@ramonclaudio/create-vexpo 0.1.0

package/dist/templates/default/__tests__/convex/constants.test.ts

@@ -0,0 +1,49 @@
+import { describe, expect, test } from "vitest";
+
+import {
+  RESERVED_USERNAMES,
+  USERNAME_MAX_LENGTH,
+  USERNAME_MIN_LENGTH,
+  isReservedUsername,
+  isValidUsernameFormat,
+} from "@/convex/constants";
+
+describe("isValidUsernameFormat", () => {
+  test("accepts alphanumerics, dots, underscores", () => {
+    expect(isValidUsernameFormat("ray")).toBe(true);
+    expect(isValidUsernameFormat("ray_claudio")).toBe(true);
+    expect(isValidUsernameFormat("ray.claudio")).toBe(true);
+    expect(isValidUsernameFormat("Ray123")).toBe(true);
+  });
+
+  test("rejects strings shorter than the min length", () => {
+    expect(USERNAME_MIN_LENGTH).toBe(3);
+    expect(isValidUsernameFormat("ab")).toBe(false);
+  });
+
+  test("rejects strings longer than the max length", () => {
+    expect(USERNAME_MAX_LENGTH).toBe(30);
+    expect(isValidUsernameFormat("a".repeat(31))).toBe(false);
+  });
+
+  test("rejects characters outside the allowed set", () => {
+    expect(isValidUsernameFormat("ray-claudio")).toBe(false);
+    expect(isValidUsernameFormat("ray claudio")).toBe(false);
+    expect(isValidUsernameFormat("ray@claudio")).toBe(false);
+    expect(isValidUsernameFormat("rayé")).toBe(false);
+  });
+});
+
+describe("isReservedUsername", () => {
+  test("matches every name on the reserved list, case-insensitive", () => {
+    for (const name of RESERVED_USERNAMES) {
+      expect(isReservedUsername(name)).toBe(true);
+      expect(isReservedUsername(name.toUpperCase())).toBe(true);
+    }
+  });
+
+  test("does not match a normal username", () => {
+    expect(isReservedUsername("ray")).toBe(false);
+    expect(isReservedUsername("ramon")).toBe(false);
+  });
+});

package/dist/templates/default/__tests__/convex/validators.test.ts

@@ -0,0 +1,23 @@
+import { describe, expect, test } from "vitest";
+
+import { validateBio } from "@/convex/validators";
+
+describe("validateBio", () => {
+  test("accepts empty string", () => {
+    expect(validateBio("")).toEqual({ valid: true });
+  });
+
+  test("accepts a normal bio", () => {
+    expect(validateBio("Building things on the internet.")).toEqual({ valid: true });
+  });
+
+  test("accepts exactly 500 characters", () => {
+    expect(validateBio("a".repeat(500))).toEqual({ valid: true });
+  });
+
+  test("rejects bios over 500 characters", () => {
+    const result = validateBio("a".repeat(501));
+    expect(result.valid).toBe(false);
+    expect(result.error).toMatch(/500 characters or less/);
+  });
+});

package/dist/templates/default/__tests__/convex/webhook.test.ts

@@ -0,0 +1,343 @@
+import { afterEach, beforeEach, describe, expect, test } from "vitest";
+
+import { withWebhook } from "@/convex/webhook";
+
+// Stub Convex action context. The webhook factory doesn't use it (the inner
+// handler does, if it needs to call queries/mutations), so an empty object
+// satisfies the type for these unit tests. Cast through `unknown` rather than
+// importing the Convex generic action type, which would bloat the test deps.
+const ctx = {} as unknown as Parameters<ReturnType<typeof withWebhook>>[0];
+
+async function sign(algorithm: "sha1" | "sha256", secret: string, body: string): Promise<string> {
+  const enc = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    "raw",
+    enc.encode(secret),
+    { name: "HMAC", hash: algorithm === "sha1" ? "SHA-1" : "SHA-256" },
+    false,
+    ["sign"],
+  );
+  const sig = await crypto.subtle.sign("HMAC", key, enc.encode(body));
+  return [...new Uint8Array(sig)].map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+function makeRequest(opts: {
+  body: string;
+  signatureHeader: string;
+  signatureValue?: string;
+  timestampHeader?: string;
+  timestampValue?: string;
+  contentLength?: number;
+}): Request {
+  const headers: Record<string, string> = {
+    "Content-Type": "application/json",
+  };
+  if (opts.signatureValue) headers[opts.signatureHeader] = opts.signatureValue;
+  if (opts.timestampHeader && opts.timestampValue)
+    headers[opts.timestampHeader] = opts.timestampValue;
+  if (opts.contentLength !== undefined) headers["Content-Length"] = String(opts.contentLength);
+  return new Request("https://example.convex.site/webhook", {
+    method: "POST",
+    headers,
+    body: opts.body,
+  });
+}
+
+describe("withWebhook (HMAC signature verification)", () => {
+  const SECRET = "test-secret-do-not-rotate";
+
+  beforeEach(() => {
+    process.env.TEST_WEBHOOK_SECRET = SECRET;
+  });
+
+  afterEach(() => {
+    delete process.env.TEST_WEBHOOK_SECRET;
+  });
+
+  test("503 when secret env var is unset", async () => {
+    delete process.env.TEST_WEBHOOK_SECRET;
+    const handler = withWebhook(
+      {
+        source: "test",
+        signatureHeader: "x-signature",
+        secretEnv: "TEST_WEBHOOK_SECRET",
+        algorithm: "sha256",
+      },
+      () => new Response("ok"),
+    );
+    const res = await handler(ctx, makeRequest({ body: "{}", signatureHeader: "x-signature" }));
+    expect(res.status).toBe(503);
+    expect(res.headers.get("X-Request-Id")).toBeTruthy();
+  });
+
+  test("401 when signature header is missing", async () => {
+    const handler = withWebhook(
+      {
+        source: "test",
+        signatureHeader: "x-signature",
+        secretEnv: "TEST_WEBHOOK_SECRET",
+        algorithm: "sha256",
+      },
+      () => new Response("ok"),
+    );
+    const res = await handler(ctx, makeRequest({ body: "{}", signatureHeader: "x-signature" }));
+    expect(res.status).toBe(401);
+    const text = await res.text();
+    expect(text).toContain("missing x-signature");
+  });
+
+  test("401 when signature does not match", async () => {
+    const handler = withWebhook(
+      {
+        source: "test",
+        signatureHeader: "x-signature",
+        secretEnv: "TEST_WEBHOOK_SECRET",
+        algorithm: "sha256",
+      },
+      () => new Response("ok"),
+    );
+    const res = await handler(
+      ctx,
+      makeRequest({
+        body: "{}",
+        signatureHeader: "x-signature",
+        signatureValue: "deadbeef",
+      }),
+    );
+    expect(res.status).toBe(401);
+    const text = await res.text();
+    expect(text).toContain("signature mismatch");
+  });
+
+  test("200 when signature matches (SHA-256)", async () => {
+    const body = JSON.stringify({ event: "test.ping" });
+    const signature = await sign("sha256", SECRET, body);
+    let handlerCalled = false;
+    const handler = withWebhook<{ event: string }>(
+      {
+        source: "test",
+        signatureHeader: "x-signature",
+        secretEnv: "TEST_WEBHOOK_SECRET",
+        algorithm: "sha256",
+      },
+      (_ctx, payload) => {
+        handlerCalled = true;
+        return new Response(JSON.stringify({ ok: true, received: payload.event }), { status: 200 });
+      },
+    );
+    const res = await handler(
+      ctx,
+      makeRequest({
+        body,
+        signatureHeader: "x-signature",
+        signatureValue: signature,
+      }),
+    );
+    expect(res.status).toBe(200);
+    expect(handlerCalled).toBe(true);
+    const json = (await res.json()) as { ok: boolean; received: string };
+    expect(json.received).toBe("test.ping");
+  });
+
+  test("200 when signature matches with prefix (SHA-1, EAS-style)", async () => {
+    const body = JSON.stringify({ status: "finished" });
+    const signature = `sha1=${await sign("sha1", SECRET, body)}`;
+    const handler = withWebhook(
+      {
+        source: "eas-webhook",
+        signatureHeader: "expo-signature",
+        signaturePrefix: "sha1=",
+        secretEnv: "TEST_WEBHOOK_SECRET",
+        algorithm: "sha1",
+      },
+      () => new Response("ok", { status: 200 }),
+    );
+    const res = await handler(
+      ctx,
+      makeRequest({
+        body,
+        signatureHeader: "expo-signature",
+        signatureValue: signature,
+      }),
+    );
+    expect(res.status).toBe(200);
+  });
+
+  test("400 when body is not valid JSON", async () => {
+    const body = "not-json{";
+    const signature = await sign("sha256", SECRET, body);
+    const handler = withWebhook(
+      {
+        source: "test",
+        signatureHeader: "x-signature",
+        secretEnv: "TEST_WEBHOOK_SECRET",
+        algorithm: "sha256",
+      },
+      () => new Response("ok"),
+    );
+    const res = await handler(
+      ctx,
+      makeRequest({
+        body,
+        signatureHeader: "x-signature",
+        signatureValue: signature,
+      }),
+    );
+    expect(res.status).toBe(400);
+  });
+
+  test("413 when Content-Length exceeds maxBodyBytes", async () => {
+    const handler = withWebhook(
+      {
+        source: "test",
+        signatureHeader: "x-signature",
+        secretEnv: "TEST_WEBHOOK_SECRET",
+        algorithm: "sha256",
+        maxBodyBytes: 100,
+      },
+      () => new Response("ok"),
+    );
+    const res = await handler(
+      ctx,
+      makeRequest({
+        body: "{}",
+        signatureHeader: "x-signature",
+        signatureValue: "deadbeef",
+        contentLength: 999_999,
+      }),
+    );
+    expect(res.status).toBe(413);
+  });
+
+  test("401 when replay timestamp is missing", async () => {
+    const handler = withWebhook(
+      {
+        source: "test",
+        signatureHeader: "x-signature",
+        secretEnv: "TEST_WEBHOOK_SECRET",
+        algorithm: "sha256",
+        replay: { header: "x-timestamp", maxAgeSeconds: 300 },
+      },
+      () => new Response("ok"),
+    );
+    const body = "{}";
+    const signature = await sign("sha256", SECRET, body);
+    const res = await handler(
+      ctx,
+      makeRequest({
+        body,
+        signatureHeader: "x-signature",
+        signatureValue: signature,
+      }),
+    );
+    expect(res.status).toBe(401);
+    const text = await res.text();
+    expect(text).toContain("missing x-timestamp");
+  });
+
+  test("401 when replay timestamp is stale", async () => {
+    const handler = withWebhook(
+      {
+        source: "test",
+        signatureHeader: "x-signature",
+        secretEnv: "TEST_WEBHOOK_SECRET",
+        algorithm: "sha256",
+        replay: { header: "x-timestamp", maxAgeSeconds: 60 },
+      },
+      () => new Response("ok"),
+    );
+    const body = "{}";
+    const signature = await sign("sha256", SECRET, body);
+    const stale = Date.now() - 120_000; // 2 minutes ago, exceeds 60s window
+    const res = await handler(
+      ctx,
+      makeRequest({
+        body,
+        signatureHeader: "x-signature",
+        signatureValue: signature,
+        timestampHeader: "x-timestamp",
+        timestampValue: String(stale),
+      }),
+    );
+    expect(res.status).toBe(401);
+    const text = await res.text();
+    expect(text).toContain("timestamp out of window");
+  });
+
+  test("200 when replay timestamp is fresh", async () => {
+    const handler = withWebhook(
+      {
+        source: "test",
+        signatureHeader: "x-signature",
+        secretEnv: "TEST_WEBHOOK_SECRET",
+        algorithm: "sha256",
+        replay: { header: "x-timestamp", maxAgeSeconds: 300 },
+      },
+      () => new Response("ok", { status: 200 }),
+    );
+    const body = "{}";
+    const signature = await sign("sha256", SECRET, body);
+    const res = await handler(
+      ctx,
+      makeRequest({
+        body,
+        signatureHeader: "x-signature",
+        signatureValue: signature,
+        timestampHeader: "x-timestamp",
+        timestampValue: String(Date.now()),
+      }),
+    );
+    expect(res.status).toBe(200);
+  });
+
+  test("X-Request-Id header is set on every response", async () => {
+    const handler = withWebhook(
+      {
+        source: "test",
+        signatureHeader: "x-signature",
+        secretEnv: "TEST_WEBHOOK_SECRET",
+        algorithm: "sha256",
+      },
+      () => new Response("ok", { status: 200 }),
+    );
+    const body = "{}";
+    const signature = await sign("sha256", SECRET, body);
+    const res = await handler(
+      ctx,
+      makeRequest({
+        body,
+        signatureHeader: "x-signature",
+        signatureValue: signature,
+      }),
+    );
+    expect(res.status).toBe(200);
+    expect(res.headers.get("X-Request-Id")).toBeTruthy();
+  });
+
+  test("500 when handler throws", async () => {
+    const handler = withWebhook(
+      {
+        source: "test",
+        signatureHeader: "x-signature",
+        secretEnv: "TEST_WEBHOOK_SECRET",
+        algorithm: "sha256",
+      },
+      () => {
+        throw new Error("simulated handler crash");
+      },
+    );
+    const body = "{}";
+    const signature = await sign("sha256", SECRET, body);
+    const res = await handler(
+      ctx,
+      makeRequest({
+        body,
+        signatureHeader: "x-signature",
+        signatureValue: signature,
+      }),
+    );
+    expect(res.status).toBe(500);
+    const text = await res.text();
+    expect(text).toContain("handler error");
+  });
+});

package/dist/templates/default/__tests__/lib/deep-link.test.ts

@@ -0,0 +1,67 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+vi.mock("expo-linking", () => {
+  function parse(url: string) {
+    try {
+      const u = new URL(url);
+      const queryParams: Record<string, string> = {};
+      u.searchParams.forEach((v, k) => {
+        queryParams[k] = v;
+      });
+      return {
+        scheme: u.protocol.replace(/:$/, ""),
+        hostname: u.hostname || null,
+        path: u.pathname || null,
+        queryParams,
+      };
+    } catch {
+      return { scheme: null, hostname: null, path: url, queryParams: null };
+    }
+  }
+  return { parse, createURL: (p: string) => p };
+});
+
+import { resolveDeepLink } from "@/lib/deep-link";
+
+beforeEach(() => {
+  vi.clearAllMocks();
+});
+
+describe("resolveDeepLink", () => {
+  it("parses a valid path with query params", () => {
+    const result = resolveDeepLink("vexpo://app/linked?foo=bar&n=1");
+    expect(result.path).toBe("/linked");
+    expect(result.params).toEqual({ foo: "bar", n: "1" });
+  });
+
+  it("returns null path for disallowed routes", () => {
+    const result = resolveDeepLink("vexpo://app/admin");
+    expect(result.path).toBeNull();
+    expect(result.params).toEqual({});
+  });
+
+  it("returns null path for path traversal attempts", () => {
+    const result = resolveDeepLink("vexpo://app/../etc/passwd");
+    expect(result.path).toBeNull();
+  });
+
+  it("handles empty input", () => {
+    expect(resolveDeepLink("")).toEqual({ path: null, params: {} });
+  });
+
+  it("handles garbage input without throwing", () => {
+    expect(() => resolveDeepLink("not a url")).not.toThrow();
+    const result = resolveDeepLink("not a url");
+    expect(result.path).toBeNull();
+  });
+
+  it("normalizes trailing slashes", () => {
+    const result = resolveDeepLink("vexpo://app/linked/");
+    expect(result.path).toBe("/linked");
+  });
+
+  it("drops nullish query values", () => {
+    const result = resolveDeepLink("vexpo://app/linked?x=1");
+    expect(result.params).toEqual({ x: "1" });
+  });
+});

package/dist/templates/default/_easignore

@@ -0,0 +1,22 @@
+.expo
+.git
+dist
+node_modules
+ios/Pods
+ios/.xcode.env.local
+__tests__
+*.test.ts
+*.test.tsx
+*.spec.ts
+*.spec.tsx
+.env.example
+.env.convex.local
+README.md
+ios/
+plans/
+docs/
+.agents/
+.claude/
+app-store/
+.husky/
+convex/*.test.ts

package/dist/templates/default/_editorconfig

@@ -0,0 +1,9 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_style = space
+indent_size = 2
+insert_final_newline = true
+trim_trailing_whitespace = true

package/dist/templates/default/_env.example

@@ -0,0 +1,34 @@
+# .env.local template. Copy to .env.local then run `bun run setup`.
+# `bun run setup` writes most of these for you. The two identity vars
+# (EXPO_PUBLIC_APP_BUNDLE_ID and EXPO_PUBLIC_APPLE_TEAM_ID) are prompted by
+# `bun run setup:convex`. Edit by hand if you prefer.
+
+# ---------------------------------------------------------------------------
+# Convex deployment (written by `bun run setup:convex`)
+# ---------------------------------------------------------------------------
+CONVEX_DEPLOYMENT=
+EXPO_PUBLIC_CONVEX_URL=
+EXPO_PUBLIC_CONVEX_SITE_URL=
+EXPO_PUBLIC_SITE_URL=
+
+# ---------------------------------------------------------------------------
+# iOS identity (prompted by `bun run setup:convex`, also pushed to Convex env)
+# ---------------------------------------------------------------------------
+# Reverse-DNS bundle id, e.g. com.you.vexpo.
+EXPO_PUBLIC_APP_BUNDLE_ID=
+# 10-character Apple Team id from developer.apple.com/account.
+EXPO_PUBLIC_APPLE_TEAM_ID=
+
+# ---------------------------------------------------------------------------
+# Optional
+# ---------------------------------------------------------------------------
+# Sets `owner` in app.config.ts for EAS. Leave blank if you're not yet linked.
+# EXPO_PUBLIC_EXPO_OWNER=
+# Toggles `name` to "Vexpo (Dev)" so dev and prod can install side-by-side.
+# APP_VARIANT=development
+# Pre-fills the full-access Resend key for `bun run setup:resend` (else prompts).
+# RESEND_FULL_ACCESS_KEY=
+# Skips prompts in `bun run setup:apple` / `setup:asc`.
+# APPLE_P8_PATH=
+# APPLE_AUTH_KEY_PATH=
+# APPLE_ASC_ISSUER_ID=

package/dist/templates/default/_fingerprintignore

@@ -0,0 +1,24 @@
+# Environment files (no native impact)
+.env*
+
+# EAS workflows (CI config, not native code)
+.eas/**/*
+
+# Convex backend (server-side only)
+convex/**/*
+
+# Static assets (handled by expo-asset plugin separately)
+assets/**/*
+
+# Documentation
+*.md
+
+# Meta / ignored by native
+plans/
+docs/
+.agents/
+.claude/
+.github/
+app-store/
+store.config.json
+eas.json

package/dist/templates/default/_gitattributes

@@ -0,0 +1,7 @@
+.gitattributes merge=ours
+README.md merge=ours
+.env.example merge=ours
+package.json merge=ours
+bun.lock merge=ours
+app.json merge=ours
+eas.json merge=ours

package/dist/templates/default/_gitignore

@@ -0,0 +1,69 @@
+# Dependencies
+node_modules/
+
+# Environment variables
+.env
+.env.*
+!.env.example
+
+# Expo
+.expo/
+dist/
+expo-env.d.ts
+
+# Native project (CNG)
+ios/
+*.p8
+*.p12
+*.mobileprovision
+*.cer
+
+# Apple keys with no extension (Apple's default download naming)
+AuthKey_*
+SubscriptionKey_*
+
+# EAS (CLI state; keep workflows tracked)
+.eas/*
+!.eas/workflows/
+
+# Agents / local AI tooling
+.claude/
+.agents/
+.cursor/
+.aider*
+skills-lock.json
+
+# Working notes (not committed)
+plans/
+
+# App Store metadata. Ships with placeholder values so `eas submit` works
+# out-of-the-box. `vexpo rebrand` fills in your real review contact + demo creds.
+# Decide whether to commit your filled-in version based on team policy (it
+# contains demo passwords for App Review).
+# store.config.json
+
+# Setup state cache (resumable orchestrator; never holds secrets)
+.setup-state.json
+.setup-state.json.*.tmp
+
+# Manual-mode instruction files (contain raw secret values when CLIs missing)
+.vexpo-manual-setup/
+.rebrand-backup/
+
+# macOS
+.DS_Store
+
+# Pack artifacts. Allow patches/ tarballs since those are the source of truth
+# for `file:` deps the template ships with.
+*.tgz
+!patches/*.tgz
+
+# Bun
+bun-error.*
+
+# Test coverage
+coverage/
+.vitest-cache/
+
+# Build / typecheck artifacts
+tsconfig.tsbuildinfo

package/dist/templates/default/_oxfmtrc.json

@@ -0,0 +1,3 @@
+{
+  "ignorePatterns": ["convex/_generated/", "ios/", ".expo/", "dist/", "coverage/", "node_modules/"]
+}

package/dist/templates/default/_oxlintrc.json

@@ -0,0 +1,34 @@
+{
+  "$schema": "./node_modules/oxlint/configuration_schema.json",
+  "plugins": ["typescript", "react", "react-hooks", "import", "unicorn", "oxc"],
+  "categories": {
+    "correctness": "error",
+    "suspicious": "warn",
+    "perf": "warn",
+    "style": "off"
+  },
+  "rules": {
+    "no-console": "off",
+    "react/react-in-jsx-scope": "off",
+    "react/style-prop-object": "off",
+    "react/no-array-index-key": "off",
+    "react-hooks/exhaustive-deps": "warn",
+    "react-hooks/rules-of-hooks": "error",
+    "typescript/no-explicit-any": "warn",
+    "typescript/no-unused-vars": ["warn", { "argsIgnorePattern": "^_" }],
+    "import/no-unassigned-import": "off",
+    "no-await-in-loop": "off",
+    "unicorn/consistent-function-scoping": "off",
+    "no-underscore-dangle": ["warn", { "allow": ["_id", "_creationTime"] }],
+    "no-shadow": ["warn", { "allow": ["resolve", "reject"] }]
+  },
+  "ignorePatterns": [
+    "node_modules",
+    "ios",
+    "android",
+    "dist",
+    ".expo",
+    "convex/_generated",
+    "coverage"
+  ]
+}