@mars-stack/cli 8.0.7 → 8.0.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mars-stack/cli",
-  "version": "8.0.7",
+  "version": "8.0.9",
   "description": "MARS CLI: scaffold, configure, and maintain SaaS apps",
   "license": "MIT",
   "repository": {

package/template/.cursor/rules/mars-security.mdc

@@ -9,7 +9,7 @@ alwaysApply: true
 - Every API route under `src/app/api/protected/` MUST use `withAuth`, `withAuthNoParams`, `withRole`, or `withOwnership` from `@/lib/mars`.
 - Admin-only routes MUST use `withRole(['admin'], ...)` which verifies the role against the database on every request. Never trust the JWT role claim alone.
 - Ownership-gated routes MUST use `withOwnership`. Never accept a `userId` parameter from the client for authorization.
-- Public auth endpoints (`login`, `signup`, `forgot`, `reset`, `verify`) MUST call `checkRateLimit` with the appropriate `RATE_LIMITS` config from `@mars-stack/core/rate-limit`.
+- Public auth endpoints (`login`, `signup`, `forgot`, `reset`, `verify`, `me`, `logout`) MUST call `checkRateLimit` with the appropriate `RATE_LIMITS` config from `@mars-stack/core/rate-limit`.
 
 ## Secrets
 

package/template/e2e-kitchen-sink/playwright.config.ts

@@ -7,6 +7,9 @@ import { defineConfig, devices } from '@playwright/test';
 export default defineConfig({
   testDir: '.',
   testMatch: 'kitchen-sink-catalog.spec.ts',
+  // Scaffold copies template/e2e-kitchen-sink/ into the project; the runner also copies this
+  // spec to the repo root — without ignore, Playwright discovers the same tests twice (CI timeout).
+  testIgnore: '**/e2e-kitchen-sink/**',
   fullyParallel: false,
   forbidOnly: !!process.env.CI,
   retries: process.env.CI ? 2 : 0,

package/template/scripts/seed.ts

@@ -1,4 +1,7 @@
-import { PrismaClient } from '../prisma/generated/prisma/client.js';
+// Relative import: `prisma db seed` runs this file with `tsx`. The `@db` tsconfig alias
+// is not a valid Node package name (ERR_INVALID_MODULE_SPECIFIER). Omit `.js` so tsx
+// resolves Prisma’s emitted `client.ts` (there is no standalone `client.js` on disk).
+import { PrismaClient } from '../prisma/generated/prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
 import { hashPassword } from '@mars-stack/core/auth/password-hash';
 

package/template/src/app/api/auth/logout/route.ts

@@ -1,8 +1,15 @@
-import { deleteSession, getSession } from '@/lib/mars';
+import 'server-only';
+
+import { deleteSession, getSession, handleApiError } from '@/lib/mars';
+import { checkRateLimit, getClientIP, RATE_LIMITS, rateLimitResponse } from '@mars-stack/core/rate-limit';
 import { revokeAllSessionsForUser } from '@/features/auth/server/sessions';
 import { NextResponse } from 'next/server';
 
-export async function POST() {
+export async function POST(request: Request) {
+  const ip = getClientIP(request);
+  const rateLimit = await checkRateLimit(ip, RATE_LIMITS.logout);
+  if (!rateLimit.success) return rateLimitResponse(rateLimit.resetAt);
+
   try {
     const session = await getSession();
 
@@ -13,7 +20,6 @@ export async function POST() {
     await deleteSession();
     return NextResponse.json({ message: 'Logout successful' }, { status: 200 });
   } catch (error) {
-    console.error('Logout error:', error);
-    return NextResponse.json({ error: 'An error occurred during logout' }, { status: 500 });
+    return handleApiError(error, { endpoint: '/api/auth/logout' });
   }
 }

package/template/src/app/api/auth/me/route.ts

@@ -1,7 +1,14 @@
+import 'server-only';
+
 import { handleApiError, getSession } from '@/lib/mars';
+import { checkRateLimit, getClientIP, RATE_LIMITS, rateLimitResponse } from '@mars-stack/core/rate-limit';
 import { NextResponse } from 'next/server';
 
-export async function GET() {
+export async function GET(request: Request) {
+  const ip = getClientIP(request);
+  const rateLimit = await checkRateLimit(ip, RATE_LIMITS.sessionMe);
+  if (!rateLimit.success) return rateLimitResponse(rateLimit.resetAt);
+
   try {
     const session = await getSession();