@oaklandzoo/ostup 0.11.0 → 0.13.0

package/templates/.claude/commands/publish.md

@@ -0,0 +1,77 @@
+---
+description: Publish a new version of this package to npm. Bumps version, runs tests, publishes, tags, pushes.
+---
+
+# Publish to npm
+
+Use this when the operator says "publish a patch / minor / major" or "ship a new version".
+
+## Preflight
+
+- This command only makes sense if `package.json` has a `version` field and the project is an npm package (not a private app).
+- Confirm `~/.npmrc` has an authToken or `npm whoami` succeeds. If neither, stop and tell the operator to run `npm login` or paste a Bypass-2FA token from `https://www.npmjs.com/settings/<username>/tokens/new`.
+- Working tree must be clean (`git status --porcelain` returns empty). If dirty, refuse and ask the operator to commit or stash first.
+
+## Steps
+
+### 1. Pick the version bump
+
+If the operator named a level (patch / minor / major), use it. Otherwise ask:
+
+| Level | When |
+|---|---|
+| patch | Bug fixes, no API change |
+| minor | New backwards-compatible features |
+| major | Breaking changes |
+
+### 2. Bump the version
+
+```bash
+npm version <patch|minor|major> --no-git-tag-version
+```
+
+This updates `package.json` only. We tag manually at the end so the commit message + tag stay in sync.
+
+### 3. Run tests
+
+```bash
+npm test
+```
+
+If tests fail, stop. Revert the version bump (`git checkout package.json package-lock.json`) and report to the operator.
+
+### 4. Publish
+
+```bash
+npm publish
+```
+
+If npm asks for an OTP and the bypass token is missing, fail clearly and tell the operator to set up a token first.
+
+### 5. Commit + tag + push
+
+```bash
+VERSION=$(node -p "require('./package.json').version")
+git add package.json package-lock.json
+git commit -m "chore: release v$VERSION"
+git tag "v$VERSION"
+git push
+git push origin "v$VERSION"
+```
+
+### 6. Verify
+
+```bash
+npm view <package-name> version
+```
+
+Expect the new version. If npm's CDN hasn't propagated yet, retry after 30s.
+
+## Report
+
+```
+Published <package-name>@<version>
+- npm:    https://www.npmjs.com/package/<package-name>
+- Tag:    v<version> pushed to origin
+- Verify: npm view <package-name> version
+```

package/templates/auth-clerk/env.example.additions

@@ -0,0 +1,10 @@
+# --- Clerk auth additions ---
+# Get keys at https://dashboard.clerk.com/apps (create an app, copy from API Keys)
+NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=
+CLERK_SECRET_KEY=
+
+# Optional: where Clerk redirects after sign-in / sign-up
+NEXT_PUBLIC_CLERK_SIGN_IN_URL=/sign-in
+NEXT_PUBLIC_CLERK_SIGN_UP_URL=/sign-up
+NEXT_PUBLIC_CLERK_AFTER_SIGN_IN_URL=/dashboard
+NEXT_PUBLIC_CLERK_AFTER_SIGN_UP_URL=/dashboard

package/templates/auth-clerk/layout.tsx

@@ -0,0 +1,25 @@
+import type { Metadata } from 'next';
+import { ClerkProvider } from '@clerk/nextjs';
+import './globals.css';
+
+export const metadata: Metadata = {
+  title: '{{DISPLAY_NAME}}',
+  description: '{{PROJECT_PURPOSE_ONE_SENTENCE}}',
+};
+
+// Build-safe: wrap with ClerkProvider only when the publishable key is set.
+// This lets `next build` succeed in CI / fresh scaffolds before the operator
+// has configured the env. In production the key is present and Clerk handles auth.
+const Wrapper = process.env.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
+  ? ClerkProvider
+  : ({ children }: { children: React.ReactNode }) => <>{children}</>;
+
+export default function RootLayout({ children }: { children: React.ReactNode }) {
+  return (
+    <Wrapper>
+      <html lang="en">
+        <body className="bg-white text-slate-900 antialiased">{children}</body>
+      </html>
+    </Wrapper>
+  );
+}

package/templates/auth-clerk/middleware.ts

@@ -0,0 +1,20 @@
+import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server';
+
+const isProtectedRoute = createRouteMatcher([
+  '/dashboard(.*)',
+  '/api/account(.*)',
+]);
+
+export default clerkMiddleware(async (auth, req) => {
+  if (isProtectedRoute(req)) {
+    await auth.protect();
+  }
+});
+
+export const config = {
+  matcher: [
+    // Run middleware on all non-static routes.
+    '/((?!_next/static|_next/image|favicon\\.ico).*)',
+    '/(api|trpc)(.*)',
+  ],
+};

package/templates/auth-clerk/package.json.additions

@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "@clerk/nextjs": "^6.0.0"
+  }
+}

package/templates/auth-clerk/sign-in-page.tsx

@@ -0,0 +1,9 @@
+import { SignIn } from '@clerk/nextjs';
+
+export default function SignInPage() {
+  return (
+    <main className="flex min-h-screen items-center justify-center p-6">
+      <SignIn />
+    </main>
+  );
+}

package/templates/auth-clerk/sign-up-page.tsx

@@ -0,0 +1,9 @@
+import { SignUp } from '@clerk/nextjs';
+
+export default function SignUpPage() {
+  return (
+    <main className="flex min-h-screen items-center justify-center p-6">
+      <SignUp />
+    </main>
+  );
+}

package/templates/auth-google/auth.ts

@@ -0,0 +1,12 @@
+import NextAuth from 'next-auth';
+import Google from 'next-auth/providers/google';
+
+export const { handlers, signIn, signOut, auth } = NextAuth({
+  providers: [
+    Google({
+      clientId: process.env.GOOGLE_CLIENT_ID || '',
+      clientSecret: process.env.GOOGLE_CLIENT_SECRET || '',
+    }),
+  ],
+  trustHost: true,
+});

package/templates/auth-google/env.example.additions

@@ -0,0 +1,9 @@
+# --- Google OAuth (NextAuth v5) additions ---
+# Create an OAuth 2.0 Client ID at:
+#   https://console.cloud.google.com/apis/credentials/oauthclient
+# Authorized redirect URI: <your-prod-url>/api/auth/callback/google
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+
+# NextAuth secret. Generate one with: openssl rand -base64 32
+AUTH_SECRET=

package/templates/auth-google/package.json.additions

@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "next-auth": "^5.0.0-beta.20"
+  }
+}

package/templates/auth-google/route.ts

@@ -0,0 +1,2 @@
+import { handlers } from '@/auth';
+export const { GET, POST } = handlers;

package/templates/auth-google/sign-in-page.tsx

@@ -0,0 +1,32 @@
+import { signIn } from '@/auth';
+
+export default function SignInPage() {
+  return (
+    <main className="flex min-h-screen items-center justify-center p-6">
+      <div className="w-full max-w-sm rounded-lg border border-slate-200 bg-white p-8">
+        <h1 className="text-2xl font-semibold tracking-tight">Sign in</h1>
+        <p className="mt-2 text-sm text-slate-600">Continue to {`{{DISPLAY_NAME}}`}.</p>
+        <form
+          action={async () => {
+            'use server';
+            await signIn('google', { redirectTo: '/dashboard' });
+          }}
+          className="mt-8"
+        >
+          <button
+            type="submit"
+            className="flex w-full items-center justify-center gap-2 rounded-md border border-slate-300 bg-white px-4 py-2 font-medium text-slate-900 hover:bg-slate-50"
+          >
+            <svg className="h-5 w-5" viewBox="0 0 24 24" aria-hidden="true">
+              <path d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09Z" fill="#4285F4"/>
+              <path d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.99.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84A11 11 0 0 0 12 23Z" fill="#34A853"/>
+              <path d="M5.84 14.1A6.6 6.6 0 0 1 5.5 12c0-.73.13-1.43.34-2.1V7.07H2.18A11 11 0 0 0 1 12c0 1.77.42 3.45 1.18 4.93l3.66-2.83Z" fill="#FBBC05"/>
+              <path d="M12 5.38c1.62 0 3.06.56 4.21 1.65l3.15-3.15C17.45 2.09 14.97 1 12 1A11 11 0 0 0 2.18 7.07l3.66 2.83C6.71 7.3 9.14 5.38 12 5.38Z" fill="#EA4335"/>
+            </svg>
+            Sign in with Google
+          </button>
+        </form>
+      </div>
+    </main>
+  );
+}

package/templates/auth-google/sign-up-page.tsx

@@ -0,0 +1,32 @@
+import { signIn } from '@/auth';
+
+export default function SignUpPage() {
+  return (
+    <main className="flex min-h-screen items-center justify-center p-6">
+      <div className="w-full max-w-sm rounded-lg border border-slate-200 bg-white p-8">
+        <h1 className="text-2xl font-semibold tracking-tight">Create account</h1>
+        <p className="mt-2 text-sm text-slate-600">Sign up with Google to get started.</p>
+        <form
+          action={async () => {
+            'use server';
+            await signIn('google', { redirectTo: '/dashboard' });
+          }}
+          className="mt-8"
+        >
+          <button
+            type="submit"
+            className="flex w-full items-center justify-center gap-2 rounded-md border border-slate-300 bg-white px-4 py-2 font-medium text-slate-900 hover:bg-slate-50"
+          >
+            <svg className="h-5 w-5" viewBox="0 0 24 24" aria-hidden="true">
+              <path d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09Z" fill="#4285F4"/>
+              <path d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.99.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84A11 11 0 0 0 12 23Z" fill="#34A853"/>
+              <path d="M5.84 14.1A6.6 6.6 0 0 1 5.5 12c0-.73.13-1.43.34-2.1V7.07H2.18A11 11 0 0 0 1 12c0 1.77.42 3.45 1.18 4.93l3.66-2.83Z" fill="#FBBC05"/>
+              <path d="M12 5.38c1.62 0 3.06.56 4.21 1.65l3.15-3.15C17.45 2.09 14.97 1 12 1A11 11 0 0 0 2.18 7.07l3.66 2.83C6.71 7.3 9.14 5.38 12 5.38Z" fill="#EA4335"/>
+            </svg>
+            Continue with Google
+          </button>
+        </form>
+      </div>
+    </main>
+  );
+}

package/templates/private/middleware.ts

@@ -3,7 +3,14 @@ import type { NextRequest } from 'next/server';
 import { rateLimit } from '@/lib/rate-limit';
 import { audit } from '@/lib/audit';
 
-const SESSION_COOKIE_NAMES = ['better-auth.session_token', 'authjs.session-token', 'session_token'];
+const SESSION_COOKIE_NAMES = [
+  '__session',                       // Clerk
+  '__clerk_db_jwt',                  // Clerk db cookie
+  'authjs.session-token',            // NextAuth v5
+  '__Secure-authjs.session-token',   // NextAuth v5 secure
+  'better-auth.session_token',       // Better Auth
+  'session_token',                   // Generic fallback
+];
 
 function getIp(req: NextRequest): string {
   const xff = req.headers.get('x-forwarded-for');

package/templates/private/package.json.additions

@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "@vercel/blob": "^0.27.0"
+  }
+}