@rapidd/core 2.1.0

package/.dockerignore

@@ -0,0 +1,71 @@
+# Dependencies
+node_modules
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# Testing and development
+__test__
+*.test.ts
+*.test.js
+*.spec.ts
+*.spec.js
+jest.setup.*
+coverage
+
+# Environment files
+.env
+.env.*
+!.env.example
+
+# Version control and CI/CD
+.git
+.gitignore
+.github
+.gitlab-ci.yml
+
+# Documentation
+*.md
+README*
+CHANGELOG*
+LICENSE*
+
+# Docker files
+Dockerfile*
+dockerfile*
+docker-compose*
+compose.yml
+.dockerignore
+
+# IDE and editor files
+.vscode
+.idea
+.claude
+*.swp
+*.swo
+*~
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Logs and temporary files
+logs
+*.log
+tmp
+temp
+*.tmp
+
+# Build artifacts (rebuilt in Docker)
+dist
+
+# Prisma client (regenerated in Docker)
+prisma/client
+
+# TypeScript config for tests
+tsconfig.test.json
+
+# Other
+*.orig
+*.backup
+data/

package/.env.example

@@ -0,0 +1,70 @@
+NODE_ENV=development
+
+# ── Database (REQUIRED) ────────────────────────────────
+DATABASE_URL="postgresql://user:password@localhost:5432/database?schema=public"
+# Admin connection (bypasses RLS); defaults to DATABASE_URL
+DATABASE_URL_ADMIN=
+# Auto-detected from URL; set to "postgresql" or "mysql" to override
+DATABASE_PROVIDER=
+
+# ── Server ─────────────────────────────────────────────
+HOST=0.0.0.0
+PORT=3000
+DOMAIN=localhost
+FRONTEND_DOMAIN=frontend.domain
+ALLOWED_ORIGINS=frontend.domain
+COOKIE_SECRET=your-cookie-secret-here
+# true/false; defaults to true in production
+TRUST_PROXY=
+
+# ── Authentication (auto-configured) ───────────────────
+# Auth is auto-enabled when a user table is detected in the Prisma schema.
+# Identifier fields and password field are auto-detected from the schema.
+# JWT secrets are auto-generated if not set (won't persist across restarts).
+JWT_SECRET=
+JWT_REFRESH_SECRET=
+# redis or memory
+AUTH_SESSION_STORAGE=redis
+# Session TTL in seconds (default: 24h)
+AUTH_SESSION_TTL=86400
+# bcrypt salt rounds
+AUTH_SALT_ROUNDS=10
+# JWT access token expiry
+AUTH_ACCESS_TOKEN_EXPIRY=1d
+# JWT refresh token expiry
+AUTH_REFRESH_TOKEN_EXPIRY=30d
+# Auto-detected; set to override (e.g., "accounts")
+DB_USER_TABLE=
+# Auto-detected; set to override (e.g., "hash")
+DB_USER_PASSWORD_FIELD=
+# Auto-detected from unique string fields; comma-separated (default: email)
+DB_USER_IDENTIFIER_FIELDS=
+# Comma-separated: bearer, basic, cookie, header (default: bearer)
+AUTH_STRATEGIES=bearer
+# Cookie name for cookie strategy (default: token)
+AUTH_COOKIE_NAME=token
+# Header name for header strategy (default: X-Auth-Token)
+AUTH_CUSTOM_HEADER=X-Auth-Token
+
+# ── API Settings ───────────────────────────────────────
+# Max results per query
+API_RESULT_LIMIT=500
+# Rate limit window in ms (default: 15min)
+RATE_LIMIT_WINDOW_MS=900000
+# Max requests per window
+RATE_LIMIT_MAX_REQUESTS=100
+
+# ── Redis ──────────────────────────────────────────────
+REDIS_HOST=localhost
+REDIS_PORT=6379
+REDIS_PASSWORD=
+REDIS_DB_RATE_LIMIT=0
+REDIS_DB_AUTH=1
+
+# ── Row-Level Security ─────────────────────────────────
+# RLS is auto-enabled for PostgreSQL and disabled for MySQL.
+# true/false; override auto-detection
+RLS_ENABLED=
+# Namespace prefix for SQL session variables (default: app)
+RLS_NAMESPACE=app
+# Configure RLS variables in src/config/rls.ts

package/.gitignore

@@ -0,0 +1,11 @@
+.DS_Store
+._*
+/node_modules
+.env
+compose.yml
+/config/app.json
+/logs
+/data/api_credentials.json
+/prisma/client
+/dist
+/wiki

package/LICENSE

@@ -0,0 +1,15 @@
+ISC License
+
+Copyright (c) 2025 Mert Dalbudak
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.

package/README.md

@@ -0,0 +1,231 @@
+<img width="64" height="64" alt="logo" src="https://github.com/user-attachments/assets/706dd13b-212c-4076-b4d7-94dec4001a06" />
+
+# Rapidd
+
+Code-first REST API framework for TypeScript. Database in, API out.
+
+[![TypeScript](https://img.shields.io/badge/TypeScript-5.x-3178C6?logo=typescript&logoColor=white)](https://www.typescriptlang.org/)
+[![Fastify](https://img.shields.io/badge/Fastify-5.x-000000?logo=fastify&logoColor=white)](https://fastify.dev/)
+[![Prisma](https://img.shields.io/badge/Prisma-7.x-2D3748?logo=prisma&logoColor=white)](https://www.prisma.io/)
+[![License: ISC](https://img.shields.io/badge/License-ISC-blue.svg)](LICENSE)
+[![CI](https://github.com/MertDalbudak/rapidd/actions/workflows/ci.yml/badge.svg)](https://github.com/MertDalbudak/rapidd/actions/workflows/ci.yml)
+
+---
+
+## Why Rapidd
+
+Rapidd generates a fully-featured REST API from your database schema — then gets out of your way. It's not a scaffolder that dumps code you'll rewrite. It's not a hosted service between you and your data. It's a framework you own, extend, and deploy anywhere.
+
+**Unlike Hasura or Supabase**, you get a full TypeScript codebase — no vendor lock-in, no managed service dependency. **Unlike PostgREST**, you get auth, ACL, middleware hooks, and utilities built in. **Unlike Strapi**, it's schema-first via Prisma, not UI-driven.
+
+- **Zero to API in 3 commands** — CRUD endpoints with filtering, pagination, relations, and field selection
+- **Convention over configuration** — auto-detects auth tables, password fields, DB provider, and RLS support. Every default overridable
+- **Production-grade from day one** — security headers, JWT with refresh rotation, row-level security, per-model ACL, rate limiting
+- **Batteries included** — HTTP client, SMTP mailer with templates, file uploads, rate limiting, i18n across 10 languages
+- **Fully extensible** — before/after middleware on every CRUD operation, custom routes alongside generated ones
+
+---
+
+## Quick Start
+
+```bash
+npm install @rapidd/build
+```
+
+```env
+DATABASE_URL="postgresql://user:pass@localhost:5432/mydb"
+```
+
+```bash
+npx prisma db pull        # introspect existing database
+npx rapidd build          # generate models, routes & ACL scaffold
+npm run dev               # http://localhost:3000
+```
+
+Every table gets full CRUD endpoints. Auth is enabled automatically when a user table is detected. Every auto-detected value — auth fields, password hashing, JWT secrets, session store — is overridable via env vars. See [`.env.example`](.env.example) for the full list.
+
+> 📖 **[Getting Started guide →](https://github.com/MertDalbudak/rapidd/wiki/Getting-Started)** — full walkthrough with project structure
+
+---
+
+## Features
+
+| Feature | PostgreSQL | MySQL/MariaDB |
+|---------|:----------:|:-------------:|
+| CRUD API generation | ✓ | ✓ |
+| Query filtering (20+ operators) | ✓ | ✓ |
+| Relations & deep includes | ✓ | ✓ |
+| Field selection | ✓ | ✓ |
+| JWT authentication (4 strategies) | ✓ | ✓ |
+| Per-model ACL | ✓ | ✓ |
+| Row-Level Security (database-enforced) | ✓ | — |
+| Rate limiting (Redis + memory fallback) | ✓ | ✓ |
+| File uploads with MIME validation | ✓ | ✓ |
+| SMTP mailer with EJS templates | ✓ | ✓ |
+| Config-driven HTTP client | ✓ | ✓ |
+| i18n (10 languages) | ✓ | ✓ |
+| Security headers (HSTS, CSP, etc.) | ✓ | ✓ |
+
+> **MySQL note:** ACL provides application-level access control for all databases. RLS adds database-enforced row filtering as a second layer (PostgreSQL-only). For MySQL, ACL is your primary access control mechanism and covers most use cases. See the **[Access Control wiki](https://github.com/MertDalbudak/rapidd/wiki/Access-Control-(ACL))** for details.
+
+---
+
+## Query API
+
+All generated endpoints support filtering, relations, field selection, sorting, and pagination.
+
+```
+GET /api/v1/posts?filter=status=active,title=%typescript%
+GET /api/v1/posts?filter=createdAt=after:2025-01-01,views=gte:100
+GET /api/v1/posts?include=author,comments.user&fields=id,title,author.name
+GET /api/v1/posts?sortBy=createdAt&sortOrder=desc&limit=10&offset=20
+```
+
+20+ filter operators for strings, numbers, dates, arrays, nulls, and nested relation fields. Responses include pagination metadata with `total`, `count`, `limit`, `offset`, and `hasMore`.
+
+> 📖 **[Query API wiki →](https://github.com/MertDalbudak/rapidd/wiki/Query-API)** — all operators, composite PKs, relation filtering
+
+---
+
+## Authentication
+
+Auto-enabled when a user table is detected.
+
+```
+POST /auth/login          { "user": "john@example.com", "password": "..." }
+POST /auth/logout         Authorization: Bearer <token>
+POST /auth/refresh        { "refreshToken": "..." }
+GET  /auth/me             Authorization: Bearer <token>
+```
+
+Four strategies — **bearer** (default), **basic**, **cookie**, and **custom header** — configurable per-route. Multi-identifier login lets users authenticate with any unique field (email, username, phone) in a single endpoint.
+
+⚠️ **Production:** `JWT_SECRET` and `JWT_REFRESH_SECRET` must be set explicitly. The server refuses to start without them to prevent session invalidation on restart.
+
+> 📖 **[Authentication wiki →](https://github.com/MertDalbudak/rapidd/wiki/Authentication)** — session stores, route protection, per-endpoint strategy overrides
+
+---
+
+## Access Control
+
+Define per-model rules in `src/config/acl.ts`. Enforced on every CRUD operation, relation include, and field selection.
+
+```typescript
+const acl: AclConfig = {
+    model: {
+        posts: {
+            canCreate: (user, data) => user.role !== 'GUEST',
+            getAccessFilter: (user) => user.role === 'ADMIN' ? {} : { authorId: user.id },
+            getUpdateFilter: (user) => user.role === 'ADMIN' ? {} : { authorId: user.id },
+            getDeleteFilter: (user) => user.role === 'ADMIN' ? {} : false,
+            getOmitFields: (user) => user.role !== 'ADMIN' ? ['internalNotes'] : [],
+        }
+    }
+};
+```
+
+Return `{}` for full access, a filter object to scope records, or `false` to deny.
+
+> 📖 **[Access Control wiki →](https://github.com/MertDalbudak/rapidd/wiki/Access-Control-(ACL))** — all 5 ACL methods, relation ACL, 404 vs 403 distinction
+
+---
+
+## Model Middleware
+
+Hook into any CRUD operation before or after execution.
+
+```typescript
+// Auto-timestamps
+Model.middleware.use('before', 'create', async (ctx) => {
+    ctx.data.createdAt = new Date();
+    ctx.data.createdBy = ctx.user?.id;
+    return ctx;
+});
+
+// Soft deletes (scoped to a specific model)
+Model.middleware.use('before', 'delete', async (ctx) => {
+    ctx.softDelete = true;
+    ctx.data = { deletedAt: new Date(), deletedBy: ctx.user?.id };
+    return ctx;
+}, 'posts');
+```
+
+Supports `create`, `update`, `upsert`, `upsertMany`, `delete`, `get`, `getMany`, and `count`. Middleware can abort operations, modify data, and short-circuit with cached results.
+
+> 📖 **[Model Middleware wiki →](https://github.com/MertDalbudak/rapidd/wiki/Model-Middleware)** — all hooks, context object, patterns (soft delete, validation, caching)
+
+---
+
+## Row-Level Security
+
+Auto-enabled for PostgreSQL. Define which variables to inject in `src/config/rls.ts`:
+
+```typescript
+// src/config/rls.ts
+const rlsContext: RlsContextFn = (request) => ({
+    current_user_id: request.user?.id ?? null,
+    current_tenant_id: request.headers['x-tenant-id'] ?? null,
+});
+```
+
+```sql
+CREATE POLICY tenant_isolation ON orders
+    USING (tenant_id = current_setting('app.current_tenant_id')::int);
+```
+
+> 📖 **[Row-Level Security wiki →](https://github.com/MertDalbudak/rapidd/wiki/Row%E2%80%90Level-Security-(RLS))** — policy examples, RLS vs ACL comparison
+
+---
+
+## Built-in Utilities
+
+| Utility | Description | Docs |
+|---------|-------------|------|
+| **ApiClient** | Config-driven HTTP client with Bearer, Basic, API Key, and OAuth2 auth. Automatic token caching, retries, and fluent builder. | [Wiki →](https://github.com/MertDalbudak/rapidd/wiki/ApiClient) |
+| **Mailer** | SMTP email with EJS template rendering, layout wrappers, i18n support, batch sending, and attachments. | [Wiki →](https://github.com/MertDalbudak/rapidd/wiki/Mailer) |
+| **File Uploads** | Multipart uploads with MIME validation, size limits, and type presets (`images`, `documents`, etc.). | [Wiki →](https://github.com/MertDalbudak/rapidd/wiki/File-Uploads) |
+| **Rate Limiting** | Redis-backed with automatic memory fallback. Per-path configuration via `config/rate-limit.json`. | [Wiki →](https://github.com/MertDalbudak/rapidd/wiki/Rate-Limiting) |
+| **i18n** | 10 languages included. Auto-detected from `Accept-Language` header. Parameter interpolation in error messages. | [Wiki →](https://github.com/MertDalbudak/rapidd/wiki/Internationalization-(i18n)) |
+
+---
+
+## Production & Deployment
+
+```env
+NODE_ENV=production
+JWT_SECRET=your-secret-here          # Required — server won't start without it
+JWT_REFRESH_SECRET=your-refresh-secret
+ALLOWED_ORIGINS=yourdomain.com
+TRUST_PROXY=true
+```
+
+```bash
+npm run build && npm start
+
+# or Docker
+docker build -t rapidd . && docker run -p 3000:3000 --env-file .env rapidd
+```
+
+**Security defaults in production:** HSTS, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, and CORS with explicit origin whitelisting — all enabled automatically.
+
+> 📖 **[Deployment wiki →](https://github.com/MertDalbudak/rapidd/wiki/Deployment-&-Production)** — Docker Compose, nginx reverse proxy, production checklist, horizontal scaling
+
+---
+
+## Documentation
+
+Full documentation: **[github.com/MertDalbudak/rapidd/wiki](https://github.com/MertDalbudak/rapidd/wiki)**
+
+[Getting Started](https://github.com/MertDalbudak/rapidd/wiki/Getting-Started) · [Configuration](https://github.com/MertDalbudak/rapidd/wiki/Configuration) · [Query API](https://github.com/MertDalbudak/rapidd/wiki/Query-API) · [Authentication](https://github.com/MertDalbudak/rapidd/wiki/Authentication) · [Access Control](https://github.com/MertDalbudak/rapidd/wiki/Access-Control-(ACL)) · [Model Middleware](https://github.com/MertDalbudak/rapidd/wiki/Model-Middleware) · [Row-Level Security](https://github.com/MertDalbudak/rapidd/wiki/Row%E2%80%90Level-Security-(RLS)) · [ApiClient](https://github.com/MertDalbudak/rapidd/wiki/ApiClient) · [Mailer](https://github.com/MertDalbudak/rapidd/wiki/Mailer) · [File Uploads](https://github.com/MertDalbudak/rapidd/wiki/File-Uploads) · [Rate Limiting](https://github.com/MertDalbudak/rapidd/wiki/Rate-Limiting) · [i18n](https://github.com/MertDalbudak/rapidd/wiki/Internationalization-(i18n)) · [Deployment](https://github.com/MertDalbudak/rapidd/wiki/Deployment-&-Production)
+
+---
+
+## Contributing
+
+Issues and pull requests are welcome. If you find a bug or have a feature request, [open an issue](https://github.com/MertDalbudak/rapidd/issues).
+
+## License
+
+[ISC](LICENSE)
+
+Built by [Mert Dalbudak](https://github.com/MertDalbudak)

package/bin/cli.js

@@ -0,0 +1,145 @@
+#!/usr/bin/env node
+
+const fs = require('fs');
+const path = require('path');
+
+const COMMANDS = { 'create-project': createProject };
+
+const args = process.argv.slice(2);
+const command = args[0];
+
+if (!command || !COMMANDS[command]) {
+    console.log('Usage: npx rapidd <command>\n');
+    console.log('Commands:');
+    console.log('  create-project   Scaffold a new Rapidd project in the current directory');
+    process.exit(command ? 1 : 0);
+}
+
+COMMANDS[command](args.slice(1));
+
+function createProject() {
+    const targetDir = process.cwd();
+
+    // Safety check — don't overwrite an existing project
+    if (fs.existsSync(path.join(targetDir, 'src')) || fs.existsSync(path.join(targetDir, 'main.ts'))) {
+        console.error('Error: Current directory already contains a project (src/ or main.ts found).');
+        process.exit(1);
+    }
+
+    const packageRoot = path.resolve(__dirname, '..');
+    const projectName = path.basename(targetDir);
+
+    const SKIP = new Set([
+        'node_modules', 'dist', '__test__', '.github', '.claude', 'wiki',
+        'bin', '.git', 'package-lock.json', '.env', 'prisma/client',
+    ]);
+
+    const FILES = [
+        'src/',
+        'config/',
+        'locales/',
+        'routes/',
+        'templates/',
+        'public/',
+        'prisma/schema.prisma',
+        'prisma.config.ts',
+        'main.ts',
+        'tsconfig.json',
+        '.env.example',
+        '.gitignore',
+        '.dockerignore',
+        'dockerfile',
+    ];
+
+    console.log(`\nCreating project in ${targetDir}...\n`);
+
+    for (const entry of FILES) {
+        const src = path.join(packageRoot, entry);
+        if (!fs.existsSync(src)) continue;
+
+        const dest = path.join(targetDir, entry);
+
+        if (entry.endsWith('/')) {
+            copyDir(src, dest, SKIP);
+        } else {
+            fs.mkdirSync(path.dirname(dest), { recursive: true });
+            fs.copyFileSync(src, dest);
+        }
+    }
+
+    // Generate a fresh package.json for the new project
+    const pkg = {
+        name: projectName,
+        version: '1.0.0',
+        private: true,
+        scripts: {
+            start: 'node dist/main.js',
+            dev: 'tsx watch main.ts',
+            build: 'tsc',
+        },
+        engines: { node: '>=24.0.0' },
+        dependencies: {
+            '@fastify/cookie': '^11.0.2',
+            '@fastify/cors': '^11.0.0',
+            '@fastify/formbody': '^8.0.2',
+            '@fastify/multipart': '^9.4.0',
+            '@fastify/static': '^9.0.0',
+            '@prisma/adapter-mariadb': '^7.0.1',
+            '@prisma/adapter-pg': '^7.0.1',
+            '@prisma/client': '^7.0.1',
+            '@prisma/internals': '^7.0.1',
+            'bcrypt': '^6.0.0',
+            'dotenv': '^17.3.1',
+            'ejs': '^4.0.1',
+            'fastify': '^5.2.1',
+            'fastify-plugin': '^5.0.1',
+            'ioredis': '^5.6.1',
+            'jsonwebtoken': '^9.0.2',
+            'luxon': '^3.7.2',
+            'nodemailer': '^8.0.1',
+            'pg': '^8.16.3',
+        },
+        devDependencies: {
+            '@rapidd/build': '^2.1.3',
+            '@types/bcrypt': '^6.0.0',
+            '@types/ejs': '^3.1.5',
+            '@types/jsonwebtoken': '^9.0.8',
+            '@types/luxon': '^3.7.1',
+            '@types/node': '^22.12.0',
+            '@types/nodemailer': '^7.0.9',
+            '@types/pg': '^8.11.11',
+            'prisma': '^7.0.2',
+            'tsx': '^4.19.2',
+            'typescript': '^5.7.3',
+        },
+    };
+
+    fs.writeFileSync(
+        path.join(targetDir, 'package.json'),
+        JSON.stringify(pkg, null, 2) + '\n'
+    );
+
+    console.log('Project created. Next steps:\n');
+    console.log('  npm install');
+    console.log('  # Set DATABASE_URL in .env');
+    console.log('  npx prisma db pull');
+    console.log('  npx rapidd build');
+    console.log('  npm run dev\n');
+}
+
+function copyDir(src, dest, skip) {
+    fs.mkdirSync(dest, { recursive: true });
+
+    for (const entry of fs.readdirSync(src, { withFileTypes: true })) {
+        if (skip.has(entry.name) || entry.name === '.DS_Store') continue;
+
+        const srcPath = path.join(src, entry.name);
+        const destPath = path.join(dest, entry.name);
+
+        if (entry.isDirectory()) {
+            copyDir(srcPath, destPath, skip);
+        } else {
+            fs.copyFileSync(srcPath, destPath);
+        }
+    }
+}