = Array.from(this.parentNode.children).indexOf(this);
+    var rows = Array.from(tbody.querySelectorAll('tr'));
+    var asc = this.dataset.sort !== 'asc';
+    rows.sort(function(a, b) {
+      var at = (a.children[idx] || {}).textContent || '';
+      var bt = (b.children[idx] || {}).textContent || '';
+      return asc ? at.localeCompare(bt) : bt.localeCompare(at);
+    });
+    this.dataset.sort = asc ? 'asc' : 'desc';
+    rows.forEach(function(r) { tbody.appendChild(r); });
+  });
+});
+
+function exportAs(fmt) {
+  var blob = new Blob([JSON.stringify(DATA, null, 2)], { type: fmt === 'json' ? 'application/json' : 'text/plain' });
+  var a = document.createElement('a');
+  a.href = URL.createObjectURL(blob);
+  a.download = 'permissions.' + fmt;
+  a.click();
+}
+</script>
+</body>
+</html>
+<%
+function getBadgeClass(role) {
+  if (!role) return 'badge-custom';
+  var r = role.toUpperCase();
+  if (r === 'S_EVERYONE') return 'badge-everyone';
+  if (r === 'S_NO_ONE') return 'badge-noone';
+  if (r === 'ADMIN') return 'badge-admin';
+  if (r === 'S_USER') return 'badge-user';
+  if (r === 'S_SELF') return 'badge-self';
+  if (r === 'S_CREATOR') return 'badge-creator';
+  return 'badge-custom';
+}
+%>

package/docs/commands.md

@@ -123,6 +123,30 @@ lt server object [options]
 
 ---
 
+### `lt server permissions`
+
+Scans all server modules and generates a permissions report showing roles, restrictions, and security gaps.
+
+**Usage:**
+```bash
+lt server permissions [options]
+```
+
+**Options:**
+| Option | Description |
+|--------|-------------|
+| `--path <dir>` | Path to NestJS project (default: auto-detect) |
+| `--output <file>` | Output file (default: `permissions.<format>`) |
+| `--format <md\|json\|html>` | Output format (default: `html` for TTY, `json` for CI) |
+| `--open` / `--no-open` | Open report in browser (default: `true` for TTY) |
+| `--console` | Print summary to console |
+| `--fail-on-warnings` | Exit code 1 on warnings (for CI/CD) |
+| `--noConfirm` | Skip confirmation prompts |
+
+**Configuration:** `commands.server.permissions.*`, `defaults.noConfirm`
+
+---
+
 ### `lt server addProp`
 
 Adds a property to an existing module or object.
@@ -436,10 +460,12 @@ lt fullstack init [options]
 | `--frontend-branch <branch>` | Branch of frontend starter to use (ng-base-starter or nuxt-base-starter) |
 | `--frontend-copy <path>` | Copy frontend from local template directory |
 | `--frontend-link <path>` | Symlink frontend to local template (fastest, changes affect original) |
-| `--git` | Initialize git repository |
-| `--git-link <url>` | Git repository URL |
+| `--git` | Push initial commit to remote repository (git is always initialized) |
+| `--git-link <url>` | Git remote repository URL (required when `--git` is true) |
 | `--noConfirm` | Skip confirmation prompts |
 
+**Note:** Git is always initialized with the `dev` branch. The `--git` flag only controls whether the initial commit is pushed to a remote repository.
+
 **Note:** For Nuxt frontends with `--frontend-copy` or `--frontend-link`, specify the path to the `nuxt-base-template/` subdirectory, not the repository root.
 
 **Configuration:** `commands.fullstack.*`, `defaults.noConfirm`

package/docs/lt.config.md

@@ -101,6 +101,7 @@ The `defaults` section contains settings that apply across multiple commands. Th
 | `defaults.controller` | `'Rest'` \| `'GraphQL'` \| `'Both'` \| `'auto'` | `'Both'` | server/module, server/create |
 | `defaults.domain` | `string` | - | deployment/create (use `{name}` as placeholder) |
 | `defaults.noConfirm` | `boolean` | `false` | blocks/add, components/add, config/init, git/*, server/create, server/module, npm/reinit, cli/create, typescript/create, fullstack/init, deployment/create, frontend/angular |
+| `defaults.packageManager` | `'npm'` \| `'pnpm'` \| `'yarn'` | `'npm'` | Fallback when no lockfile is found. Auto-detection from lockfiles takes precedence. Used by: all commands that run package manager operations |
 | `defaults.skipInstall` | `boolean` | `false` | git/update |
 | `defaults.skipLint` | `boolean` | `false` | server/module, server/object, server/addProp |
 
@@ -114,6 +115,7 @@ The `defaults` section contains settings that apply across multiple commands. Th
     "controller": "Both",
     "domain": "{name}.lenne.tech",
     "noConfirm": false,
+    "packageManager": "npm",
     "skipInstall": false,
     "skipLint": false
   }
@@ -129,10 +131,23 @@ defaults:
   controller: Both
   domain: "{name}.lenne.tech"
   noConfirm: false
+  packageManager: npm
   skipInstall: false
   skipLint: false
 ```
 
+### Package Manager Detection
+
+The CLI automatically detects the package manager for your project. The detection order is:
+
+1. **Lockfile in current directory**: `pnpm-lock.yaml` -> pnpm, `yarn.lock` -> yarn, `package-lock.json` -> npm
+2. **`packageManager` field in package.json** (Corepack standard): e.g., `"packageManager": "pnpm@8.15.0"`
+3. **Lockfile in parent directories** (monorepo support)
+4. **Config fallback**: `defaults.packageManager` from lt.config
+5. **Default**: `npm`
+
+This means all CLI commands (`lt server create`, `lt fullstack init`, `lt npm reinit`, etc.) will use the correct package manager automatically without any configuration needed.
+
 ### Global vs Command-Specific Settings
 
 Global defaults provide a convenient way to set organization-wide preferences. Command-specific settings override these when you need different behavior for a particular command.
@@ -333,6 +348,37 @@ Creates a new server object (embedded document).
 
 ---
 
+#### `lt server permissions`
+
+Scans server modules and generates a permissions report.
+
+| Field | Type | Default | Description |
+|-------|------|---------|-------------|
+| `commands.server.permissions.format` | `'md'` \| `'json'` \| `'html'` | `'html'` (TTY) / `'json'` (CI) | Output format |
+| `commands.server.permissions.output` | `string` | `permissions.<format>` | Output file path |
+| `commands.server.permissions.path` | `string` | auto-detect | Path to NestJS project |
+| `commands.server.permissions.open` | `boolean` | `true` (TTY) / `false` (CI) | Open report in browser |
+| `commands.server.permissions.console` | `boolean` | `false` | Print summary to console |
+| `commands.server.permissions.failOnWarnings` | `boolean` | `false` | Exit code 1 on warnings |
+| `commands.server.permissions.noConfirm` | `boolean` | `false` | Skip confirmation prompts |
+
+**Example:**
+```json
+{
+  "commands": {
+    "server": {
+      "permissions": {
+        "format": "html",
+        "open": true,
+        "failOnWarnings": true
+      }
+    }
+  }
+}
+```
+
+---
+
 #### `lt server addProp`
 
 Adds a property to an existing module or object.
@@ -525,8 +571,8 @@ Creates a new fullstack workspace with API and frontend.
 | `commands.fullstack.frontendBranch` | `string` | - | Branch of frontend starter to use (ng-base-starter or nuxt-base-starter) |
 | `commands.fullstack.frontendCopy` | `string` | - | Path to local frontend template directory to copy instead of cloning |
 | `commands.fullstack.frontendLink` | `string` | - | Path to local frontend template directory to symlink (fastest, changes affect original) |
-| `commands.fullstack.git` | `boolean` | - | Initialize git repository |
-| `commands.fullstack.gitLink` | `string` | - | Git repository URL |
+| `commands.fullstack.git` | `boolean` | - | Push initial commit to remote repository (git is always initialized with `dev` branch) |
+| `commands.fullstack.gitLink` | `string` | - | Git remote repository URL (required when `git` is true) |
 
 **Example:**
 ```json
@@ -912,6 +958,7 @@ The `meta` section stores project information.
     "controller": "Both",
     "domain": "{name}.lenne.tech",
     "noConfirm": false,
+    "packageManager": "npm",
     "skipInstall": false,
     "skipLint": false
   },
@@ -924,7 +971,8 @@ The `meta` section stores project information.
     },
     "fullstack": {
       "frontend": "nuxt",
-      "git": false
+      "git": false,
+      "gitLink": "https://github.com/myorg/myproject.git"
     },
     "git": {
       "defaultBranch": "develop",
@@ -959,6 +1007,7 @@ defaults:
   controller: Both
   domain: "{name}.lenne.tech"
   noConfirm: false
+  packageManager: npm
   skipInstall: false
   skipLint: false
 
@@ -972,6 +1021,7 @@ commands:
   fullstack:
     frontend: nuxt
     git: false
+    gitLink: "https://github.com/myorg/myproject.git"
 
   git:
     defaultBranch: develop

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/cli",
-  "version": "1.7.0",
+  "version": "1.9.0",
   "description": "lenne.Tech CLI: lt",
   "keywords": [
     "lenne.Tech",
@@ -18,6 +18,7 @@
     "lt": "bin/lt"
   },
   "scripts": {
+    "check": "npm install && npm run format && npm run build && npm run start",
     "postinstall": "node bin/postinstall.js 2>/dev/null || true",
     "build": "npm run lint && npm run test && npm run clean-build && npm run compile && npm run copy-templates",
     "clean-build": "npx rimraf ./build",
@@ -50,7 +51,7 @@
     "bin"
   ],
   "dependencies": {
-    "@aws-sdk/client-s3": "3.985.0",
+    "@aws-sdk/client-s3": "3.986.0",
     "@lenne.tech/cli-plugin-helper": "0.0.14",
     "@types/lodash": "4.17.23",
     "bcrypt": "6.0.0",
@@ -72,8 +73,8 @@
     "@types/jest": "30.0.0",
     "@types/js-yaml": "4.0.9",
     "@types/node": "25.2.2",
-    "@typescript-eslint/eslint-plugin": "8.54.0",
-    "@typescript-eslint/parser": "8.54.0",
+    "@typescript-eslint/eslint-plugin": "8.55.0",
+    "@typescript-eslint/parser": "8.55.0",
     "eslint": "9.39.2",
     "eslint-config-prettier": "10.1.8",
     "husky": "9.1.7",