@techstream/quark-create-app 1.2.0 → 1.4.0

package/package.json

@@ -1,34 +1,35 @@
 {
-	"name": "@techstream/quark-create-app",
-	"version": "1.2.0",
-	"type": "module",
-	"bin": {
-		"quark-create-app": "src/index.js",
-		"create-quark-app": "src/index.js"
-	},
-	"files": [
-		"src",
-		"templates",
-		"README.md"
-	],
-	"scripts": {
-		"test": "node test-cli.js",
-		"test:e2e": "node test-e2e.js",
-		"test:integration": "node test-integration.js",
-		"test:all": "node test-all.js"
-	},
-	"dependencies": {
-		"chalk": "^5.6.2",
-		"commander": "^12.1.0",
-		"execa": "^9.6.1",
-		"fs-extra": "^11.3.3",
-		"prompts": "^2.4.2"
-	},
-	"publishConfig": {
-		"registry": "https://registry.npmjs.org",
-		"access": "public"
-	},
-	"engines": {
-		"node": ">=24"
-	}
-}
+  "name": "@techstream/quark-create-app",
+  "version": "1.4.0",
+  "type": "module",
+  "bin": {
+    "quark-create-app": "src/index.js",
+    "create-quark-app": "src/index.js"
+  },
+  "files": [
+    "src",
+    "templates",
+    "README.md"
+  ],
+  "dependencies": {
+    "chalk": "^5.6.2",
+    "commander": "^12.1.0",
+    "execa": "^9.6.1",
+    "fs-extra": "^11.3.3",
+    "prompts": "^2.4.2"
+  },
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org",
+    "access": "public"
+  },
+  "engines": {
+    "node": ">=22"
+  },
+  "license": "ISC",
+  "scripts": {
+    "test": "node test-cli.js",
+    "test:e2e": "node test-e2e.js",
+    "test:integration": "node test-integration.js",
+    "test:all": "node test-all.js"
+  }
+}

package/src/index.js

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
 import crypto from "node:crypto";
+import net from "node:net";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 import chalk from "chalk";
@@ -47,6 +48,48 @@ function generateSecurePassword(length = 24) {
 	return result;
 }
 
+/**
+ * Check if a TCP port is available on localhost.
+ * Uses a connect test (not bind) to reliably detect Docker-bound ports on macOS.
+ * @param {number} port
+ * @returns {Promise<boolean>}
+ */
+function isPortAvailable(port) {
+	return new Promise((resolve) => {
+		const socket = new net.Socket();
+		socket.setTimeout(500);
+		socket.once("connect", () => {
+			socket.destroy();
+			resolve(false); // something is listening — port is in use
+		});
+		socket.once("error", () => {
+			socket.destroy();
+			resolve(true); // ECONNREFUSED — port is free
+		});
+		socket.once("timeout", () => {
+			socket.destroy();
+			resolve(true); // no response — port is free
+		});
+		socket.connect(port, "127.0.0.1");
+	});
+}
+
+/**
+ * Find the next available port starting from a given port
+ * @param {number} startPort
+ * @param {number} [maxAttempts=20]
+ * @returns {Promise<number>}
+ */
+async function findAvailablePort(startPort, maxAttempts = 20) {
+	for (let i = 0; i < maxAttempts; i++) {
+		const port = startPort + i;
+		if (await isPortAvailable(port)) {
+			return port;
+		}
+	}
+	return startPort; // fallback to default if all checked ports are busy
+}
+
 /**
  * Copy a template directory to the target location, with variable substitution
  */
@@ -67,7 +110,10 @@ async function copyTemplate(templateName, targetDir, variables = {}) {
 			let content = await fs.readFile(packageJsonPath, "utf-8");
 
 			for (const [key, value] of Object.entries(variables)) {
-				const pattern = new RegExp(key.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"), "g");
+				const pattern = new RegExp(
+					key.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"),
+					"g",
+				);
 				content = content.replace(pattern, value);
 			}
 
@@ -131,8 +177,12 @@ function replaceDepsScope(deps, scope, selectedPackages) {
 		if (key.startsWith("@techstream/quark-") && value === "workspace:*") {
 			const packageName = key.replace("@techstream/quark-", "");
 			delete deps[key];
-			// Only keep the dep if the package was selected (or is "db" which is always required)
-			if (packageName === "db" || selectedPackages.includes(packageName)) {
+			// Only keep the dep if the package was selected (or is always required)
+			if (
+				packageName === "db" ||
+				packageName === "config" ||
+				selectedPackages.includes(packageName)
+			) {
 				deps[`@${scope}/${packageName}`] = value;
 			}
 		}
@@ -151,7 +201,11 @@ async function replaceImportsInSourceFiles(dir, scope) {
 	for (const entry of entries) {
 		const fullPath = path.join(dir, entry.name);
 
-		if (entry.isDirectory() && entry.name !== "node_modules" && entry.name !== ".next") {
+		if (
+			entry.isDirectory() &&
+			entry.name !== "node_modules" &&
+			entry.name !== ".next"
+		) {
 			await replaceImportsInSourceFiles(fullPath, scope);
 		} else if (entry.isFile() && /\.(js|ts|jsx|tsx|mjs)$/.test(entry.name)) {
 			let content = await fs.readFile(fullPath, "utf-8");
@@ -202,7 +256,9 @@ program
 	.argument("<project-name>", "Name of the project to create")
 	.action(async (projectName) => {
 		console.log(
-			chalk.blue.bold(`\n\uD83D\uDE80 Creating your new Quark project: ${projectName}\n`),
+			chalk.blue.bold(
+				`\n\uD83D\uDE80 Creating your new Quark project: ${projectName}\n`,
+			),
 		);
 
 		const targetDir = validateProjectName(projectName);
@@ -210,8 +266,30 @@ program
 
 		// Check if directory already exists
 		if (await fs.pathExists(targetDir)) {
-			console.error(chalk.red(`✗ Directory already exists: ${targetDir}`));
-			process.exit(1);
+			const { overwrite } = await prompts({
+				type: "confirm",
+				name: "overwrite",
+				message: `Directory "${projectName}" already exists. Remove it and recreate?`,
+				initial: false,
+			});
+
+			if (!overwrite) {
+				console.log(chalk.yellow("Aborted."));
+				process.exit(1);
+			}
+
+			// Clean up Docker resources (volumes hold old credentials)
+			try {
+				await execa("docker", ["compose", "down", "-v"], {
+					cwd: targetDir,
+					stdio: "ignore",
+				});
+				console.log(chalk.green("  ✓ Cleaned up Docker volumes"));
+			} catch {
+				// No docker-compose file or Docker not running — fine
+			}
+
+			await fs.remove(targetDir);
 		}
 
 		try {
@@ -233,25 +311,33 @@ program
 			// Step 4: Copy required packages (always included)
 			console.log(chalk.cyan("\n  📦 Setting up required packages..."));
 
-			// Database package is always required (already copied from base-project)
-			// Just update its package.json name
-			const dbPackageDir = path.join(targetDir, "packages", "db");
-			const dbPackageJsonPath = path.join(dbPackageDir, "package.json");
-			const dbPackageJson = await fs.readJSON(dbPackageJsonPath);
-			dbPackageJson.name = `@${scope}/db`;
-			await fs.writeFile(
-				dbPackageJsonPath,
-				`${JSON.stringify(dbPackageJson, null, 2)}\n`,
-			);
-			console.log(chalk.green(`    ✓ db (required)`));
+			// Database and config packages are always required
+			const requiredPackages = ["db", "config"];
+			for (const reqPkg of requiredPackages) {
+				const pkgDir = path.join(targetDir, "packages", reqPkg);
+				// db is already copied from base-project; config needs to be copied from its template
+				if (!(await fs.pathExists(pkgDir))) {
+					await fs.ensureDir(pkgDir);
+					await copyTemplate(reqPkg, pkgDir);
+				}
+				const pkgJsonPath = path.join(pkgDir, "package.json");
+				const pkgJson = await fs.readJSON(pkgJsonPath);
+				pkgJson.name = `@${scope}/${reqPkg}`;
+				await fs.writeFile(
+					pkgJsonPath,
+					`${JSON.stringify(pkgJson, null, 2)}\n`,
+				);
+				console.log(chalk.green(`    ✓ ${reqPkg} (required)`));
+			}
 
 			// Step 5: Ask which optional features to eject
-			console.log(chalk.cyan("\n  🎯 Configuring optional features..."));
+			console.log(chalk.cyan("\n  🎯 Configuring optional features...\n"));
 			const response = await prompts([
 				{
 					type: "multiselect",
 					name: "features",
 					message: "Which optional packages would you like to include?",
+					instructions: false,
 					choices: [
 						{
 							title: "UI Components (packages/ui)",
@@ -263,11 +349,6 @@ program
 							value: "jobs",
 							selected: true,
 						},
-						{
-							title: "Configuration (packages/config)",
-							value: "config",
-							selected: false,
-						},
 					],
 				},
 			]);
@@ -298,27 +379,44 @@ program
 				}
 			}
 
-			// Step 7: Update app dependencies to use correct scope
+			// Step 7: Update all package.json dependencies to use correct scope
 			console.log(chalk.cyan("\n  🔧 Updating app dependencies..."));
 
-			// Update app package.json files to use correct scope
-			const appPaths = [
+			// Collect all package.json files that need scope replacement (apps + packages)
+			const allPkgPaths = [
 				path.join(targetDir, "apps", "web", "package.json"),
 				path.join(targetDir, "apps", "worker", "package.json"),
+				// Also update cross-dependencies in scaffolded packages (e.g. db → config)
+				...["db", ...features].map((pkg) =>
+					path.join(targetDir, "packages", pkg, "package.json"),
+				),
 			];
 
-			for (const appPkgPath of appPaths) {
-				if (await fs.pathExists(appPkgPath)) {
-					const appPkg = await fs.readJSON(appPkgPath);
-					replaceDepsScope(appPkg.dependencies, scope, features);
-					replaceDepsScope(appPkg.devDependencies, scope, features);
-					await fs.writeFile(
-						appPkgPath,
-						`${JSON.stringify(appPkg, null, 2)}\n`,
-					);
+			for (const pkgPath of allPkgPaths) {
+				if (await fs.pathExists(pkgPath)) {
+					const pkg = await fs.readJSON(pkgPath);
+					// Rename package name if it uses @quark/ prefix
+					if (pkg.name?.startsWith("@quark/")) {
+						const shortName = pkg.name.replace("@quark/", "");
+						pkg.name = `@${scope}/${shortName}`;
+					}
+					replaceDepsScope(pkg.dependencies, scope, features);
+					replaceDepsScope(pkg.devDependencies, scope, features);
+					await fs.writeFile(pkgPath, `${JSON.stringify(pkg, null, 2)}\n`);
 				}
 			}
 
+			// Also rename root package.json
+			const rootPkgPath = path.join(targetDir, "package.json");
+			if (await fs.pathExists(rootPkgPath)) {
+				const rootPkg = await fs.readJSON(rootPkgPath);
+				rootPkg.name = `@${scope}/root`;
+				await fs.writeFile(
+					rootPkgPath,
+					`${JSON.stringify(rootPkg, null, 2)}\n`,
+				);
+			}
+
 			console.log(chalk.green(`    ✓ App dependencies updated`));
 
 			// Step 7b: Replace workspace package imports in source files
@@ -354,11 +452,9 @@ MAILHOG_UI_PORT=8025
 # MAILHOG_SMTP_URL="smtp://localhost:1025"
 
 # --- Application URL ---
-# The canonical URL of your application.
-# NEXTAUTH_URL, CORS origins, and other URL-dependent settings are derived from this.
-# Development: http://localhost:3000
-# Production: https://yourdomain.com
-APP_URL=http://localhost:3000
+# In development, APP_URL is derived automatically from PORT — no need to set it.
+# In production, set this to your real domain:
+# APP_URL=https://yourdomain.com
 
 # --- NextAuth Configuration ---
 # ⚠️  CRITICAL: Generate a secure secret with: openssl rand -base64 32
@@ -375,7 +471,7 @@ NEXTAUTH_SECRET=CHANGE_ME_TO_STRONG_SECRET
 # GOOGLE_CLIENT_SECRET=your_google_client_secret
 
 # --- Web App Configuration ---
-WEB_PORT=3000
+PORT=3000
 
 # --- Worker Configuration ---
 WORKER_CONCURRENCY=5
@@ -386,7 +482,31 @@ WORKER_CONCURRENCY=5
 			);
 			console.log(chalk.green(`    ✓ .env.example`));
 
-			// Step 9: Generate .env with secure defaults
+			// Step 9: Find available ports and generate .env
+			console.log(chalk.cyan("\n  🔌 Checking port availability..."));
+			const postgresPort = await findAvailablePort(5432);
+			const redisPort = await findAvailablePort(6379);
+			const mailSmtpPort = await findAvailablePort(1025);
+			const mailUiPort = await findAvailablePort(8025);
+			const webPort = await findAvailablePort(3000);
+
+			const portChanges = [];
+			if (postgresPort !== 5432)
+				portChanges.push(`PostgreSQL: ${postgresPort}`);
+			if (redisPort !== 6379) portChanges.push(`Redis: ${redisPort}`);
+			if (mailSmtpPort !== 1025) portChanges.push(`Mail SMTP: ${mailSmtpPort}`);
+			if (mailUiPort !== 8025) portChanges.push(`Mail UI: ${mailUiPort}`);
+			if (webPort !== 3000) portChanges.push(`Web: ${webPort}`);
+
+			if (portChanges.length > 0) {
+				console.log(chalk.yellow(`    ⚡ Ports adjusted to avoid conflicts:`));
+				for (const change of portChanges) {
+					console.log(chalk.yellow(`      • ${change}`));
+				}
+			} else {
+				console.log(chalk.green(`    ✓ All default ports available`));
+			}
+
 			console.log(chalk.cyan("\n  🔑 Generating secure environment file..."));
 
 			// Generate secure random values
@@ -396,28 +516,27 @@ WORKER_CONCURRENCY=5
 			// Create .env with auto-generated secure values
 			const envContent = `# --- Database Configuration ---
 POSTGRES_HOST=localhost
-POSTGRES_PORT=5432
+POSTGRES_PORT=${postgresPort}
 POSTGRES_USER=quark_user
 POSTGRES_PASSWORD=${dbPassword}
 POSTGRES_DB=${scope}_dev
 
 # --- Redis Configuration ---
 REDIS_HOST=localhost
-REDIS_PORT=6379
+REDIS_PORT=${redisPort}
 
-# --- Mailhog Configuration ---
+# --- Mail Configuration ---
 MAILHOG_HOST=localhost
-MAILHOG_SMTP_PORT=1025
-MAILHOG_UI_PORT=8025
+MAILHOG_SMTP_PORT=${mailSmtpPort}
+MAILHOG_UI_PORT=${mailUiPort}
 
 # --- NextAuth Configuration ---
 NEXTAUTH_SECRET=${nextAuthSecret}
 
-# --- Application URL ---
-APP_URL=http://localhost:3000
-
 # --- Web App Configuration ---
-WEB_PORT=3000
+# APP_URL is derived from PORT automatically in development.
+# In production, set APP_URL explicitly in your environment.
+PORT=${webPort}
 
 # --- Worker Configuration ---
 WORKER_CONCURRENCY=5
@@ -432,7 +551,7 @@ WORKER_CONCURRENCY=5
 				quarkVersion: process.env.QUARK_VERSION || "latest",
 				quarkSourcePath: process.env.QUARK_SOURCE_PATH || "../../quark",
 				scaffoldedDate: new Date().toISOString(),
-				requiredPackages: ["db"],
+				requiredPackages: ["db", "config"],
 				packages: features,
 			};
 			await fs.writeFile(
@@ -457,16 +576,33 @@ WORKER_CONCURRENCY=5
 				});
 				console.log(chalk.green(`\n    ✓ Dependencies installed`));
 			} catch (installError) {
+				console.warn(
+					chalk.yellow(`\n    ⚠️  pnpm install failed: ${installError.message}`),
+				);
 				console.warn(
 					chalk.yellow(
-						`\n    ⚠️  pnpm install failed: ${installError.message}`,
+						`    Run 'pnpm install' manually after resolving the issue.`,
 					),
 				);
+			}
+
+			// Step 13: Generate Prisma client
+			console.log(chalk.cyan("\n  🗄️  Generating Prisma client..."));
+			try {
+				await execa("pnpm", ["--filter", "db", "db:generate"], {
+					cwd: targetDir,
+					stdio: "inherit",
+				});
+				console.log(chalk.green(`    ✓ Prisma client generated`));
+			} catch (generateError) {
 				console.warn(
 					chalk.yellow(
-						`    Run 'pnpm install' manually after resolving the issue.`,
+						`\n    ⚠️  Prisma generate failed: ${generateError.message}`,
 					),
 				);
+				console.warn(
+					chalk.yellow(`    Run 'pnpm --filter db db:generate' manually.`),
+				);
 			}
 
 			// Success message
@@ -480,7 +616,8 @@ WORKER_CONCURRENCY=5
 			console.log(chalk.cyan("Next steps:"));
 			console.log(chalk.white(`  1. cd ${projectName}`));
 			console.log(chalk.white(`  2. docker compose up -d`));
-			console.log(chalk.white(`  3. pnpm dev\n`));
+			console.log(chalk.white(`  3. pnpm --filter db db:push`));
+			console.log(chalk.white(`  4. pnpm dev\n`));
 
 			console.log(chalk.cyan("Important:"));
 			console.log(

package/templates/base-project/apps/web/src/app/api/auth/register/route.js

@@ -1,5 +1,10 @@
-import { hashPassword, validateBody } from "@techstream/quark-core";
+import {
+	createQueue,
+	hashPassword,
+	validateBody,
+} from "@techstream/quark-core";
 import { user, userRegisterSchema } from "@techstream/quark-db";
+import { JOB_NAMES, JOB_QUEUES } from "@techstream/quark-jobs";
 import { NextResponse } from "next/server";
 import { handleError } from "../../error-handler";
 
@@ -29,6 +34,17 @@ export async function POST(request) {
 			password: hashedPassword,
 		});
 
+		// Enqueue welcome email (fire-and-forget)
+		try {
+			const emailQueue = createQueue(JOB_QUEUES.EMAIL);
+			await emailQueue.add(JOB_NAMES.SEND_WELCOME_EMAIL, {
+				userId: newUser.id,
+			});
+		} catch (emailError) {
+			// Don't fail registration if email enqueue fails
+			console.error("Failed to enqueue welcome email:", emailError);
+		}
+
 		// Don't return the password
 		const { password: _, ...safeUser } = newUser;
 

package/templates/base-project/apps/web/src/app/api/error-handler.js

@@ -1,8 +1,10 @@
-import { AppError } from "@techstream/quark-core";
+import { AppError, createLogger } from "@techstream/quark-core";
 import { NextResponse } from "next/server";
 
+const logger = createLogger("api");
+
 export function handleError(error) {
-	console.error("API Error:", error);
+	logger.error("API Error", { error: error.message, stack: error.stack });
 
 	if (error instanceof AppError) {
 		return NextResponse.json(error.toJSON(), { status: error.statusCode });

package/templates/base-project/apps/web/src/app/api/health/route.js

@@ -4,10 +4,12 @@
  * Times out after 5 seconds to prevent hanging.
  */
 
-import { pingRedis } from "@techstream/quark-core";
+import { createLogger, pingRedis } from "@techstream/quark-core";
 import { prisma } from "@techstream/quark-db";
 import { NextResponse } from "next/server";
 
+const logger = createLogger("health");
+
 /** Overall timeout for the health check (ms). */
 const HEALTH_CHECK_TIMEOUT = 5000;
 
@@ -27,12 +29,15 @@ export async function GET() {
 			status: result.status === "ok" ? 200 : 503,
 		});
 	} catch (error) {
-		console.error("Health check failed:", error);
+		logger.error("Health check failed", {
+			error: error.message,
+			stack: error.stack,
+		});
 		return NextResponse.json(
 			{
 				status: "error",
 				timestamp: new Date().toISOString(),
-				message: error.message,
+				message: "Service health check failed",
 			},
 			{ status: 500 },
 		);

package/templates/base-project/apps/web/src/app/api/posts/[id]/route.js

@@ -1,4 +1,8 @@
-import { UnauthorizedError, validateBody } from "@techstream/quark-core";
+import {
+	UnauthorizedError,
+	validateBody,
+	withCsrfProtection,
+} from "@techstream/quark-core";
 import { post, postUpdateSchema } from "@techstream/quark-db";
 import { NextResponse } from "next/server";
 import { requireAuth } from "@/lib/auth-middleware";
@@ -17,7 +21,7 @@ export async function GET(_request, { params }) {
 	}
 }
 
-export async function PATCH(request, { params }) {
+export const PATCH = withCsrfProtection(async (request, { params }) => {
 	try {
 		const session = await requireAuth();
 		const { id } = await params;
@@ -37,9 +41,9 @@ export async function PATCH(request, { params }) {
 	} catch (error) {
 		return handleError(error);
 	}
-}
+});
 
-export async function DELETE(_request, { params }) {
+export const DELETE = withCsrfProtection(async (_request, { params }) => {
 	try {
 		const session = await requireAuth();
 		const { id } = await params;
@@ -58,4 +62,4 @@ export async function DELETE(_request, { params }) {
 	} catch (error) {
 		return handleError(error);
 	}
-}
+});

package/templates/base-project/apps/web/src/app/api/posts/route.js

@@ -1,14 +1,22 @@
-import { validateBody } from "@techstream/quark-core";
+import { validateBody, withCsrfProtection } from "@techstream/quark-core";
 import { post, postCreateSchema } from "@techstream/quark-db";
 import { NextResponse } from "next/server";
+import { z } from "zod";
 import { requireAuth } from "@/lib/auth-middleware";
 import { handleError } from "../error-handler";
 
+const paginationSchema = z.object({
+	page: z.coerce.number().int().min(1).default(1),
+	limit: z.coerce.number().int().min(1).max(100).default(10),
+});
+
 export async function GET(request) {
 	try {
 		const { searchParams } = new URL(request.url);
-		const page = parseInt(searchParams.get("page") || "1", 10);
-		const limit = parseInt(searchParams.get("limit") || "10", 10);
+		const { page, limit } = paginationSchema.parse({
+			page: searchParams.get("page") ?? undefined,
+			limit: searchParams.get("limit") ?? undefined,
+		});
 		const skip = (page - 1) * limit;
 
 		const posts = await post.findAll({ skip, take: limit });
@@ -18,7 +26,7 @@ export async function GET(request) {
 	}
 }
 
-export async function POST(request) {
+export const POST = withCsrfProtection(async (request) => {
 	try {
 		const session = await requireAuth();
 		const data = await validateBody(request, postCreateSchema);
@@ -31,4 +39,4 @@ export async function POST(request) {
 	} catch (error) {
 		return handleError(error);
 	}
-}
+});

package/templates/base-project/apps/web/src/app/api/users/[id]/route.js

@@ -1,12 +1,12 @@
-import { validateBody } from "@techstream/quark-core";
+import { validateBody, withCsrfProtection } from "@techstream/quark-core";
 import { user, userUpdateSchema } from "@techstream/quark-db";
 import { NextResponse } from "next/server";
-import { requireAuth } from "@/lib/auth-middleware";
+import { requireRole } from "@/lib/auth-middleware";
 import { handleError } from "../../error-handler";
 
 export async function GET(_request, { params }) {
 	try {
-		await requireAuth();
+		await requireRole("admin");
 		const { id } = await params;
 		const foundUser = await user.findById(id);
 		if (!foundUser) {
@@ -18,9 +18,9 @@ export async function GET(_request, { params }) {
 	}
 }
 
-export async function PATCH(request, { params }) {
+export const PATCH = withCsrfProtection(async (request, { params }) => {
 	try {
-		await requireAuth();
+		await requireRole("admin");
 		const { id } = await params;
 
 		const existingUser = await user.findById(id);
@@ -34,11 +34,11 @@ export async function PATCH(request, { params }) {
 	} catch (error) {
 		return handleError(error);
 	}
-}
+});
 
-export async function DELETE(_request, { params }) {
+export const DELETE = withCsrfProtection(async (_request, { params }) => {
 	try {
-		await requireAuth();
+		await requireRole("admin");
 		const { id } = await params;
 
 		const existingUser = await user.findById(id);
@@ -51,4 +51,4 @@ export async function DELETE(_request, { params }) {
 	} catch (error) {
 		return handleError(error);
 	}
-}
+});