@zintrust/core 0.1.1 → 0.1.2

package/src/security/XssProtection.js

@@ -37,14 +37,58 @@ const sanitizeHtml = (html) => {
     sanitized = sanitized.replaceAll(/<(?:iframe|object|embed|base)\b[\s\S]*?>/gi, '');
     sanitized = sanitized.replaceAll(/<\/(?:iframe|object|embed|base)>/gi, '');
     // Remove event handlers (on*)
-    sanitized = sanitized.replaceAll(/\bon\w+\s*=\s*(?:'[^']*'|"[^"]*"|[^\s>]*)/gi, '');
-    // Remove javascript: and data: URIs in attributes
-    sanitized = sanitized.replaceAll(/\b(?:href|src|action|formaction|xlink:href)\s*=\s*['"]\s*(?:javascript|data):[\s\S]*?['"]/gi, // NOSONAR: S1523 - We are removing javascript: and data: protocols to prevent XSS
-    '');
-    sanitized = sanitized.replaceAll(/\b(?:href|src|action|formaction|xlink:href)\s*=\s*(?:javascript|data):[^\s>]*?(\s|>|$)/gi, // NOSONAR: S1523 - We are removing javascript: and data: protocols to prevent XSS
-    '');
+    sanitized = sanitized.replaceAll(/\bon\w+\s*=\s*(?:'[^']*'|"[^"]*"|`[^`]*`|[^\s>]*)/gi, '');
+    // Remove dangerous protocols in URL-bearing attributes.
+    // This uses the same protocol normalization logic as encodeHref to prevent obfuscations like:
+    //   href="jav&#x61;script:..." or href="java\nscript:..." or href="%6a%61..."
+    sanitized = sanitized.replaceAll(/(\s)(href|src|action|formaction|xlink:href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi, (match, _leadingWhitespace, _attributeName, doubleQuotedValue, singleQuotedValue, unquotedValue) => {
+        const rawValue = doubleQuotedValue ?? singleQuotedValue ?? unquotedValue ?? '';
+        const protocolCheck = normalizeHrefForProtocolCheck(rawValue);
+        // Allow relative URLs and fragments.
+        if (protocolCheck.startsWith('/') ||
+            protocolCheck.startsWith('#') ||
+            protocolCheck.startsWith('./') ||
+            protocolCheck.startsWith('../') ||
+            protocolCheck.startsWith('//')) {
+            return match;
+        }
+        // Allow-list a narrow set of data:image/* URLs for common raster formats.
+        if (protocolCheck.startsWith('data:')) {
+            const allowedDataImagePrefixes = [
+                'data:image/png',
+                'data:image/jpeg',
+                'data:image/jpg',
+                'data:image/gif',
+                'data:image/webp',
+                'data:image/avif',
+            ];
+            if (allowedDataImagePrefixes.some((p) => protocolCheck.startsWith(p))) {
+                return match;
+            }
+            return '';
+        }
+        const blockedProtocols = ['javascript:', 'vbscript:']; // NOSONAR: S1523 - Explicit protocol blocking to prevent XSS
+        if (blockedProtocols.some((p) => protocolCheck.startsWith(p))) {
+            return '';
+        }
+        // If a scheme is present, allowlist it.
+        const schemeMatch = new RegExp(/^([a-z][a-z0-9+.-]*):/i).exec(protocolCheck);
+        if (schemeMatch) {
+            const scheme = schemeMatch[1].toLowerCase();
+            const allowedSchemes = new Set(['http', 'https', 'mailto', 'tel']);
+            if (!allowedSchemes.has(scheme)) {
+                return '';
+            }
+        }
+        // Otherwise, keep the attribute (e.g. relative-like values without a scheme).
+        return match;
+    });
     // Remove style tags and style attributes with potentially dangerous content
-    sanitized = sanitized.replaceAll(/<style\b[\s\S]*?<\/style>/gi, '');
+    let prevSanitized;
+    do {
+        prevSanitized = sanitized;
+        sanitized = sanitized.replaceAll(/<style\b[\s\S]*?<\/style>/gi, '');
+    } while (sanitized !== prevSanitized);
     sanitized = sanitized.replaceAll(/\bstyle\s*=\s*(?:'[^']*'|"[^"]*"|[^\s>]*)/gi, '');
     // Remove form elements
     sanitized = sanitized.replaceAll(/<form\b[\s\S]*?<\/form>/gi, '');
@@ -70,23 +114,109 @@ const encodeUri = (uri) => {
 /**
  * Encode URI for use in href attribute
  */
+function decodeHtmlEntitiesForProtocolCheck(input) {
+    // Decode numeric HTML entities so obfuscations like "jav&#x61;script:" are caught.
+    // This is intentionally minimal and only used for protocol detection (not output rendering).
+    const decodeCodePoint = (codePoint) => {
+        if (!Number.isFinite(codePoint) || codePoint < 0 || codePoint > 0x10ffff) {
+            return '';
+        }
+        try {
+            return String.fromCodePoint(codePoint);
+        }
+        catch {
+            return '';
+        }
+    };
+    // Decode a small set of named entities commonly used for obfuscation.
+    const namedDecoded = input.replaceAll(/&([a-z]+);?/gi, (m, name) => {
+        const key = String(name).toLowerCase();
+        if (key === 'colon')
+            return ':';
+        if (key === 'tab')
+            return '\t';
+        if (key === 'newline')
+            return '\n';
+        if (key === 'nbsp')
+            return ' ';
+        return m;
+    });
+    return namedDecoded
+        .replaceAll(/&#(\d+);?/g, (_m, dec) => {
+        const decStr = typeof dec === 'string' ? dec : String(dec);
+        return decodeCodePoint(Number.parseInt(decStr, 10)) || _m;
+    })
+        .replaceAll(/&#x([0-9a-f]+);?/gi, (_m, hex) => {
+        const hexStr = typeof hex === 'string' ? hex : String(hex);
+        return decodeCodePoint(Number.parseInt(hexStr, 16)) || _m;
+    });
+}
+function tryDecodePercentEncoding(input, rounds = 2) {
+    let out = input;
+    for (let i = 0; i < rounds; i += 1) {
+        try {
+            const decoded = decodeURIComponent(out);
+            if (decoded === out) {
+                break;
+            }
+            out = decoded;
+        }
+        catch {
+            break;
+        }
+    }
+    return out;
+}
+function normalizeHrefForProtocolCheck(href) {
+    // Decode common obfuscations before protocol checks.
+    const entityDecoded = decodeHtmlEntitiesForProtocolCheck(href);
+    const percentDecoded = tryDecodePercentEncoding(entityDecoded, 2);
+    // Remove control characters and whitespace to prevent "java\nscript:" bypasses.
+    // eslint-disable-next-line no-control-regex
+    return percentDecoded.replaceAll(/[\x00-\x20\x7f\u00a0]/g, '').toLowerCase();
+}
 const encodeHref = (href) => {
     if (typeof href !== 'string') {
         return '';
     }
-    // Prevent javascript: protocol (including obfuscated versions)
-    // We remove control characters and whitespace for the check
-    // eslint-disable-next-line no-control-regex
-    const protocolCheck = href.replaceAll(/[\x00-\x20]/g, '').toLowerCase();
-    const jsProtocol = 'javascript:'; // NOSONAR: S1523 - We are explicitly blocking javascript: protocol to prevent XSS
-    if (protocolCheck.startsWith(jsProtocol)) {
+    const protocolCheck = normalizeHrefForProtocolCheck(href);
+    // Allow relative URLs and fragments.
+    if (protocolCheck.startsWith('/') ||
+        protocolCheck.startsWith('#') ||
+        protocolCheck.startsWith('./') ||
+        protocolCheck.startsWith('../') ||
+        protocolCheck.startsWith('//')) {
+        return escapeHtml(href);
+    }
+    // Explicitly block common dangerous protocols (including obfuscated versions).
+    // Allow-list a narrow set of data:image/* URLs for common raster formats.
+    if (protocolCheck.startsWith('data:')) {
+        const allowedDataImagePrefixes = [
+            'data:image/png',
+            'data:image/jpeg',
+            'data:image/jpg',
+            'data:image/gif',
+            'data:image/webp',
+            'data:image/avif',
+        ];
+        if (allowedDataImagePrefixes.some((p) => protocolCheck.startsWith(p))) {
+            return escapeHtml(href);
+        }
         return '';
     }
-    // Prevent data: protocol (unless explicitly allowed)
-    if (protocolCheck.startsWith('data:text/html')) {
-        // NOSONAR: S1523 - We are explicitly blocking data: protocol to prevent XSS
+    const blockedProtocols = ['javascript:', 'vbscript:']; // NOSONAR: S1523 - Explicit protocol blocking to prevent XSS
+    if (blockedProtocols.some((p) => protocolCheck.startsWith(p))) {
         return '';
     }
+    // If a scheme is present, allowlist it.
+    const schemeMatch = new RegExp(/^([a-z][a-z0-9+.-]*):/i).exec(protocolCheck);
+    if (schemeMatch) {
+        const scheme = schemeMatch[1].toLowerCase();
+        const allowedSchemes = new Set(['http', 'https', 'mailto', 'tel']);
+        if (!allowedSchemes.has(scheme)) {
+            return '';
+        }
+    }
     return escapeHtml(href);
 };
 /**
@@ -105,6 +235,10 @@ const isSafeUrl = (url) => {
     if (trimmed.startsWith('http://') || trimmed.startsWith('https://')) {
         return true;
     }
+    // Allow common safe schemes
+    if (trimmed.startsWith('mailto:') || trimmed.startsWith('tel:')) {
+        return true;
+    }
     // Block dangerous protocols
     if (/^\w+:/.test(trimmed)) {
         return false;

package/src/templates/adapters/MySQLAdapter.ts.tpl

@@ -8,6 +8,7 @@ import { FeatureFlags } from '@config/features';
 import { Logger } from '@config/logger';
 import { ErrorFactory } from '@exceptions/ZintrustError';
 import { DatabaseConfig, IDatabaseAdapter, QueryResult } from '@orm/DatabaseAdapter';
+import { QueryBuilder } from '@orm/QueryBuilder';
 
 /**
  * MySQL adapter implementation
@@ -47,6 +48,10 @@ export const MySQLAdapter = Object.freeze({
         return result.rows[0] ?? null;
       },
 
+      async ping(): Promise<void> {
+        await this.query(QueryBuilder.create('').select('1').toSQL(), []);
+      },
+
       async transaction<T>(callback: (adapter: IDatabaseAdapter) => Promise<T>): Promise<T> {
         if (!connected) throw ErrorFactory.createConnectionError('Database not connected');
         try {

package/src/templates/adapters/PostgreSQLAdapter.ts.tpl

@@ -8,6 +8,7 @@ import { FeatureFlags } from '@config/features';
 import { Logger } from '@config/logger';
 import { ErrorFactory } from '@exceptions/ZintrustError';
 import { DatabaseConfig, IDatabaseAdapter, QueryResult } from '@orm/DatabaseAdapter';
+import { QueryBuilder } from '@orm/QueryBuilder';
 
 /**
  * PostgreSQL adapter implementation
@@ -47,6 +48,10 @@ export const PostgreSQLAdapter = Object.freeze({
         return result.rows[0] ?? null;
       },
 
+      async ping(): Promise<void> {
+        await this.query(QueryBuilder.create('').select('1').toSQL(), []);
+      },
+
       async transaction<T>(callback: (adapter: IDatabaseAdapter) => Promise<T>): Promise<T> {
         if (!connected) throw ErrorFactory.createConnectionError('Database not connected');
         try {

package/src/templates/adapters/SQLServerAdapter.ts.tpl

@@ -8,6 +8,7 @@ import { FeatureFlags } from '@config/features';
 import { Logger } from '@config/logger';
 import { ErrorFactory } from '@exceptions/ZintrustError';
 import { DatabaseConfig, IDatabaseAdapter, QueryResult } from '@orm/DatabaseAdapter';
+import { QueryBuilder } from '@orm/QueryBuilder';
 
 /**
  * SQL Server adapter implementation
@@ -47,6 +48,10 @@ export const SQLServerAdapter = Object.freeze({
         return result.rows[0] ?? null;
       },
 
+      async ping(): Promise<void> {
+        await this.query(QueryBuilder.create('').select('1').toSQL(), []);
+      },
+
       async transaction<T>(callback: (adapter: IDatabaseAdapter) => Promise<T>): Promise<T> {
         try {
           return await callback(this);

package/src/templates/adapters/SQLiteAdapter.ts.tpl

@@ -10,6 +10,7 @@ import { Logger } from '@config/logger';
 import { ErrorFactory } from '@exceptions/ZintrustError';
 import { performance } from '@node-singletons/perf-hooks';
 import { DatabaseConfig, IDatabaseAdapter, QueryResult } from '@orm/DatabaseAdapter';
+import { QueryBuilder } from '@orm/QueryBuilder';
 import Database from 'better-sqlite3';
 
 function normalizeFilename(database: string | null | undefined): string {
@@ -157,6 +158,10 @@ function createSQLiteAdapter(config: DatabaseConfig): IDatabaseAdapter {
       return result.rows[0] ?? null;
     },
 
+    async ping(): Promise<void> {
+      await adapter.query(QueryBuilder.create('').select('1').toSQL(), []);
+    },
+
     async transaction<T>(
       callback: (adapter: IDatabaseAdapter, db: Database.Database) => Promise<T>
     ): Promise<T> {

package/src/templates/features/Queue.ts.tpl

@@ -1,7 +1,7 @@
 // TEMPLATE_START
 
+import { generateSecureJobId } from '@common/uuid';
 import { Logger } from '@config/logger';
-import { ErrorFactory } from '@exceptions/ZintrustError';
 
 export interface QueueJob {
   id: string;
@@ -44,32 +44,4 @@ export const Queue = Object.freeze({
   },
 });
 
-async function generateSecureJobId(): Promise<string> {
-  if (typeof globalThis.crypto?.randomUUID === 'function') {
-    return globalThis.crypto.randomUUID();
-  }
-
-  if (typeof globalThis.crypto?.getRandomValues === 'function') {
-    const bytes = new Uint8Array(16);
-    globalThis.crypto.getRandomValues(bytes);
-    return bytesToHex(bytes);
-  }
-
-  // Node fallback for environments without Web Crypto
-  try {
-    const nodeCrypto = await import('node:crypto');
-    return nodeCrypto.randomBytes(16).toString('hex');
-  } catch (error) {
-    throw ErrorFactory.createTryCatchError(
-      'Secure crypto API not available to generate a job id.',
-      error
-    );
-  }
-}
-
-function bytesToHex(bytes: Uint8Array): string {
-  let out = '';
-  for (const b of bytes) out += b.toString(16).padStart(2, '0');
-  return out;
-}
 // TEMPLATE_END

package/src/templates/project/basic/.env.example.tpl

@@ -9,6 +9,25 @@ DB_DATABASE=./database.sqlite
 
 LOG_LEVEL=debug
 LOG_CHANNEL=file
+LOG_FORMAT=text
+
+# Cloud logging backends (optional)
+# KV logger (Cloudflare Workers KV)
+KV_LOG_ENABLED=false
+KV_NAMESPACE=CACHE
+KV_LOG_RETENTION_DAYS=30
+
+# Slack logger (Slack incoming webhook)
+SLACK_LOG_ENABLED=false
+SLACK_LOG_WEBHOOK_URL=
+SLACK_LOG_LEVELS=warn,error,fatal
+SLACK_LOG_BATCH_WINDOW_MS=5000
+
+# HTTP endpoint logger
+HTTP_LOG_ENABLED=false
+HTTP_LOG_ENDPOINT_URL=
+HTTP_LOG_BATCH_SIZE=50
+HTTP_LOG_AUTH_TOKEN=
 
 JWT_SECRET=
 JWT_EXPIRES_IN=1h
@@ -24,3 +43,32 @@ MAIL_USERNAME=
 MAIL_PASSWORD=
 MAIL_FROM_ADDRESS=
 MAIL_FROM_NAME=
+
+# Storage
+STORAGE_DRIVER=local
+STORAGE_PATH=storage
+STORAGE_URL=/storage
+STORAGE_VISIBILITY=private
+
+# AWS S3
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_REGION=us-east-1
+AWS_S3_BUCKET=
+AWS_S3_URL=
+AWS_S3_ENDPOINT=
+AWS_S3_USE_PATH_STYLE_URL=false
+
+# Cloudflare R2
+R2_ACCESS_KEY_ID=
+R2_SECRET_ACCESS_KEY=
+R2_REGION=
+R2_BUCKET=
+R2_ENDPOINT=
+R2_URL=
+
+# Google Cloud Storage (requires optional dependency @google-cloud/storage)
+GCS_PROJECT_ID=
+GCS_KEY_FILE=
+GCS_BUCKET=
+GCS_URL=

package/src/templates/project/basic/.env.tpl

@@ -1,7 +1,5 @@
-# ============================================================================
 # Zintrust Framework - Environment Configuration
-# Generated from src/config/env.ts - All available configuration keys
-# ============================================================================
+# Copy this file to .env and configure for your environment
 
 # ============================================================================
 # APPLICATION
@@ -11,21 +9,8 @@
 NODE_ENV=development
 
 # Server Configuration
-HOST=127.0.0.1
-APP_PORT=7777
-APP_NAME={{projectName}}
-APP_KEY=
-
-
-# ============================================================================
-# LOGGING
-# ============================================================================
-
-# Log Level: debug | info | warn | error
-LOG_LEVEL=debug
-DISABLE_LOGGING=true
-LOG_CHANNEL=file
-
+HOST=
+PORT=
 
 # ============================================================================
 # DATABASE
@@ -33,132 +18,142 @@ LOG_CHANNEL=file
 
 # Database Connection Driver
 # Options: sqlite | postgresql | mysql | sqlserver | d1
-DB_CONNECTION=sqlite
+DB_CONNECTION=
+
+# SQLite (default for development)
+DB_PATH=
+
+# PostgreSQL
+# DB_HOST=localhost
+# DB_PORT=5432
+# DB_DATABASE=zintrust
+# DB_USERNAME=postgres
+# DB_PASSWORD=postgres
 
-# SQLite Configuration
-DB_PATH=./storage/db.sqlite
+# MySQL
+# DB_HOST=localhost
+# DB_PORT=3306
+# DB_DATABASE=zintrust
+# DB_USERNAME=root
+# DB_PASSWORD=password
 
-# PostgreSQL Configuration
-DB_HOST=localhost
-DB_PORT=5432
-DB_DATABASE=zintrust
-DB_USERNAME=postgres
-DB_PASSWORD=
-DB_READ_HOSTS=
+# SQL Server
+# DB_HOST=localhost
+# DB_PORT=1433
+# DB_DATABASE=zintrust
+# DB_USERNAME=sa
+# DB_PASSWORD=Password123
 
 # ============================================================================
-# CLOUDFLARE
+# ADVANCED DATABASE FEATURES
 # ============================================================================
 
-D1_DATABASE_ID=
-KV_NAMESPACE_ID=
+# Raw SQL Query Support
+# WARNING: Only enable in development. Bypasses QueryBuilder safety.
+# This is checked once at application bootstrap, cached in memory.
+# Feature flag is initialized at startup - no runtime changes possible.
+USE_RAW_QRY=
 
 # ============================================================================
 # CACHE
 # ============================================================================
 
-# Cache Driver: memory | redis | memcached
-CACHE_DRIVER=memory
+# Cache Driver: memory | redis | mongodb | kv
+# - kv: Cloudflare Workers only (requires a KV binding named "CACHE")
+CACHE_DRIVER=
 
-# Redis Configuration
-REDIS_HOST=localhost
-REDIS_PORT=6379
-REDIS_PASSWORD=
+# Redis Configuration (if using Redis)
+# REDIS_HOST=localhost
+# REDIS_PORT=6379
 
-# MongoDB Cache Configuration
-MONGO_URI=
-MONGO_DB=zintrust_cache
+# MongoDB Cache (if using mongodb)
+# Uses MongoDB Atlas Data API (HTTPS)
+# MONGO_URI=https://data.mongodb-api.com/app/<app-id>/endpoint/data/v1
+# MONGO_DB=zintrust_cache
 
 # ============================================================================
-# AWS
+# LOGGING
 # ============================================================================
 
-AWS_REGION=us-east-1
-AWS_LAMBDA_FUNCTION_NAME=
-AWS_LAMBDA_FUNCTION_VERSION=
-AWS_EXECUTION_ENV=
-LAMBDA_TASK_ROOT=
-
-# ============================================================================
-# MICROSERVICES
-# ============================================================================
+# Log Level: debug | info | warn | error
+LOG_LEVEL=
 
-MICROSERVICES=
-SERVICES=
-MICROSERVICES_TRACING=false
-MICROSERVICES_TRACING_RATE=1.0
-DATABASE_ISOLATION=shared
-SERVICE_API_KEY=
-SERVICE_JWT_SECRET=
+# Log Channel: console | file | all
+LOG_CHANNEL=
 
 # ============================================================================
 # SECURITY
 # ============================================================================
 
-DEBUG=false
-ENABLE_MICROSERVICES=false
-TOKEN_TTL=3600000
-TOKEN_LENGTH=32
-
 # JWT Secret for authentication
 JWT_SECRET=
 
 # Session Configuration
-SESSION_DRIVER=cookie
-SESSION_LIFETIME=7200
+SESSION_DRIVER=
+SESSION_LIFETIME=
 
 # CORS Configuration
-CORS_ORIGINS=http://localhost:3000,http://localhost:5173
+CORS_ORIGINS=
 
 # ============================================================================
-# DEPLOYMENT
+# MICROSERVICES
 # ============================================================================
 
-ENVIRONMENT=development
-REQUEST_TIMEOUT=30000
-MAX_BODY_SIZE=10485760
+# Enable Microservices
+MICROSERVICES=
 
+# Comma-separated list of services to load
+SERVICES=
+
+# Service Discovery
+SERVICE_DISCOVERY=
+
+# Request Tracing
+MICROSERVICES_TRACING=
+MICROSERVICES_TRACING_RATE=
 
 # ============================================================================
-# EXTERNAL SERVICES & CREDENTIALS
+# SONARQUBE / SONARCLOUD
 # ============================================================================
 
-SONAR_ORGANIZATION="zintrust"
-SONAR_PROJECT_ID="ZinTrust_ZinTrust"
-SONAR_HOST_URL="https://sonarcloud.io"
-SONAR_TOKEN=
+# SonarQube Server
+SONAR_HOST_URL=
 
-# Cloudflare Workspace-Specific Credentials
-CLOUDFLARE_API_TOKEN=
-CLOUDFLARE_ACCOUNT_ID=""
+# SonarCloud
+# SONAR_HOST_URL=https://sonarcloud.io
+# SONAR_TOKEN=your_token
+# SONAR_ORGANIZATION=your-organization
 
-CODECOV_TOKEN=
+# ============================================================================
+# EXTERNAL SERVICES
+# ============================================================================
 
-# Security Scanning
-SNYK_TOKEN=
+# Snyk Security Token
+# SNYK_TOKEN=your_token
 
-# Email (SendGrid)
-SENDGRID_API_KEY=
+# SendGrid (Email)
+# SENDGRID_API_KEY=your_api_key
 
-# Payments (Stripe)
-STRIPE_SECRET_KEY=
-STRIPE_PUBLIC_KEY=
+# Stripe (Payments)
+# STRIPE_SECRET_KEY=your_secret_key
+# STRIPE_PUBLIC_KEY=your_public_key
 
-# Cloud Storage (AWS S3)
-AWS_ACCESS_KEY_ID=
-AWS_SECRET_ACCESS_KEY=
-AWS_BUCKET=
+# AWS S3 (File Storage)
+# AWS_ACCESS_KEY_ID=your_access_key
+# AWS_SECRET_ACCESS_KEY=your_secret_key
+# AWS_REGION=us-east-1
+# AWS_BUCKET=your_bucket_name
 
 # ============================================================================
 # DEVELOPMENT
 # ============================================================================
 
+# Debug Mode
+DEBUG=
+
 # Database Synchronization (auto-migrate on startup)
-DB_SYNCHRONIZE=true
+DB_SYNCHRONIZE=
 
 # Database Logging
-DB_LOGGING=false
+DB_LOGGING=
 
-# Raw SQL Query Support (development only)
-# WARNING: Only enable in development. Bypasses QueryBuilder safety.
-USE_RAW_QRY=false

package/src/templates/project/basic/app/Toolkit/Broadcast/sendBroadcast.ts.tpl

@@ -0,0 +1,7 @@
+import { Broadcast } from '@broadcast/Broadcast';
+
+export async function sendBroadcast(channel: string, event: string, data: unknown): Promise<void> {
+  await Broadcast.send(channel, event, data);
+}
+
+export default Object.freeze({ sendBroadcast });

package/src/templates/project/basic/app/Toolkit/Mail/sendWelcomeEmail.ts.tpl

@@ -0,0 +1,30 @@
+import { Mail } from '@mail/Mail';
+
+export async function sendWelcomeEmail(
+  to: string,
+  name: string,
+  attachmentDisk?: string,
+  attachmentPath?: string
+): Promise<void> {
+  const subject = `Welcome, ${name}`;
+  const text = `Hello ${name}, welcome.`;
+
+  const attachments =
+    attachmentDisk !== null &&
+    attachmentDisk !== undefined &&
+    attachmentDisk.trim() !== '' &&
+    attachmentPath !== null &&
+    attachmentPath !== undefined &&
+    attachmentPath.trim() !== ''
+      ? [{ disk: attachmentDisk, path: attachmentPath }]
+      : undefined;
+
+  await Mail.send({
+    to,
+    subject,
+    text,
+    attachments,
+  });
+}
+
+export default Object.freeze({ sendWelcomeEmail });

package/src/templates/project/basic/app/Toolkit/Notification/sendSlackNotification.ts.tpl

@@ -0,0 +1,10 @@
+import { sendSlackWebhook } from '@notification/drivers/Slack';
+
+export async function sendSlackNotification(
+  webhookUrl: string,
+  message: { text: string }
+): Promise<void> {
+  await sendSlackWebhook({ webhookUrl }, message);
+}
+
+export default Object.freeze({ sendSlackNotification });