chadstart 1.0.4 → 1.0.6

package/core/db.js

@@ -235,6 +235,10 @@ function buildColumnDefs(entity, allEntities) {
   if (entity.authenticable) {
     cols.push({ name: 'email',    def: `${q('email')} ${authStrType()} NOT NULL UNIQUE` });
     cols.push({ name: 'password', def: `${q('password')} ${authStrType()} NOT NULL` });
+    cols.push({ name: 'emailVerified',          def: `${q('emailVerified')} INTEGER DEFAULT 0` });
+    cols.push({ name: 'emailVerificationToken', def: `${q('emailVerificationToken')} TEXT` });
+    cols.push({ name: 'passwordResetToken',     def: `${q('passwordResetToken')} TEXT` });
+    cols.push({ name: 'passwordResetExpiry',    def: `${q('passwordResetExpiry')} TEXT` });
   }
 
   for (const p of entity.properties) {

package/core/email.js

@@ -0,0 +1,170 @@
+'use strict';
+
+/**
+ * Email sending service for ChadStart.
+ *
+ * SMTP connection details can be configured in the YAML `email` section
+ * or via environment variables (env vars always take precedence):
+ *
+ *   SMTP_HOST      SMTP server hostname
+ *   SMTP_PORT      SMTP server port (default: 587)
+ *   SMTP_USER      SMTP username / login
+ *   SMTP_PASS      SMTP password (secret — env var only)
+ *   SMTP_FROM      Default "From" address (e.g. "App <noreply@example.com>")
+ *
+ * Templates support simple {{variable}} interpolation.
+ */
+
+const nodemailer = require('nodemailer');
+const logger = require('../utils/logger');
+
+/** @type {import('nodemailer').Transporter | null} */
+let _transporter = null;
+
+/** @type {{ host: string, port: number, from: string, secure: boolean } | null} */
+let _emailConfig = null;
+
+/**
+ * Derive email/SMTP configuration from YAML + environment variables.
+ * Returns null when no SMTP host is configured (email sending is disabled).
+ *
+ * @param {object|null} emailYaml  Value of `core.email` (may be null).
+ * @returns {{ host: string, port: number, user: string, pass: string, from: string, secure: boolean } | null}
+ */
+function getEmailConfig(emailYaml) {
+  const cfg = emailYaml || {};
+
+  const host = process.env.SMTP_HOST || cfg.host || '';
+  if (!host) return null;
+
+  const port = parseInt(process.env.SMTP_PORT || cfg.port || '587', 10);
+  const user = process.env.SMTP_USER || cfg.username || '';
+  const pass = process.env.SMTP_PASS || '';
+  const from = process.env.SMTP_FROM || cfg.from || '';
+  const secure = cfg.secure !== undefined
+    ? cfg.secure
+    : port === 465;
+
+  return { host, port, user, pass, from, secure };
+}
+
+/**
+ * Initialize the email transporter.
+ * Safe to call multiple times (recreates on each call for hot-reload support).
+ *
+ * @param {object|null} emailYaml  Value of `core.email` (may be null).
+ * @returns {{ host: string, port: number, from: string, secure: boolean } | null}  The resolved config, or null if disabled.
+ */
+function initEmail(emailYaml) {
+  _transporter = null;
+  _emailConfig = null;
+
+  const cfg = getEmailConfig(emailYaml);
+  if (!cfg) {
+    logger.info('  Email/SMTP not configured — email sending disabled.');
+    return null;
+  }
+
+  const transportOpts = {
+    host: cfg.host,
+    port: cfg.port,
+    secure: cfg.secure,
+  };
+
+  if (cfg.user) {
+    transportOpts.auth = { user: cfg.user, pass: cfg.pass };
+  }
+
+  _transporter = nodemailer.createTransport(transportOpts);
+  _emailConfig = { host: cfg.host, port: cfg.port, from: cfg.from, secure: cfg.secure };
+
+  logger.info(`  Email/SMTP configured (host: ${cfg.host}:${cfg.port})`);
+  return _emailConfig;
+}
+
+/**
+ * Replace `{{variable}}` placeholders in a template string.
+ *
+ * @param {string} template  Template with `{{key}}` placeholders.
+ * @param {Record<string, string>} vars  Key→value map.
+ * @returns {string}
+ */
+function interpolate(template, vars) {
+  if (!template) return '';
+  return template.replace(/\{\{(\w+)\}\}/g, (_match, key) => {
+    return Object.prototype.hasOwnProperty.call(vars, key) ? String(vars[key]) : '';
+  });
+}
+
+/**
+ * Send an email using the configured SMTP transporter.
+ *
+ * @param {object} options
+ * @param {string} options.to           Recipient email address.
+ * @param {string} options.subject      Email subject (supports {{var}} interpolation).
+ * @param {string} [options.text]       Plain-text body (supports {{var}} interpolation).
+ * @param {string} [options.html]       HTML body (supports {{var}} interpolation).
+ * @param {string} [options.from]       Override the default "From" address.
+ * @param {Record<string, string>} [options.vars]  Variables for template interpolation.
+ * @returns {Promise<object>}           Nodemailer send result.
+ * @throws {Error}                      When SMTP is not configured or sending fails.
+ */
+async function sendEmail({ to, subject, text, html, from, vars }) {
+  if (!_transporter || !_emailConfig) {
+    throw new Error('Email is not configured. Set SMTP_HOST or configure the email section in your YAML config.');
+  }
+
+  const templateVars = vars || {};
+  const mailOptions = {
+    from: from || _emailConfig.from,
+    to,
+    subject: interpolate(subject, templateVars),
+  };
+
+  if (text) mailOptions.text = interpolate(text, templateVars);
+  if (html) mailOptions.html = interpolate(html, templateVars);
+
+  return _transporter.sendMail(mailOptions);
+}
+
+/**
+ * Verify the SMTP connection by attempting a handshake with the server.
+ *
+ * @returns {Promise<{ success: boolean, message: string }>}
+ */
+async function verifyConnection() {
+  if (!_transporter || !_emailConfig) {
+    return { success: false, message: 'Email is not configured. Set SMTP_HOST or configure the email section in your YAML config.' };
+  }
+  try {
+    await _transporter.verify();
+    return { success: true, message: `SMTP connection to ${_emailConfig.host}:${_emailConfig.port} verified.` };
+  } catch (err) {
+    return { success: false, message: `SMTP verification failed: ${err.message}` };
+  }
+}
+
+/**
+ * Returns the current email configuration metadata (without secrets).
+ *
+ * @returns {{ configured: boolean, host?: string, port?: number, from?: string, secure?: boolean }}
+ */
+function getEmailStatus() {
+  if (!_emailConfig) return { configured: false };
+  return {
+    configured: true,
+    host: _emailConfig.host,
+    port: _emailConfig.port,
+    from: _emailConfig.from,
+    secure: _emailConfig.secure,
+  };
+}
+
+module.exports = {
+  getEmailConfig,
+  initEmail,
+  interpolate,
+  sendEmail,
+  verifyConnection,
+  getEmailStatus,
+};

package/core/entity-engine.js

@@ -60,6 +60,7 @@ function buildEntities(config) {
       tableName: toSnakeCase(name),
       slug: def.slug || toKebabCase(name),
       authenticable: def.authenticable === true,
+      requireEmailVerification: def.requireEmailVerification === true,
       single: def.single === true,
       mainProp: def.mainProp || null,
       nameSingular: def.nameSingular || null,
@@ -155,6 +156,9 @@ function buildCore(config) {
     port: parseInt(process.env.CHADSTART_PORT || process.env.PORT || config.port || 3000, 10),
     rateLimits,
     telemetry,
+    email: config.email || null,
+    logs: config.logs || null,
+    backup: config.backup || null,
     oauth: config.oauth || null,
     admin: {
       enable_app: adminCfg.enable_app !== false,

package/core/logs.js

@@ -0,0 +1,179 @@
+'use strict';
+
+/**
+ * Request logging module for ChadStart.
+ *
+ * Stores API request logs in the `_cs_logs` system table and provides
+ * a paginated, filterable query API for the admin dashboard.
+ *
+ * Configuration via YAML `logs` section:
+ *   logs:
+ *     retention: 30          # Days to keep logs (default: 30, 0 = forever)
+ *     exclude:               # Paths to exclude from logging
+ *       - /health
+ *       - /admin/vendor
+ */
+
+const db = require('./db');
+const { q } = db;
+const logger = require('../utils/logger');
+
+const _DB_ENGINE = db.DB_ENGINE;
+const _ID_T   = _DB_ENGINE === 'mysql' ? 'VARCHAR(36)' : 'TEXT';
+const _NAME_T = _DB_ENGINE === 'mysql' ? 'VARCHAR(255)' : 'TEXT';
+
+/** Default log retention in days. 0 = keep forever. */
+const DEFAULT_RETENTION_DAYS = 30;
+
+/**
+ * Initialize the _cs_logs system table.
+ * Must be called after initDb().
+ */
+async function initLogs() {
+  await db.exec(`
+    CREATE TABLE IF NOT EXISTS ${q('_cs_logs')} (
+      ${q('id')}         ${_ID_T} PRIMARY KEY,
+      ${q('method')}     ${_NAME_T},
+      ${q('path')}       TEXT,
+      ${q('statusCode')} INTEGER,
+      ${q('duration')}   INTEGER,
+      ${q('ip')}         ${_NAME_T},
+      ${q('userId')}     ${_NAME_T},
+      ${q('userEntity')} ${_NAME_T},
+      ${q('createdAt')}  TEXT NOT NULL
+    )
+  `);
+}
+
+/**
+ * Insert a log entry.
+ */
+async function insertLog({ method, path, statusCode, duration, ip, userId, userEntity }) {
+  const id = require('crypto').randomUUID();
+  const now = new Date().toISOString();
+  await db.queryRun(
+    `INSERT INTO ${q('_cs_logs')} (${q('id')},${q('method')},${q('path')},${q('statusCode')},${q('duration')},${q('ip')},${q('userId')},${q('userEntity')},${q('createdAt')})
+     VALUES (?,?,?,?,?,?,?,?,?)`,
+    [id, method, path, statusCode, duration, ip || null, userId || null, userEntity || null, now]
+  );
+}
+
+/**
+ * Express middleware that logs each request to the _cs_logs table.
+ *
+ * @param {object} opts
+ * @param {string[]} opts.exclude  Path prefixes to skip logging (e.g. ['/health']).
+ */
+function requestLoggerMiddleware(opts = {}) {
+  const exclude = opts.exclude || [];
+  return (req, res, next) => {
+    // Skip excluded paths
+    for (const prefix of exclude) {
+      if (req.path.startsWith(prefix)) return next();
+    }
+
+    const start = Date.now();
+
+    // Hook into response finish event
+    const originalEnd = res.end;
+    res.end = function (...args) {
+      res.end = originalEnd;
+      res.end(...args);
+
+      const duration = Date.now() - start;
+      const userId = (req.user && req.user.id) || null;
+      const userEntity = (req.user && req.user.entity) || null;
+
+      // Insert asynchronously (best-effort, don't block response)
+      insertLog({
+        method: req.method,
+        path: req.originalUrl || req.path,
+        statusCode: res.statusCode,
+        duration,
+        ip: req.ip || req.socket?.remoteAddress || null,
+        userId,
+        userEntity,
+      }).catch((e) => logger.warn('Log insert failed:', e.message));
+    };
+
+    next();
+  };
+}
+
+/**
+ * Query logs with pagination and filters.
+ *
+ * @param {object} filters  Optional filters: { method, statusCode, path, from, to }
+ * @param {object} opts     { page, perPage, order }
+ * @returns {{ data: object[], total: number, currentPage: number, lastPage: number, perPage: number }}
+ */
+async function queryLogs(filters = {}, opts = {}) {
+  const page = Math.max(1, parseInt(opts.page || 1, 10));
+  const perPage = Math.min(100, Math.max(1, parseInt(opts.perPage || 50, 10)));
+  const order = (opts.order || 'DESC').toUpperCase() === 'ASC' ? 'ASC' : 'DESC';
+
+  const where = [];
+  const params = [];
+
+  if (filters.method) {
+    where.push(`${q('method')} = ?`);
+    params.push(filters.method.toUpperCase());
+  }
+  if (filters.statusCode) {
+    where.push(`${q('statusCode')} = ?`);
+    params.push(parseInt(filters.statusCode, 10));
+  }
+  if (filters.path) {
+    where.push(`${q('path')} LIKE ?`);
+    params.push(`%${filters.path}%`);
+  }
+  if (filters.from) {
+    where.push(`${q('createdAt')} >= ?`);
+    params.push(filters.from);
+  }
+  if (filters.to) {
+    where.push(`${q('createdAt')} <= ?`);
+    params.push(filters.to);
+  }
+
+  const whereClause = where.length ? `WHERE ${where.join(' AND ')}` : '';
+
+  const countRow = await db.queryOne(
+    `SELECT COUNT(*) AS cnt FROM ${q('_cs_logs')} ${whereClause}`,
+    params
+  );
+  const total = countRow ? countRow.cnt : 0;
+  const lastPage = Math.max(1, Math.ceil(total / perPage));
+  const offset = (page - 1) * perPage;
+
+  const data = await db.queryAll(
+    `SELECT * FROM ${q('_cs_logs')} ${whereClause} ORDER BY ${q('createdAt')} ${order} LIMIT ? OFFSET ?`,
+    [...params, perPage, offset]
+  );
+
+  return { data, total, currentPage: page, lastPage, perPage };
+}
+
+/**
+ * Delete logs older than the specified number of days.
+ *
+ * @param {number} days  Log retention in days. 0 or negative = keep all.
+ * @returns {number}     Number of rows deleted.
+ */
+async function cleanupOldLogs(days) {
+  if (!days || days <= 0) return 0;
+  const cutoff = new Date(Date.now() - days * 24 * 60 * 60 * 1000).toISOString();
+  const result = await db.queryRun(
+    `DELETE FROM ${q('_cs_logs')} WHERE ${q('createdAt')} < ?`,
+    [cutoff]
+  );
+  return result?.changes || 0;
+}
+
+module.exports = {
+  initLogs,
+  insertLog,
+  requestLoggerMiddleware,
+  queryLogs,
+  cleanupOldLogs,
+};

package/core/migrations.js

@@ -8,16 +8,22 @@ const logger = require('../utils/logger');
 
 const { buildCore, toSnakeCase } = require('./entity-engine');
 const { DB_ENGINE, q, sqlType, idColType, authStrType } = require('./db');
+const { detectFormat, parseRaw, loadConfig } = require('./config-loader');
 
 // ─── Git helpers ──────────────────────────────────────────────────────────────
 
 /**
- * Retrieve the last committed version of a file using git.
+ * Retrieve the last committed version of a config file using git.
  * Returns null if the file has no committed history (brand-new / untracked).
  */
-function getLastCommittedYaml(yamlPath) {
+function getLastCommittedConfig(configPath) {
   try {
-    const resolved = path.resolve(yamlPath);
+    const resolved = path.resolve(configPath);
+    const format = detectFormat(resolved);
+
+    // JS / Jsonnet configs can't be reconstructed from raw git content alone
+    if (format === 'js' || format === 'jsonnet') return null;
+
     const repoRoot = execFileSync('git', ['rev-parse', '--show-toplevel'], {
       cwd: path.dirname(resolved),
       stdio: ['pipe', 'pipe', 'pipe'],
@@ -30,21 +36,17 @@ function getLastCommittedYaml(yamlPath) {
       stdio: ['pipe', 'pipe', 'pipe'],
     }).toString();
 
-    return YAML.parse(raw);
+    return parseRaw(raw, format);
   } catch {
     return null;
   }
 }
 
 /**
- * Load the current YAML file from disk and return the parsed object.
+ * Load the current config file from disk and return the parsed object.
  */
-function loadCurrentYaml(yamlPath) {
-  const resolved = path.resolve(yamlPath);
-  if (!fs.existsSync(resolved)) {
-    throw new Error(`YAML config not found: ${resolved}`);
-  }
-  return YAML.parse(fs.readFileSync(resolved, 'utf8'));
+function loadCurrentConfig(configPath) {
+  return loadConfig(configPath);
 }
 
 
@@ -374,17 +376,17 @@ async function getMigrationStatus(migrationsDir, execQueryFn) {
 // ─── High-level commands ──────────────────────────────────────────────────────
 
 /**
- * Generate a migration by diffing the current YAML against the last committed
+ * Generate a migration by diffing the current config against the last committed
  * version in git. Writes numbered SQL files to the migrations directory.
  *
- * @param {string} yamlPath        Path to the chadstart YAML config file.
+ * @param {string} configPath      Path to the config file (any supported format).
  * @param {string} migrationsDir   Path to the migrations directory.
  * @param {string} [description]   Optional description for the migration.
  * @returns {{ doPath, undoPath, version, isEmpty } | null}
  */
-function generateMigration(yamlPath, migrationsDir, description) {
-  const currentConfig = loadCurrentYaml(yamlPath);
-  const oldConfig = getLastCommittedYaml(yamlPath);
+function generateMigration(configPath, migrationsDir, description) {
+  const currentConfig = loadCurrentConfig(configPath);
+  const oldConfig = getLastCommittedConfig(configPath);
 
   const newCore = buildCore(currentConfig);
   const oldCore = oldConfig ? buildCore(oldConfig) : null;
@@ -408,8 +410,11 @@ function generateMigration(yamlPath, migrationsDir, description) {
 
 module.exports = {
   // Git helpers
-  getLastCommittedYaml,
-  loadCurrentYaml,
+  getLastCommittedConfig,
+  loadCurrentConfig,
+  // Backward-compatible aliases
+  getLastCommittedYaml: getLastCommittedConfig,
+  loadCurrentYaml: loadCurrentConfig,
   // Diff engine
   diffCores,
   // SQL generation

package/core/openapi.js

@@ -30,8 +30,12 @@ function generateOpenApiSpec(core) {
     spec.components.schemas[`${e.name}AuthResponse`] = { type: 'object', properties: { token: { type: 'string' }, user: { $ref: `#/components/schemas/${e.name}` } } };
 
     spec.paths[`/api/auth/${slug}/signup`] = { post: { tags: [`Auth – ${e.name}`], summary: `Sign up as ${e.name}`, requestBody: jsonBody(`${e.name}Input`), responses: { 201: jsonResp(e.name + 'AuthResponse'), 400: desc('Validation error'), 409: desc('Email already registered') } } };
-    spec.paths[`/api/auth/${slug}/login`]  = { post: { tags: [`Auth – ${e.name}`], summary: `Login as ${e.name}`, requestBody: jsonBody(`${e.name}LoginInput`), responses: { 200: jsonResp(e.name + 'AuthResponse'), 401: desc('Invalid credentials') } } };
+    spec.paths[`/api/auth/${slug}/login`]  = { post: { tags: [`Auth – ${e.name}`], summary: `Login as ${e.name}`, requestBody: jsonBody(`${e.name}LoginInput`), responses: { 200: jsonResp(e.name + 'AuthResponse'), 401: desc('Invalid credentials'), 403: desc('Email not verified') } } };
     spec.paths[`/api/auth/${slug}/me`]     = { get: { tags: [`Auth – ${e.name}`], summary: `Get current ${e.name}`, security: [{ bearerAuth: [] }], responses: { 200: jsonResp(e.name), 401: desc('Unauthorized') } } };
+    spec.paths[`/api/auth/${slug}/request-verification`] = { post: { tags: [`Auth – ${e.name}`], summary: `Request email verification for ${e.name}`, security: [{ bearerAuth: [] }], responses: { 200: desc('Verification email sent'), 401: desc('Unauthorized') } } };
+    spec.paths[`/api/auth/${slug}/confirm-verification`] = { post: { tags: [`Auth – ${e.name}`], summary: `Confirm email verification for ${e.name}`, requestBody: { required: true, content: { 'application/json': { schema: { type: 'object', required: ['token'], properties: { token: { type: 'string' } } } } } }, responses: { 200: desc('Email verified'), 400: desc('Invalid token') } } };
+    spec.paths[`/api/auth/${slug}/request-password-reset`] = { post: { tags: [`Auth – ${e.name}`], summary: `Request password reset for ${e.name}`, requestBody: { required: true, content: { 'application/json': { schema: { type: 'object', required: ['email'], properties: { email: { type: 'string', format: 'email' } } } } } }, responses: { 200: desc('Password reset email sent (if account exists)') } } };
+    spec.paths[`/api/auth/${slug}/confirm-password-reset`] = { post: { tags: [`Auth – ${e.name}`], summary: `Confirm password reset for ${e.name}`, requestBody: { required: true, content: { 'application/json': { schema: { type: 'object', required: ['token', 'password'], properties: { token: { type: 'string' }, password: { type: 'string', format: 'password' } } } } } }, responses: { 200: desc('Password reset successful'), 400: desc('Invalid or expired token') } } };
   }
 
   // Entity CRUD endpoints
@@ -138,7 +142,7 @@ function entityInputSchema(e, all) {
 }
 
 function authSchema(e) {
-  const props = { id: { type: 'string', format: 'uuid', readOnly: true }, email: { type: 'string', format: 'email' }, createdAt: { type: 'string', format: 'date-time' }, updatedAt: { type: 'string', format: 'date-time' } };
+  const props = { id: { type: 'string', format: 'uuid', readOnly: true }, email: { type: 'string', format: 'email' }, emailVerified: { type: 'boolean' }, createdAt: { type: 'string', format: 'date-time' }, updatedAt: { type: 'string', format: 'date-time' } };
   for (const p of e.properties) {
     if (!p.hidden) props[p.name] = { type: OPENAPI_TYPE[p.type] || 'string' };
   }

package/core/yaml-loader.js

@@ -1,64 +1,19 @@
 'use strict';
 
-const fs = require('fs');
-const path = require('path');
-const YAML = require('yaml');
-const logger = require('../utils/logger');
-
 /**
- * Load and parse the chadstart.yaml file.
- * Returns the raw parsed object.
+ * Backward-compatible re-exports.
+ *
+ * All new code should import from `./config-loader` directly.
+ * These wrappers keep existing callers (tests, plugins) working unchanged.
  */
+const { loadConfig, saveConfig } = require('./config-loader');
+
 function loadYaml(filePath) {
-  const resolved = path.resolve(filePath);
-  if (!fs.existsSync(resolved)) {
-    throw new Error(`YAML config not found: ${resolved}`);
-  }
-  const raw = fs.readFileSync(resolved, 'utf8');
-  const parsed = YAML.parse(raw);
-  logger.debug('Loaded YAML from', resolved);
-  return parsed;
+  return loadConfig(filePath);
 }
 
-/**
- * Save an updated config object back to a YAML file.
- * Uses yaml's Document API so that comments in unchanged top-level sections
- * are preserved as much as possible.
- *
- * @param {string} filePath  Path to the YAML file.
- * @param {object} config    Plain-JS config object (already validated).
- */
 function saveYaml(filePath, config) {
-  const resolved = path.resolve(filePath);
-
-  let doc;
-  if (fs.existsSync(resolved)) {
-    // Parse into a live Document to keep comments / blank lines on unchanged nodes
-    const raw = fs.readFileSync(resolved, 'utf8');
-    doc = YAML.parseDocument(raw);
-
-    const existing = doc.toJS() || {};
-    const existingKeys = Object.keys(existing);
-    const newKeys = Object.keys(config);
-
-    // Update or add every key from the incoming config
-    for (const key of newKeys) {
-      doc.set(key, config[key]);
-    }
-
-    // Remove top-level keys that are no longer present
-    for (const key of existingKeys) {
-      if (!newKeys.includes(key)) {
-        doc.delete(key);
-      }
-    }
-  } else {
-    // Create a fresh Document when the file does not yet exist
-    doc = new YAML.Document(config);
-  }
-
-  fs.writeFileSync(resolved, doc.toString(), 'utf8');
-  logger.debug('Saved YAML to', resolved);
+  return saveConfig(filePath, config);
 }
 
 module.exports = { loadYaml, saveYaml };

package/docs/llm-rules.md

@@ -75,7 +75,7 @@ If you already have an existing project and want to add AI rules manually, creat
 | **GitHub Copilot** | `.github/copilot-instructions.md`              |
 | **Windsurf**       | `.windsurf/rules/chadstart.md`                 |
 
-You can base your rules file on the [chadstart.example.yml](https://github.com/saulmmendoza/chadstart.com/blob/main/chadstart.example.yml) reference file, which documents every available configuration option.
+You can base your rules file on the [chadstart.example.yaml](https://github.com/saulmmendoza/chadstart.com/blob/main/chadstart.example.yaml) reference file, which documents every available configuration option.
 
 !!! tip
     Keep your rules file up to date whenever you upgrade ChadStart. Newer versions may introduce new field types, options, or top-level blocks that your AI assistant won't know about unless the rules file is updated.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "chadstart",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "description": "YAML-first Backend as a Service — define your entire backend in one YAML file",
   "main": "server/express-server.js",
   "bin": {
@@ -49,9 +49,11 @@
     "express-rate-limit": "^8.3.1",
     "grant": "^5.4.24",
     "htmx.org": "2.0.4",
+    "json5": "^2.2.3",
     "jsonwebtoken": "^9.0.3",
     "mysql2": "^3.20.0",
     "node-cron": "^4.2.1",
+    "nodemailer": "^8.0.4",
     "pg": "^8.20.0",
     "postgrator": "^8.0.0",
     "sharp": "^0.34.5",