@objectifthunes/create-sandstone 1.0.0 → 1.1.1

package/dist/templates/graphql-helpers.js

@@ -0,0 +1,142 @@
+export function graphqlHelpersTemplate() {
+    return `import { UnauthorizedError, NotFoundError } from '@objectifthunes/sandstone-sdk';
+import type { GraphQLContext } from '@objectifthunes/sandstone-sdk';
+import { app as sandstoneApp } from '../infrastructure.js';
+
+// ── 1. Auth guard (implemented) ──────────────────────────────────────────────
+export function requireAuth(ctx: GraphQLContext) {
+  if (!ctx.user) throw new UnauthorizedError('Authentication required');
+  return ctx.user;
+}
+
+// ── 2. Ownership check pattern ───────────────────────────────────────────────
+// Checks authz adapter first, then falls back to manual user_id comparison.
+//
+// export async function getOwnedEntity(ctx: GraphQLContext, userId: string, entityId: string) {
+//   const entity = await entityRepo.findById(ctx.db, entityId);
+//   if (!entity) throw new NotFoundError('Entity', entityId);
+//   if (sandstoneApp.authz) {
+//     const allowed = await sandstoneApp.authz.can(userId, 'read', 'entity', entityId);
+//     if (allowed) return entity;
+//   }
+//   if (entity.user_id !== userId) throw new NotFoundError('Entity', entityId);
+//   return entity;
+// }
+
+// ── 3. Cache read-through pattern ────────────────────────────────────────────
+// Reads from cache first, falls back to DB, then populates cache with TTL.
+// Always invalidate on mutation.
+//
+// export async function getCachedEntities(userId: string, page: number, perPage: number) {
+//   const cacheKey = \`entities:\${userId}:\${page}:\${perPage}\`;
+//   if (sandstoneApp.cache) {
+//     const cached = await sandstoneApp.cache.get(cacheKey);
+//     if (cached) return cached;
+//   }
+//   const result = await entityRepo.paginate(sandstoneApp.db, {
+//     where: { user_id: userId },
+//     page,
+//     perPage,
+//   });
+//   if (sandstoneApp.cache) {
+//     await sandstoneApp.cache.set(cacheKey, result, 60); // 60s TTL
+//   }
+//   return result;
+// }
+//
+// export async function invalidateEntityCache(userId: string) {
+//   if (sandstoneApp.cache) {
+//     await sandstoneApp.cache.delete(\`entities:\${userId}:*\`);
+//   }
+// }
+
+// ── 4. Search indexing pattern ───────────────────────────────────────────────
+// Index documents on create/update, remove on delete.
+//
+// export async function indexEntityInSearch(entity: { id: string; name: string; status: string; user_id: string }) {
+//   if (sandstoneApp.search) {
+//     await sandstoneApp.search.index('entity_idx', [{
+//       id: entity.id,
+//       document: {
+//         name: entity.name,
+//         status: entity.status,
+//         user_id: entity.user_id,
+//       },
+//     }]);
+//   }
+// }
+//
+// export async function removeEntityFromSearch(entityId: string) {
+//   if (sandstoneApp.search) {
+//     await sandstoneApp.search.delete('entity_idx', [entityId]);
+//   }
+// }
+
+// ── 5. Queue enqueue pattern ─────────────────────────────────────────────────
+// Offload heavy work to background workers.
+//
+// export async function enqueueEntityJob(entityId: string, action: string) {
+//   if (sandstoneApp.queue) {
+//     await sandstoneApp.queue.enqueue('entity-jobs', { entityId, action }, {
+//       maxAttempts: 3,
+//       backoff: 'exponential',
+//       backoffDelayMs: 1000,
+//     });
+//   }
+// }
+
+// ── 6. Audit logging pattern ─────────────────────────────────────────────────
+// Log every mutation for compliance and debugging.
+//
+// export async function auditLog(actor: string, action: string, resource: string, resourceId: string) {
+//   if (sandstoneApp.audit) {
+//     await sandstoneApp.audit.log({
+//       actor,
+//       action,
+//       resource,
+//       resourceId,
+//     });
+//   }
+// }
+
+// ── 7. Tracing pattern ──────────────────────────────────────────────────────
+// Wrap business operations in spans for observability.
+//
+// export async function withTrace<T>(name: string, fn: () => Promise<T>): Promise<T> {
+//   return sandstoneApp.tracer.withSpan(name, async (span) => {
+//     try {
+//       const result = await fn();
+//       span.setStatus('ok');
+//       return result;
+//     } catch (err) {
+//       span.setStatus('error', err instanceof Error ? err.message : 'unknown');
+//       throw err;
+//     }
+//   });
+// }
+
+// ── 8. Feature flag pattern ─────────────────────────────────────────────────
+// Branch logic based on feature flags with user-level targeting.
+//
+// export async function isFeatureEnabled(flag: string, userId?: string): Promise<boolean> {
+//   if (!sandstoneApp.flags) return false;
+//   return sandstoneApp.flags.isEnabled(flag, userId ? { userId } : undefined);
+// }
+//
+// Usage in a resolver:
+// const useNewFlow = await isFeatureEnabled('new_checkout_flow', user.sub);
+// if (useNewFlow) {
+//   return handleNewCheckoutFlow(args);
+// }
+// return handleLegacyCheckoutFlow(args);
+
+// === Money Arithmetic (avoids float imprecision with NUMERIC columns) ===
+// export function toCents(v: string | number): number { return Math.round(Number(v) * 100); }
+// export function fromCents(c: number): string { return (c / 100).toFixed(2); }
+// export function addMoney(a: string | number, b: string | number): string {
+//   return fromCents(toCents(a) + toCents(b));
+// }
+// export function isZero(v: string | number): boolean { return toCents(v) === 0; }
+`;
+}
+//# sourceMappingURL=graphql-helpers.js.map

package/dist/templates/graphql-helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"graphql-helpers.js","sourceRoot":"","sources":["../../src/templates/graphql-helpers.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,sBAAsB;IACpC,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA0IR,CAAC;AACF,CAAC"}

package/dist/templates/graphql-inputs.d.ts

@@ -0,0 +1,2 @@
+export declare function graphqlInputsTemplate(): string;
+//# sourceMappingURL=graphql-inputs.d.ts.map

package/dist/templates/graphql-inputs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graphql-inputs.d.ts","sourceRoot":"","sources":["../../src/templates/graphql-inputs.ts"],"names":[],"mappings":"AAAA,wBAAgB,qBAAqB,IAAI,MAAM,CA0B9C"}

package/dist/templates/graphql-inputs.js

@@ -0,0 +1,28 @@
+export function graphqlInputsTemplate() {
+    return `// Add your GraphQL input types here.
+// Each input type maps to a mutation's args for structured input.
+//
+// Example:
+// import { GraphQLInputObjectType, GraphQLString, GraphQLNonNull, GraphQLFloat } from '@objectifthunes/sandstone-sdk';
+//
+// export const CreateInvoiceInput = new GraphQLInputObjectType({
+//   name: 'CreateInvoiceInput',
+//   fields: () => ({
+//     clientId: { type: new GraphQLNonNull(GraphQLString) },
+//     description: { type: new GraphQLNonNull(GraphQLString) },
+//     amount: { type: new GraphQLNonNull(GraphQLFloat) },
+//     currency: { type: GraphQLString, defaultValue: 'EUR' },
+//   }),
+// });
+//
+// export const UpdateInvoiceInput = new GraphQLInputObjectType({
+//   name: 'UpdateInvoiceInput',
+//   fields: () => ({
+//     description: { type: GraphQLString },
+//     amount: { type: GraphQLFloat },
+//     status: { type: GraphQLString },
+//   }),
+// });
+`;
+}
+//# sourceMappingURL=graphql-inputs.js.map

package/dist/templates/graphql-inputs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"graphql-inputs.js","sourceRoot":"","sources":["../../src/templates/graphql-inputs.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,qBAAqB;IACnC,OAAO;;;;;;;;;;;;;;;;;;;;;;;;CAwBR,CAAC;AACF,CAAC"}

package/dist/templates/graphql-schema.d.ts

@@ -0,0 +1,3 @@
+import type { ProjectConfig } from '../presets.js';
+export declare function graphqlSchemaTemplate(_config: ProjectConfig): string;
+//# sourceMappingURL=graphql-schema.d.ts.map

package/dist/templates/graphql-schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graphql-schema.d.ts","sourceRoot":"","sources":["../../src/templates/graphql-schema.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAEnD,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,aAAa,GAAG,MAAM,CA+BpE"}

package/dist/templates/graphql-schema.js

@@ -0,0 +1,33 @@
+export function graphqlSchemaTemplate(_config) {
+    return `import { buildSchema, GraphQLObjectType } from '@objectifthunes/sandstone-sdk';
+import { authQueries, authMutations } from './auth.js';
+
+// Import your domain modules here:
+// import { clientQueries, clientMutations } from './clients.js';
+// import { invoiceQueries, invoiceMutations } from './invoices.js';
+
+const QueryType = new GraphQLObjectType({
+  name: 'Query',
+  fields: () => ({
+    ...authQueries,
+    // ...clientQueries,
+    // ...invoiceQueries,
+  }),
+});
+
+const MutationType = new GraphQLObjectType({
+  name: 'Mutation',
+  fields: () => ({
+    ...authMutations,
+    // ...clientMutations,
+    // ...invoiceMutations,
+  }),
+});
+
+export const schema = buildSchema({
+  query: QueryType,
+  mutation: MutationType,
+});
+`;
+}
+//# sourceMappingURL=graphql-schema.js.map

package/dist/templates/graphql-schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"graphql-schema.js","sourceRoot":"","sources":["../../src/templates/graphql-schema.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,qBAAqB,CAAC,OAAsB;IAC1D,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6BR,CAAC;AACF,CAAC"}

package/dist/templates/graphql-types.d.ts

@@ -0,0 +1,3 @@
+import type { ProjectConfig } from '../presets.js';
+export declare function graphqlTypesTemplate(config: ProjectConfig): string;
+//# sourceMappingURL=graphql-types.d.ts.map

package/dist/templates/graphql-types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graphql-types.d.ts","sourceRoot":"","sources":["../../src/templates/graphql-types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAEnD,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CAkElE"}

package/dist/templates/graphql-types.js

@@ -0,0 +1,61 @@
+export function graphqlTypesTemplate(config) {
+    const parts = [];
+    // ── Imports ──────────────────────────────────────────────────────────────
+    const graphqlImports = [
+        'GraphQLObjectType',
+        'GraphQLString',
+        'GraphQLNonNull',
+        'GraphQLBoolean',
+        'GraphQLInt',
+        'GraphQLList',
+        'GraphQLID',
+    ];
+    parts.push(`import {
+  ${graphqlImports.join(',\n  ')},
+} from '@objectifthunes/sandstone-sdk';`);
+    parts.push('');
+    // ── AuthResultType ───────────────────────────────────────────────────────
+    parts.push(`export const AuthResultType = new GraphQLObjectType({
+  name: 'AuthResult',
+  fields: () => ({
+    accessToken: { type: new GraphQLNonNull(GraphQLString) },
+    refreshToken: { type: new GraphQLNonNull(GraphQLString) },
+    isNewUser: { type: new GraphQLNonNull(GraphQLBoolean) },
+  }),
+});`);
+    parts.push('');
+    // ── MeType ───────────────────────────────────────────────────────────────
+    parts.push(`export const MeType = new GraphQLObjectType({
+  name: 'Me',
+  fields: () => ({
+    id: { type: new GraphQLNonNull(GraphQLID) },
+    email: { type: new GraphQLNonNull(GraphQLString) },
+    roles: { type: new GraphQLNonNull(new GraphQLList(new GraphQLNonNull(GraphQLString))) },
+  }),
+});`);
+    parts.push('');
+    // ── PaginationInfoType ───────────────────────────────────────────────────
+    parts.push(`export const PaginationInfoType = new GraphQLObjectType({
+  name: 'PaginationInfo',
+  fields: () => ({
+    page: { type: new GraphQLNonNull(GraphQLInt) },
+    perPage: { type: new GraphQLNonNull(GraphQLInt) },
+    total: { type: new GraphQLNonNull(GraphQLInt) },
+    totalPages: { type: new GraphQLNonNull(GraphQLInt) },
+  }),
+});`);
+    // ── UploadUrlResultType (conditional on storage) ─────────────────────────
+    if (config.storage) {
+        parts.push('');
+        parts.push(`export const UploadUrlResultType = new GraphQLObjectType({
+  name: 'UploadUrlResult',
+  fields: () => ({
+    url: { type: new GraphQLNonNull(GraphQLString) },
+    key: { type: new GraphQLNonNull(GraphQLString) },
+  }),
+});`);
+    }
+    parts.push('');
+    return parts.join('\n');
+}
+//# sourceMappingURL=graphql-types.js.map

package/dist/templates/graphql-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"graphql-types.js","sourceRoot":"","sources":["../../src/templates/graphql-types.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,oBAAoB,CAAC,MAAqB;IACxD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,4EAA4E;IAC5E,MAAM,cAAc,GAAG;QACrB,mBAAmB;QACnB,eAAe;QACf,gBAAgB;QAChB,gBAAgB;QAChB,YAAY;QACZ,aAAa;QACb,WAAW;KACZ,CAAC;IAEF,KAAK,CAAC,IAAI,CAAC;IACT,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC;wCACQ,CAAC,CAAC;IACxC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,4EAA4E;IAC5E,KAAK,CAAC,IAAI,CAAC;;;;;;;IAOT,CAAC,CAAC;IACJ,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,4EAA4E;IAC5E,KAAK,CAAC,IAAI,CAAC;;;;;;;IAOT,CAAC,CAAC;IACJ,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,4EAA4E;IAC5E,KAAK,CAAC,IAAI,CAAC;;;;;;;;IAQT,CAAC,CAAC;IAEJ,4EAA4E;IAC5E,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC;;;;;;IAMX,CAAC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/templates/graphql-validation.d.ts

@@ -0,0 +1,3 @@
+import type { ProjectConfig } from '../presets.js';
+export declare function graphqlValidationTemplate(config: ProjectConfig): string;
+//# sourceMappingURL=graphql-validation.d.ts.map

package/dist/templates/graphql-validation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graphql-validation.d.ts","sourceRoot":"","sources":["../../src/templates/graphql-validation.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAEnD,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CAwCvE"}

package/dist/templates/graphql-validation.js

@@ -0,0 +1,37 @@
+export function graphqlValidationTemplate(config) {
+    const hasPassword = config.auth === 'password+otp' || config.auth === 'all';
+    const parts = [];
+    parts.push(`import { z } from '@objectifthunes/sandstone-sdk';`);
+    parts.push('');
+    // ── RegisterSchema (conditional on password auth) ────────────────────────
+    if (hasPassword) {
+        parts.push(`export const RegisterSchema = z.object({
+  email: z.string().email('Invalid email address'),
+  password: z
+    .string()
+    .min(8, 'Password must be at least 8 characters')
+    .regex(/[A-Z]/, 'Password must contain at least one uppercase letter')
+    .regex(/[0-9]/, 'Password must contain at least one number'),
+});`);
+        parts.push('');
+    }
+    // ── Example validation schema (always included as commented reference) ──
+    parts.push(`// Add your validation schemas here. Use with validate(schema, data) in resolvers.
+// Every mutation should validate input before any DB operation.
+//
+// Example:
+// export const CreateEntitySchema = z.object({
+//   name: z.string().min(1, 'Name is required').max(200, 'Name too long'),
+//   email: z.string().email('Invalid email'),
+//   description: z.string().max(2000).optional(),
+//   quantity: z.number().int().min(1, 'Must be at least 1').max(10000),
+//   price: z.number().min(0, 'Price cannot be negative').max(999999.99),
+//   taxRate: z.number().min(0).max(100).optional(),
+//   status: z.enum(['draft', 'active', 'archived']).default('draft'),
+//   tags: z.array(z.string().max(50)).max(20).optional(),
+//   notes: z.string().max(5000).nullable().optional(),
+// });`);
+    parts.push('');
+    return parts.join('\n');
+}
+//# sourceMappingURL=graphql-validation.js.map

package/dist/templates/graphql-validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"graphql-validation.js","sourceRoot":"","sources":["../../src/templates/graphql-validation.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,yBAAyB,CAAC,MAAqB;IAC7D,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,KAAK,cAAc,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK,CAAC;IAE5E,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;IACjE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,4EAA4E;IAC5E,IAAI,WAAW,EAAE,CAAC;QAChB,KAAK,CAAC,IAAI,CAAC;;;;;;;IAOX,CAAC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,2EAA2E;IAC3E,KAAK,CAAC,IAAI,CAAC;;;;;;;;;;;;;;OAcN,CAAC,CAAC;IACP,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/templates/health-e2e-test.d.ts

@@ -0,0 +1,3 @@
+import type { ProjectConfig } from '../presets.js';
+export declare function healthE2eTestTemplate(_config: ProjectConfig): string;
+//# sourceMappingURL=health-e2e-test.d.ts.map

package/dist/templates/health-e2e-test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"health-e2e-test.d.ts","sourceRoot":"","sources":["../../src/templates/health-e2e-test.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAEnD,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,aAAa,GAAG,MAAM,CAgDpE"}

package/dist/templates/health-e2e-test.js

@@ -0,0 +1,50 @@
+export function healthE2eTestTemplate(_config) {
+    return `import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import type { Server } from 'node:http';
+
+let baseUrl: string;
+let server: Server;
+
+describe('Health Check E2E', () => {
+  beforeAll(async () => {
+    const { app } = await import('../../src/infrastructure.js');
+    const { runMigrations } = await import('@objectifthunes/sandstone-sdk');
+
+    const migrationDir = new URL('../../migrations', import.meta.url).pathname;
+    await runMigrations(app.db, { includeBuiltIn: true, directory: migrationDir });
+
+    // Dynamic import of main module to start server
+    // Adjust this based on your framework
+    const express = await import('express');
+    const { toExpressHandler } = await import('@objectifthunes/sandstone-sdk/adapters');
+
+    const srv = express.default();
+    srv.use(express.default.json());
+    srv.get('/health', toExpressHandler(app.healthHandler));
+
+    await new Promise<void>((resolve) => {
+      server = srv.listen(0, () => {
+        const addr = server.address();
+        const port = typeof addr === 'object' && addr ? addr.port : 3099;
+        baseUrl = \`http://localhost:\${port}\`;
+        resolve();
+      });
+    });
+  }, 30_000);
+
+  afterAll(async () => {
+    server?.close();
+    const { app } = await import('../../src/infrastructure.js');
+    await app.shutdown();
+  }, 10_000);
+
+  it('health check returns healthy', async () => {
+    const res = await fetch(\`\${baseUrl}/health\`);
+    const body = await res.json();
+    expect(res.status).toBe(200);
+    expect(body.status).toBe('healthy');
+  });
+});
+`;
+}
+//# sourceMappingURL=health-e2e-test.js.map

package/dist/templates/health-e2e-test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"health-e2e-test.js","sourceRoot":"","sources":["../../src/templates/health-e2e-test.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,qBAAqB,CAAC,OAAsB;IAC1D,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA8CR,CAAC;AACF,CAAC"}

package/dist/templates/infrastructure.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"infrastructure.d.ts","sourceRoot":"","sources":["../../src/templates/infrastructure.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAEnD,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CA2mBpE"}
+{"version":3,"file":"infrastructure.d.ts","sourceRoot":"","sources":["../../src/templates/infrastructure.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAEnD,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CAioBpE"}

package/dist/templates/infrastructure.js

@@ -7,6 +7,32 @@ export function infrastructureTemplate(config) {
     const isSocketIo = config.realtime === 'socketio';
     // Core imports always needed
     imports.push(`import { createApp } from '@objectifthunes/sandstone-sdk'`);
+    // ── Env validation (production only) ──────────────────────────────────────
+    if (!devMode) {
+        const requiredVars = ['DATABASE_URL', 'JWT_SECRET'];
+        if (config.email === 'resend')
+            requiredVars.push('RESEND_API_KEY');
+        if (config.sms === 'twilio')
+            requiredVars.push('TWILIO_ACCOUNT_SID', 'TWILIO_AUTH_TOKEN', 'TWILIO_FROM_NUMBER');
+        if (config.payments === 'stripe')
+            requiredVars.push('STRIPE_SECRET_KEY', 'STRIPE_WEBHOOK_SECRET');
+        if (config.payments === 'revenuecat')
+            requiredVars.push('REVENUECAT_API_KEY', 'REVENUECAT_WEBHOOK_SECRET');
+        if (config.payments === 'paddle')
+            requiredVars.push('PADDLE_API_KEY', 'PADDLE_WEBHOOK_SECRET');
+        if (config.payments === 'lemonsqueezy')
+            requiredVars.push('LEMONSQUEEZY_API_KEY', 'LEMONSQUEEZY_WEBHOOK_SECRET');
+        if (config.cache === 'upstash')
+            requiredVars.push('UPSTASH_REDIS_URL', 'UPSTASH_REDIS_TOKEN');
+        if (config.cache === 'redis')
+            requiredVars.push('REDIS_URL');
+        if (config.queue === 'bullmq')
+            requiredVars.push('REDIS_URL');
+        const envCheckLines = requiredVars.map((v) => `'${v}'`).join(', ');
+        inits.push(`const _requiredEnv = [${envCheckLines}]`);
+        inits.push(`const _missingEnv = _requiredEnv.filter((k) => !process.env[k])`);
+        inits.push(`if (_missingEnv.length > 0) throw new Error(\`Missing required env vars: \${_missingEnv.join(', ')}\`)`);
+    }
     // ── Database ──────────────────────────────────────────────────────────────
     if (devMode) {
         if (config.database === 'supabase') {
@@ -24,7 +50,12 @@ export function infrastructureTemplate(config) {
     }
     else {
         imports.push(`import { createPgClient } from '@objectifthunes/sandstone-sdk/pg'`);
-        inits.push(`const db = createPgClient({ connectionString: process.env.DATABASE_URL! })`);
+        inits.push(`const db = createPgClient({
+  connectionString: process.env.DATABASE_URL!,
+  max: 20,
+  idleTimeoutMillis: 30_000,
+  connectionTimeoutMillis: 5_000,
+})`);
     }
     appOptions.push('db');
     // ── Logger ────────────────────────────────────────────────────────────────
@@ -103,7 +134,6 @@ export function infrastructureTemplate(config) {
                 envVars: `{
   clientId: process.env.GOOGLE_CLIENT_ID!,
   clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
-  redirectUri: process.env.GOOGLE_REDIRECT_URI!,
 }`,
             },
             github: {
@@ -112,7 +142,6 @@ export function infrastructureTemplate(config) {
                 envVars: `{
   clientId: process.env.GITHUB_CLIENT_ID!,
   clientSecret: process.env.GITHUB_CLIENT_SECRET!,
-  redirectUri: process.env.GITHUB_REDIRECT_URI!,
 }`,
             },
             apple: {
@@ -120,7 +149,6 @@ export function infrastructureTemplate(config) {
                 subpath: 'oauth-apple',
                 envVars: `{
   clientId: process.env.APPLE_CLIENT_ID!,
-  clientSecret: process.env.APPLE_CLIENT_SECRET!,
   teamId: process.env.APPLE_TEAM_ID!,
   keyId: process.env.APPLE_KEY_ID!,
   privateKey: process.env.APPLE_PRIVATE_KEY!,
@@ -132,7 +160,6 @@ export function infrastructureTemplate(config) {
                 envVars: `{
   clientId: process.env.DISCORD_CLIENT_ID!,
   clientSecret: process.env.DISCORD_CLIENT_SECRET!,
-  redirectUri: process.env.DISCORD_REDIRECT_URI!,
 }`,
             },
         };
@@ -162,7 +189,7 @@ export function infrastructureTemplate(config) {
             inits.push(`const sms = createTwilioSms({
   accountSid: process.env.TWILIO_ACCOUNT_SID!,
   authToken: process.env.TWILIO_AUTH_TOKEN!,
-  from: process.env.TWILIO_FROM_NUMBER!,
+  defaultFrom: process.env.TWILIO_FROM_NUMBER!,
 })`);
         }
         appOptions.push('sms');
@@ -317,7 +344,10 @@ export function infrastructureTemplate(config) {
         else {
             imports.push(`import { createBullMQQueue } from '@objectifthunes/sandstone-sdk/bullmq'`);
             inits.push(`const queue = createBullMQQueue({
-  connection: process.env.REDIS_URL!,
+  connection: {
+    host: new URL(process.env.REDIS_URL!).hostname,
+    port: Number(new URL(process.env.REDIS_URL!).port || 6379),
+  },
 })`);
         }
         appOptions.push('queue');
@@ -397,7 +427,7 @@ export function infrastructureTemplate(config) {
             imports.push(`import { createPgAuthz } from '@objectifthunes/sandstone-sdk/pg-authz'`);
             inits.push(`const authz = createPgAuthz({ db })`);
         }
-        appOptions.push('authz');
+        appOptions.push('authorization: authz');
     }
     else if (config.authz === 'casbin') {
         if (devMode) {
@@ -411,7 +441,7 @@ export function infrastructureTemplate(config) {
   policyPath: './casbin/policy.csv',
 })`);
         }
-        appOptions.push('authz');
+        appOptions.push('authorization: authz');
     }
     // ── Payments ──────────────────────────────────────────────────────────────
     if (config.payments === 'stripe') {
@@ -482,10 +512,8 @@ export function infrastructureTemplate(config) {
             inits.push(`const storage = createS3Storage({
   bucket: process.env.S3_BUCKET!,
   region: process.env.S3_REGION!,
-  credentials: {
-    accessKeyId: process.env.S3_ACCESS_KEY_ID!,
-    secretAccessKey: process.env.S3_SECRET_ACCESS_KEY!,
-  },
+  accessKeyId: process.env.S3_ACCESS_KEY_ID!,
+  secretAccessKey: process.env.S3_SECRET_ACCESS_KEY!,
 })`);
         }
     }
@@ -554,7 +582,7 @@ export function infrastructureTemplate(config) {
     }
     // ── GraphQL ───────────────────────────────────────────────────────────────
     if (config.graphql) {
-        imports.push(`import { schema } from './schema.js'`);
+        imports.push(`import { schema } from './graphql/schema.js'`);
         appOptions.push(`graphql: { schema }`);
     }
     // ── Dashboard ─────────────────────────────────────────────────────────────