codeninja 3.1.0 → 4.0.0

package/tasks/ask-new-module-name.task.md

@@ -0,0 +1,13 @@
+---
+type: task
+name: ask-new-module-name
+---
+
+# Task: ask-new-module-name
+
+Ask: "Enter the new name for '[context.current_refactor.old_module_name]':"
+- Validate: must not already exist in the service — error if conflict
+- Use PascalCase (e.g., "UserOrders" not "userorders")
+- Stores: `context.current_refactor.new_module_name`
+
+Do not ask any other question in this task.

package/tasks/ask-new-service-name.task.md

@@ -0,0 +1,13 @@
+---
+type: task
+name: ask-new-service-name
+---
+
+# Task: ask-new-service-name
+
+Ask: "Enter the new name for '[context.current_refactor.old_service_name]':"
+- Validate: must not already exist in `context.services` — error if conflict
+- Validate: lowercase, no spaces (suggest replacing spaces with hyphens)
+- Stores: `context.current_refactor.new_service_name`
+
+Do not ask any other question in this task.

package/tasks/ask-old-module-name.task.md

@@ -0,0 +1,15 @@
+---
+type: task
+name: ask-old-module-name
+---
+
+# Task: ask-old-module-name
+
+Read the target service name from: `context.current_refactor.old_service_name` (set by ask-old-service-name).
+
+Ask: "Enter the current module name to rename:"
+- Show available modules from `context.services[<service>].modules`
+- Validate: must exist in the service — error if not found
+- Stores: `context.current_refactor.old_module_name`
+
+Do not ask any other question in this task.

package/tasks/ask-old-service-name.task.md

@@ -0,0 +1,13 @@
+---
+type: task
+name: ask-old-service-name
+---
+
+# Task: ask-old-service-name
+
+Ask: "Enter the current service name to rename:"
+- Show available service names from `context.services` as options
+- Validate: name must exist in `context.services` — error if not found
+- Stores: `context.current_refactor.old_service_name`
+
+Do not ask any other question in this task.

package/tasks/ask-orm-type.task.md

@@ -0,0 +1,26 @@
+---
+type: task
+name: ask-orm-type
+---
+
+# Task: ask-orm-type
+
+Condition: if `context.current_init.init_mode == "fast"` → skip this task,
+set `context.db.orm = "none"` silently, return.
+
+Ask: "How would you like to interact with the database?"
+
+Options:
+1. Raw driver (default) — direct SQL with pg / mysql2 / mongoose; generates config/database.js
+2. Prisma ORM — schema-first ORM; generates prisma/schema.prisma + config/prisma.js
+
+Guidance to show the user:
+- Raw driver: full SQL control, better for complex queries and existing DBA workflows
+- Prisma: type-safe queries, auto-generated client, faster development (pairs well with TypeScript)
+
+If `context.db.orm` is already set from a previous service init, ask:
+"Existing services use [current value]. Keep the same? (yes / change)"
+
+Stores: `context.db.orm` ("none" | "prisma")
+
+Do not ask any other question in this task.

package/tasks/collect-seed-data.task.md

@@ -0,0 +1,19 @@
+---
+type: task
+name: collect-seed-data
+---
+
+# Task: collect-seed-data
+
+Orchestrates seed row collection for `context.current_db.table_name`.
+
+Step 1 — Run task: `ask-seed-rows-count`
+- Stores: `context.current_db.seed_count`
+
+Step 2 — Repeat `context.current_db.seed_count` times:
+Run task: `ask-seed-row-values`
+- Appends each completed row to: `context.current_db.seed_rows[]`
+
+After all rows are collected, show preview:
+"Seed data collected: [N] rows for [table_name]"
+Return to calling workflow.

package/tasks/generate-app.task.md

@@ -14,6 +14,48 @@ starts.
 
 ---
 
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `app.ts` + `server.ts`:**
+
+`app.ts`:
+```typescript
+import express, { Application } from 'express';
+import cors from 'cors';
+import helmet from 'helmet';
+import dotenv from 'dotenv';
+
+dotenv.config();
+
+const app: Application = express();
+
+app.use(cors({ origin: process.env.ALLOWED_ORIGINS?.split(',') }));
+app.use(helmet());
+app.use(express.json());
+app.use(express.urlencoded({ extended: true }));
+
+export default app;
+```
+
+`server.ts` (entry point):
+```typescript
+import app from './app';
+import { router as v1Router } from './modules/v1/route_manager';
+
+app.use('/api/v1', v1Router);
+
+const PORT = parseInt(process.env.PORT || '3000', 10);
+app.listen(PORT, () => {
+    console.log(`[${process.env.PROJECT_NAME}] running on port ${PORT}`);
+});
+```
+
+**JavaScript — generate `app.js` (existing behavior — see below)**
+
+---
+
 ## Dependencies to Import
 
 - `dotenv` — called as `require('dotenv').config()` on the very first

package/tasks/generate-common.task.md

@@ -15,6 +15,19 @@ config/database.js. The object is named `common` and exported directly.
 
 ---
 
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `config/common.ts`:**
+Same content as JS variant but with typed exports.
+Use `export const GLOBALS = Object.freeze({ ... } as const);`
+All function signatures typed.
+
+**JavaScript — generate `config/common.js` (existing behavior — see below)**
+
+---
+
 ## Dependencies to Import
 
 - `./database` — imported as `con`. Used by all database functions.

package/tasks/generate-constants.task.md

@@ -15,6 +15,19 @@ using Object.freeze so no file can accidentally mutate it at runtime.
 
 ---
 
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `config/constants.ts`:**
+Same content as JS variant.
+Use `export const` for all exported values.
+Add type annotations where helpful: `export const PORT: number = parseInt(process.env.PORT || '3000', 10);`
+
+**JavaScript — generate `config/constants.js` (existing behavior — see below)**
+
+---
+
 ## Dependencies
 
 No imports from within the service. Only reads from process.env which

package/tasks/generate-database.task.md

@@ -15,6 +15,38 @@ the correct implementation.
 
 ---
 
+## ORM Branch
+
+Read `context.db.orm` before generating anything.
+
+**If `orm == "prisma"`:**
+- Do NOT generate `config/database.js` or `config/database.ts`
+- Instead: run task `generate-prisma-schema` then run task `generate-prisma-client`
+- Update `.env` to use `DATABASE_URL` instead of individual DB_HOST/PORT/NAME/USER/PASS:
+  - PostgreSQL: `DATABASE_URL="postgresql://<user>:<password>@<host>:<port>/<db_name>?schema=public"`
+  - MySQL: `DATABASE_URL="mysql://<user>:<password>@<host>:<port>/<db_name>"`
+  - MongoDB: `DATABASE_URL="mongodb+srv://<user>:<password>@<cluster>/<db_name>?retryWrites=true&w=majority"`
+- Skip the rest of this task after running those two tasks.
+
+**If `orm == "none"`:**
+- Continue with raw driver generation below (existing behavior).
+
+---
+
+## Language Branch (raw driver path only — Prisma path already handles JS/TS in generate-prisma-client)
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `config/database.ts`:**
+Same pool/connection setup as JS but with typed imports.
+PostgreSQL: `import { Pool, PoolConfig } from 'pg';`
+MySQL: `import mysql from 'mysql2/promise';`
+MongoDB: `import mongoose from 'mongoose';`
+
+**JavaScript — generate `config/database.js` (existing behavior — see below)**
+
+---
+
 ## Dependencies to Import
 
 - `../logger/logging` — imported as `log`. Used for connection error

package/tasks/generate-encryption.task.md

@@ -6,6 +6,34 @@ agent: nodejs-agent
 
 # File: utilities/encryption.js
 
+## SCOPE: Transport Encryption Only
+
+`utilities/encryption.js` (or `.ts`) handles AES-256-CBC **transport encryption only**:
+- Encrypting outgoing API response payloads
+- Decrypting incoming encrypted request payloads
+- Encrypting/decrypting session tokens for transmission
+
+**This file does NOT handle passwords.** Password hashing is handled exclusively by
+`utilities/hashing.js` (see task: generate-hashing). Never import encryption functions
+for password storage. Never store an AES-encrypted password — passwords must be
+bcrypt/argon2 hashed (one-way, irreversible).
+
+---
+
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `utilities/encryption.ts`:**
+Same AES-256-CBC encrypt/decrypt functions as JS variant.
+Use `import CryptoJS from 'crypto-js';` (or `import cryptlib from 'cryptlib';` for app client type).
+All function signatures typed: `export function encrypt(data: unknown): string`
+and `export function decrypt(ciphertext: string): unknown`.
+
+**JavaScript — generate `utilities/encryption.js` (existing behavior — see below)**
+
+---
+
 ## Purpose
 Single source of truth for all encryption and decryption operations in the
 service. All other files that need to encrypt or decrypt call this module.

package/tasks/generate-fast-defaults.task.md

@@ -50,6 +50,13 @@ Validate after generation:
 - encryption_iv must equal the first 16 characters of encryption_key —
   re-derive if not
 
+### Language and Hashing Library
+- `language` → "javascript" (TypeScript requires manual selection — never auto-picked in fast mode)
+- `hashing_library` → "bcryptjs" (fast mode default — pure JS, no native build tools required)
+
+### ORM Default (nodejs only, if not already set)
+- `context.db.orm` → "none" if not already set (raw driver — Prisma requires manual selection)
+
 ### Redis Config (nodejs only — skip for reactjs)
 - `context.current_init.redis_host` → `"localhost"`
 - `context.current_init.redis_port` → `6379`

package/tasks/generate-hashing.task.md

@@ -0,0 +1,180 @@
+---
+type: task
+name: generate-hashing
+agent: nodejs-agent
+---
+
+# File: utilities/hashing.js OR utilities/hashing.ts
+
+## Purpose
+Single source of truth for all password hashing and verification in the service.
+All code that needs to hash or verify a password calls this module.
+No other file in the service imports bcryptjs or argon2 directly.
+This file handles one-way password storage ONLY.
+
+## SCOPE BOUNDARY
+
+NEVER use `encryption.js` / `decrypt` / AES / KEY / IV in this file.
+This is not transport encryption — it is irreversible password hashing.
+Do not import or reference `../utilities/encryption` from this file.
+
+---
+
+## Active library and language
+
+Read `context.current_init.hashing_library` (or
+`context.services[<name>].hashing_library`) — value is `"bcryptjs"` or
+`"argon2"`.
+
+Read `context.current_init.language` (or `context.services[<name>].language`)
+— value is `"javascript"` or `"typescript"`.
+
+Generate the matching variant below. Do not emit unused variants.
+
+---
+
+## JavaScript — bcryptjs variant
+
+```javascript
+const bcrypt = require('bcryptjs');
+
+const SALT_ROUNDS = 12;
+
+/**
+ * Hashes a plaintext password using bcrypt.
+ *
+ * @param {string} plaintext - The raw password string to hash.
+ * @returns {Promise<string>} The bcrypt hash string.
+ */
+async function hashPassword(plaintext) {
+    return bcrypt.hash(plaintext, SALT_ROUNDS);
+}
+
+/**
+ * Verifies a plaintext password against a stored bcrypt hash.
+ *
+ * @param {string} plaintext - The raw password to verify.
+ * @param {string} hash - The stored bcrypt hash.
+ * @returns {Promise<boolean>} True if the password matches the hash.
+ */
+async function verifyPassword(plaintext, hash) {
+    return bcrypt.compare(plaintext, hash);
+}
+
+module.exports = { hashPassword, verifyPassword };
+```
+
+---
+
+## JavaScript — argon2 variant
+
+```javascript
+const argon2 = require('argon2');
+
+/**
+ * Hashes a plaintext password using argon2id.
+ *
+ * @param {string} plaintext - The raw password string to hash.
+ * @returns {Promise<string>} The argon2 hash string.
+ */
+async function hashPassword(plaintext) {
+    return argon2.hash(plaintext, { type: argon2.argon2id });
+}
+
+/**
+ * Verifies a plaintext password against a stored argon2 hash.
+ *
+ * @param {string} plaintext - The raw password to verify.
+ * @param {string} hash - The stored argon2 hash.
+ * @returns {Promise<boolean>} True if the password matches the hash.
+ */
+async function verifyPassword(plaintext, hash) {
+    return argon2.verify(hash, plaintext);
+}
+
+module.exports = { hashPassword, verifyPassword };
+```
+
+---
+
+## TypeScript — bcryptjs variant
+
+```typescript
+import bcrypt from 'bcryptjs';
+
+const SALT_ROUNDS = 12;
+
+/**
+ * Hashes a plaintext password using bcrypt.
+ *
+ * @param {string} plaintext - The raw password string to hash.
+ * @returns {Promise<string>} The bcrypt hash string.
+ */
+export async function hashPassword(plaintext: string): Promise<string> {
+    return bcrypt.hash(plaintext, SALT_ROUNDS);
+}
+
+/**
+ * Verifies a plaintext password against a stored bcrypt hash.
+ *
+ * @param {string} plaintext - The raw password to verify.
+ * @param {string} hash - The stored bcrypt hash.
+ * @returns {Promise<boolean>} True if the password matches the hash.
+ */
+export async function verifyPassword(plaintext: string, hash: string): Promise<boolean> {
+    return bcrypt.compare(plaintext, hash);
+}
+```
+
+---
+
+## TypeScript — argon2 variant
+
+```typescript
+import argon2 from 'argon2';
+
+/**
+ * Hashes a plaintext password using argon2id.
+ *
+ * @param {string} plaintext - The raw password string to hash.
+ * @returns {Promise<string>} The argon2 hash string.
+ */
+export async function hashPassword(plaintext: string): Promise<string> {
+    return argon2.hash(plaintext, { type: argon2.argon2id });
+}
+
+/**
+ * Verifies a plaintext password against a stored argon2 hash.
+ *
+ * @param {string} plaintext - The raw password to verify.
+ * @param {string} hash - The stored argon2 hash.
+ * @returns {Promise<boolean>} True if the password matches the hash.
+ */
+export async function verifyPassword(plaintext: string, hash: string): Promise<boolean> {
+    return argon2.verify(hash, plaintext);
+}
+```
+
+---
+
+## Export
+
+JavaScript variants export via CommonJS:
+```
+module.exports = { hashPassword, verifyPassword }
+```
+
+TypeScript variants use named ES module exports (no default export).
+
+Every file that imports this module destructures exactly what it needs:
+`const { hashPassword, verifyPassword } = require('../utilities/hashing')`
+
+---
+
+## What This File Does NOT Do
+
+- Does not read `req` or `res` — no Express objects
+- Does not log — callers handle logging
+- Does not import `encryption.js` or use AES, KEY, or IV
+- Does not provide a `decrypt` or `unhash` function — hashing is irreversible
+- Does not conditionally skip hashing — always hashes when called

package/tasks/generate-headerValidator.task.md

@@ -17,6 +17,19 @@ delegated to `utilities/validator.js`.
 
 ---
 
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `headerValidator.ts`:**
+All exports are typed middleware functions with signature `(req: Request, res: Response, next: NextFunction): void`.
+Use `import { Request, Response, NextFunction } from 'express';` at the top.
+All other logic identical to JS variant — same checks, same middleware order.
+
+**JavaScript — generate `headerValidator.js` (existing behavior — see below)**
+
+---
+
 ## Dependencies to Import
 
 - `../config/constants` — GLOBALS object containing API_KEY and other

package/tasks/generate-ioRedis.task.md

@@ -19,6 +19,26 @@ starting the service.
 
 ---
 
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `utilities/ioRedis.ts`:**
+```typescript
+import Redis from 'ioredis';
+
+const redisClient = new Redis({
+    host: process.env.REDIS_HOST || 'localhost',
+    port: parseInt(process.env.REDIS_PORT || '6379', 10),
+});
+
+export default redisClient;
+```
+
+**JavaScript — generate `utilities/ioRedis.js` (existing behavior — see below)**
+
+---
+
 ## Dependencies to Import
 
 - `ioredis` — imported as `IORedis` (capital letters). The Redis client

package/tasks/generate-language-en.task.md

@@ -19,6 +19,18 @@ area. This makes it easy to find and add related messages together.
 
 ---
 
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `languages/en.ts`:**
+Same message key/value object as JS variant.
+Use: `const messages: Record<string, string> = { ... }; export default messages;`
+
+**JavaScript — generate `languages/en.js` (existing behavior — see below)**
+
+---
+
 ## Structure and Sections
 
 ### Section 1 — Validator Messages

package/tasks/generate-logging.task.md

@@ -16,6 +16,18 @@ than 10 days.
 
 ---
 
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `logger/logging.ts`:**
+Same custom file-based logger as JS variant with typed function signatures.
+`export function log(message: string, level?: 'info' | 'error' | 'warn'): void`
+
+**JavaScript — generate `logger/logging.js` (existing behavior — see below)**
+
+---
+
 ## Dependencies to Import
 
 - `fs` — Node.js built-in. Used for file existence checks, directory

package/tasks/generate-model.task.md

@@ -19,6 +19,50 @@ name, primary table, and available columns.
 
 ---
 
+## ORM Branch
+
+Read `context.db.orm` before generating the model file.
+
+### If `orm == "prisma"` — generate Prisma-based model
+
+Import from the `config/prisma` singleton. Use Prisma Client API. Never use raw SQL.
+
+Example model function (JavaScript):
+```javascript
+const prisma = require('../../config/prisma');
+const { hashPassword, verifyPassword } = require('../../utilities/hashing');
+
+/**
+ * Registers a new user with hashed password.
+ *
+ * @param {Object} request - Decrypted request body.
+ * @param {number} user_id - Authenticated user ID (0 for public endpoint).
+ * @param {string} user_type - Authenticated user type.
+ * @returns {Promise<Object>} Standard response: { responsecode, responsemsg, responsedata }
+ */
+async function registerUser(request, user_id, user_type) {
+    const hashedPassword = await hashPassword(request.password);
+    const user = await prisma.users.create({
+        data: { email: request.email, password: hashedPassword, status: 1 },
+        select: { id: true, email: true }
+    });
+    return { responsecode: 1, responsemsg: 'register_success', responsedata: user };
+}
+
+module.exports = { registerUser };
+```
+
+Prisma model naming rules:
+- `tbl_users` → `prisma.users` (strip `tbl_` prefix, keep lowercase in queries)
+- Always use `select` to specify returned columns — never return all columns
+- Passwords: always call `hashPassword()` / `verifyPassword()` from utilities/hashing
+
+### If `orm == "none"` — generate raw SQL model (existing behavior)
+
+Continue with parameterized SQL queries as per the rest of this task file.
+
+---
+
 ## Dependencies to Import
 
 - `../../../config/database` — imported as `con`. Used for all DB
@@ -129,12 +173,36 @@ Every function generated by `@create-api` follows this pattern:
    error level with function name and error, then return the failure
    shape with keyword `rest_keywords_something_went_wrong`.
 
-### Password handling
-When the function receives or stores passwords:
-- For storing: call `encrypt(password)` from utilities/encryption.js.
-  Never store plaintext passwords.
-- For comparing: encrypt the incoming password and compare against the
-  stored encrypted value. Never decrypt stored passwords for comparison.
+## Password Handling in Model Files
+
+When a query involves a password column (login, register, change-password):
+
+**On registration / password save (JavaScript):**
+```javascript
+const { hashPassword } = require('../../utilities/hashing');
+// ...
+const hashedPassword = await hashPassword(request.password);
+// Store hashedPassword in DB — NEVER store request.password directly
+```
+
+**On login / password verify (JavaScript):**
+```javascript
+const { verifyPassword } = require('../../utilities/hashing');
+// ...
+const isMatch = await verifyPassword(request.password, dbRow.password);
+if (!isMatch) {
+    return { responsecode: 0, responsemsg: 'invalid_credentials', responsedata: [] };
+}
+```
+
+**TypeScript imports:**
+```typescript
+import { hashPassword, verifyPassword } from '../../utilities/hashing';
+```
+
+NEVER call `encrypt()` or `decrypt()` from `encryption.js` for password fields.
+NEVER store the raw plaintext password.
+NEVER store an AES-encrypted password — AES is reversible and not safe for password storage.
 
 ### Session generation (login/signup)
 When a function completes a successful login or signup:

package/tasks/generate-notification.task.md

@@ -15,6 +15,18 @@ instance is exported.
 
 ---
 
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `utilities/notification.ts`:**
+Same email/FCM notification utilities as JS variant with typed function signatures.
+All function parameters and returns explicitly typed.
+
+**JavaScript — generate `utilities/notification.js` (existing behavior — see below)**
+
+---
+
 ## Dependencies to Import
 
 - `firebase-admin` — imported as `admin`. Used for FCM push