codeninja 3.2.0 → 4.0.1

package/ide/vscode/.vscode/instructions/reactjs.instructions.md

@@ -0,0 +1,42 @@
+---
+applyTo: "**/*.jsx,**/src/**"
+---
+
+# codeninja — ReactJS Architecture Standards
+
+## apiClient.js — 4 Responsibilities
+1. Static headers: `api-key`, `Accept-Language`, `Content-Type: text/plain`
+2. Request interceptor: AES-encrypt body + attach encrypted token from localStorage
+3. Response interceptor (success): decrypt + parse JSON; responsecode -1 → logout
+4. Response interceptor (error): ERR_NETWORK/401 → logout + error message
+
+## apiHandler.js Standard
+- One exported async function per backend endpoint
+- No try/catch, no decryption (interceptors handle it)
+- All API paths here — never in page components
+
+## Backend Linking Rule
+ReactJS CANNOT be initialized without a linked NodeJS backend.
+Inherits from linked service: `encryption_key`, `encryption_iv`, `api_key`, `port`.
+NEVER ask user for these — always read from `context.services[linked_service]`.
+
+## Vanilla CSS Only
+- Per-page: `<PageName>.module.css`
+- Global: `public/assets/css/style.css`
+- No Tailwind, no CSS-in-JS
+
+## .env Standard
+```
+REACT_APP_BASE_URL=http://localhost:<linked_port>/api/v1/
+REACT_APP_API_KEY=<inherited>
+REACT_APP_KEY=<inherited>
+REACT_APP_IV=<inherited>
+```
+
+## Wave Generation Order
+Before generating any file, read `.codeninja/tasks/generate-react-*.task.md`.
+
+Wave 1: package.json, .env, .gitignore, README.md, public/index.html, public/assets/css/style.css, .htaccess (root + public)
+Wave 2: src/api/apiClient.js, src/api/apiHandler.js
+Wave 3: src/pages/Welcome/index.jsx, src/pages/Welcome/Welcome.module.css, src/App.jsx, src/index.jsx
+Wave 4: Dockerfile, nginx.conf, .dockerignore

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "codeninja",
-    "version": "3.2.0",
-    "description": "AI agent scaffolding system — NodeJS, ReactJS, and database projects. IDE-aware: installs Antigravity slash commands, Cursor rules, or VS Code Copilot instructions automatically.",
+    "version": "4.0.1",
+    "description": "AI agent scaffolding system — NodeJS (JS/TS), ReactJS, and database projects. Multi-agent architecture with true parallel sub-agents. Supports Prisma ORM, TypeScript, and bcrypt/argon2 password hashing. IDE-aware: Claude Code, Antigravity, Cursor, VS Code.",
     "private": false,
     "bin": {
         "codeninja": "cli.js"

package/tasks/ask-hashing-library.task.md

@@ -0,0 +1,31 @@
+---
+type: task
+name: ask-hashing-library
+---
+
+Condition: only run if `context.current_init.init_mode == "manual"` AND
+`context.current_init.project_type == "nodejs"`.
+In fast mode, `generate-fast-defaults` sets `hashing_library = "bcryptjs"`
+automatically — skip this task.
+
+Ask the user exactly this question:
+
+"Which password hashing library should this service use?"
+
+Present options:
+1. bcryptjs — pure JavaScript, no native bindings, easier to install (recommended)
+2. argon2 — stronger algorithm, requires native build tools
+
+Wait for user selection.
+
+Store result in: `context.current_init.hashing_library`
+- Option 1 → "bcryptjs"
+- Option 2 → "argon2"
+
+Show confirmation based on selection:
+- bcryptjs → "bcryptjs will be added to package.json. Passwords will be hashed
+  with bcrypt (SALT_ROUNDS = 12)."
+- argon2 → "argon2 will be added to package.json. Passwords will be hashed
+  with argon2id. Native build tools (node-gyp) must be available."
+
+Do not ask any other question in this task.

package/tasks/ask-language-type.task.md

@@ -0,0 +1,26 @@
+---
+type: task
+name: ask-language-type
+---
+
+# Task: ask-language-type
+
+Condition: only run if `context.current_init.project_type == "nodejs"`.
+Skip entirely for reactjs and database-only projects.
+
+If `context.current_init.init_mode == "fast"` → skip this task,
+set `context.current_init.language = "javascript"` silently, return.
+
+Ask: "What language would you like to use for this service?"
+
+Options:
+1. JavaScript (default) — CommonJS require/module.exports, .js files, no build step
+2. TypeScript — import/export, type annotations, .ts files, compiled to dist/
+
+Guidance:
+- JavaScript: simpler setup, runs directly with node, faster to start
+- TypeScript: type safety, better IDE autocomplete, recommended for larger teams
+
+Stores: `context.current_init.language` ("javascript" | "typescript")
+
+Do not ask any other question in this task.

package/tasks/ask-new-module-name.task.md

@@ -0,0 +1,13 @@
+---
+type: task
+name: ask-new-module-name
+---
+
+# Task: ask-new-module-name
+
+Ask: "Enter the new name for '[context.current_refactor.old_module_name]':"
+- Validate: must not already exist in the service — error if conflict
+- Use PascalCase (e.g., "UserOrders" not "userorders")
+- Stores: `context.current_refactor.new_module_name`
+
+Do not ask any other question in this task.

package/tasks/ask-new-service-name.task.md

@@ -0,0 +1,13 @@
+---
+type: task
+name: ask-new-service-name
+---
+
+# Task: ask-new-service-name
+
+Ask: "Enter the new name for '[context.current_refactor.old_service_name]':"
+- Validate: must not already exist in `context.services` — error if conflict
+- Validate: lowercase, no spaces (suggest replacing spaces with hyphens)
+- Stores: `context.current_refactor.new_service_name`
+
+Do not ask any other question in this task.

package/tasks/ask-old-module-name.task.md

@@ -0,0 +1,15 @@
+---
+type: task
+name: ask-old-module-name
+---
+
+# Task: ask-old-module-name
+
+Read the target service name from: `context.current_refactor.old_service_name` (set by ask-old-service-name).
+
+Ask: "Enter the current module name to rename:"
+- Show available modules from `context.services[<service>].modules`
+- Validate: must exist in the service — error if not found
+- Stores: `context.current_refactor.old_module_name`
+
+Do not ask any other question in this task.

package/tasks/ask-old-service-name.task.md

@@ -0,0 +1,13 @@
+---
+type: task
+name: ask-old-service-name
+---
+
+# Task: ask-old-service-name
+
+Ask: "Enter the current service name to rename:"
+- Show available service names from `context.services` as options
+- Validate: name must exist in `context.services` — error if not found
+- Stores: `context.current_refactor.old_service_name`
+
+Do not ask any other question in this task.

package/tasks/ask-orm-type.task.md

@@ -0,0 +1,26 @@
+---
+type: task
+name: ask-orm-type
+---
+
+# Task: ask-orm-type
+
+Condition: if `context.current_init.init_mode == "fast"` → skip this task,
+set `context.db.orm = "none"` silently, return.
+
+Ask: "How would you like to interact with the database?"
+
+Options:
+1. Raw driver (default) — direct SQL with pg / mysql2 / mongoose; generates config/database.js
+2. Prisma ORM — schema-first ORM; generates prisma/schema.prisma + config/prisma.js
+
+Guidance to show the user:
+- Raw driver: full SQL control, better for complex queries and existing DBA workflows
+- Prisma: type-safe queries, auto-generated client, faster development (pairs well with TypeScript)
+
+If `context.db.orm` is already set from a previous service init, ask:
+"Existing services use [current value]. Keep the same? (yes / change)"
+
+Stores: `context.db.orm` ("none" | "prisma")
+
+Do not ask any other question in this task.

package/tasks/collect-seed-data.task.md

@@ -0,0 +1,19 @@
+---
+type: task
+name: collect-seed-data
+---
+
+# Task: collect-seed-data
+
+Orchestrates seed row collection for `context.current_db.table_name`.
+
+Step 1 — Run task: `ask-seed-rows-count`
+- Stores: `context.current_db.seed_count`
+
+Step 2 — Repeat `context.current_db.seed_count` times:
+Run task: `ask-seed-row-values`
+- Appends each completed row to: `context.current_db.seed_rows[]`
+
+After all rows are collected, show preview:
+"Seed data collected: [N] rows for [table_name]"
+Return to calling workflow.

package/tasks/generate-app.task.md

@@ -14,6 +14,48 @@ starts.
 
 ---
 
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `app.ts` + `server.ts`:**
+
+`app.ts`:
+```typescript
+import express, { Application } from 'express';
+import cors from 'cors';
+import helmet from 'helmet';
+import dotenv from 'dotenv';
+
+dotenv.config();
+
+const app: Application = express();
+
+app.use(cors({ origin: process.env.ALLOWED_ORIGINS?.split(',') }));
+app.use(helmet());
+app.use(express.json());
+app.use(express.urlencoded({ extended: true }));
+
+export default app;
+```
+
+`server.ts` (entry point):
+```typescript
+import app from './app';
+import { router as v1Router } from './modules/v1/route_manager';
+
+app.use('/api/v1', v1Router);
+
+const PORT = parseInt(process.env.PORT || '3000', 10);
+app.listen(PORT, () => {
+    console.log(`[${process.env.PROJECT_NAME}] running on port ${PORT}`);
+});
+```
+
+**JavaScript — generate `app.js` (existing behavior — see below)**
+
+---
+
 ## Dependencies to Import
 
 - `dotenv` — called as `require('dotenv').config()` on the very first

package/tasks/generate-common.task.md

@@ -15,6 +15,19 @@ config/database.js. The object is named `common` and exported directly.
 
 ---
 
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `config/common.ts`:**
+Same content as JS variant but with typed exports.
+Use `export const GLOBALS = Object.freeze({ ... } as const);`
+All function signatures typed.
+
+**JavaScript — generate `config/common.js` (existing behavior — see below)**
+
+---
+
 ## Dependencies to Import
 
 - `./database` — imported as `con`. Used by all database functions.

package/tasks/generate-constants.task.md

@@ -15,6 +15,19 @@ using Object.freeze so no file can accidentally mutate it at runtime.
 
 ---
 
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `config/constants.ts`:**
+Same content as JS variant.
+Use `export const` for all exported values.
+Add type annotations where helpful: `export const PORT: number = parseInt(process.env.PORT || '3000', 10);`
+
+**JavaScript — generate `config/constants.js` (existing behavior — see below)**
+
+---
+
 ## Dependencies
 
 No imports from within the service. Only reads from process.env which

package/tasks/generate-database.task.md

@@ -15,6 +15,38 @@ the correct implementation.
 
 ---
 
+## ORM Branch
+
+Read `context.db.orm` before generating anything.
+
+**If `orm == "prisma"`:**
+- Do NOT generate `config/database.js` or `config/database.ts`
+- Instead: run task `generate-prisma-schema` then run task `generate-prisma-client`
+- Update `.env` to use `DATABASE_URL` instead of individual DB_HOST/PORT/NAME/USER/PASS:
+  - PostgreSQL: `DATABASE_URL="postgresql://<user>:<password>@<host>:<port>/<db_name>?schema=public"`
+  - MySQL: `DATABASE_URL="mysql://<user>:<password>@<host>:<port>/<db_name>"`
+  - MongoDB: `DATABASE_URL="mongodb+srv://<user>:<password>@<cluster>/<db_name>?retryWrites=true&w=majority"`
+- Skip the rest of this task after running those two tasks.
+
+**If `orm == "none"`:**
+- Continue with raw driver generation below (existing behavior).
+
+---
+
+## Language Branch (raw driver path only — Prisma path already handles JS/TS in generate-prisma-client)
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `config/database.ts`:**
+Same pool/connection setup as JS but with typed imports.
+PostgreSQL: `import { Pool, PoolConfig } from 'pg';`
+MySQL: `import mysql from 'mysql2/promise';`
+MongoDB: `import mongoose from 'mongoose';`
+
+**JavaScript — generate `config/database.js` (existing behavior — see below)**
+
+---
+
 ## Dependencies to Import
 
 - `../logger/logging` — imported as `log`. Used for connection error

package/tasks/generate-encryption.task.md

@@ -6,6 +6,34 @@ agent: nodejs-agent
 
 # File: utilities/encryption.js
 
+## SCOPE: Transport Encryption Only
+
+`utilities/encryption.js` (or `.ts`) handles AES-256-CBC **transport encryption only**:
+- Encrypting outgoing API response payloads
+- Decrypting incoming encrypted request payloads
+- Encrypting/decrypting session tokens for transmission
+
+**This file does NOT handle passwords.** Password hashing is handled exclusively by
+`utilities/hashing.js` (see task: generate-hashing). Never import encryption functions
+for password storage. Never store an AES-encrypted password — passwords must be
+bcrypt/argon2 hashed (one-way, irreversible).
+
+---
+
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `utilities/encryption.ts`:**
+Same AES-256-CBC encrypt/decrypt functions as JS variant.
+Use `import CryptoJS from 'crypto-js';` (or `import cryptlib from 'cryptlib';` for app client type).
+All function signatures typed: `export function encrypt(data: unknown): string`
+and `export function decrypt(ciphertext: string): unknown`.
+
+**JavaScript — generate `utilities/encryption.js` (existing behavior — see below)**
+
+---
+
 ## Purpose
 Single source of truth for all encryption and decryption operations in the
 service. All other files that need to encrypt or decrypt call this module.

package/tasks/generate-fast-defaults.task.md

@@ -50,6 +50,13 @@ Validate after generation:
 - encryption_iv must equal the first 16 characters of encryption_key —
   re-derive if not
 
+### Language and Hashing Library
+- `language` → "javascript" (TypeScript requires manual selection — never auto-picked in fast mode)
+- `hashing_library` → "bcryptjs" (fast mode default — pure JS, no native build tools required)
+
+### ORM Default (nodejs only, if not already set)
+- `context.db.orm` → "none" if not already set (raw driver — Prisma requires manual selection)
+
 ### Redis Config (nodejs only — skip for reactjs)
 - `context.current_init.redis_host` → `"localhost"`
 - `context.current_init.redis_port` → `6379`

package/tasks/generate-hashing.task.md

@@ -0,0 +1,180 @@
+---
+type: task
+name: generate-hashing
+agent: nodejs-agent
+---
+
+# File: utilities/hashing.js OR utilities/hashing.ts
+
+## Purpose
+Single source of truth for all password hashing and verification in the service.
+All code that needs to hash or verify a password calls this module.
+No other file in the service imports bcryptjs or argon2 directly.
+This file handles one-way password storage ONLY.
+
+## SCOPE BOUNDARY
+
+NEVER use `encryption.js` / `decrypt` / AES / KEY / IV in this file.
+This is not transport encryption — it is irreversible password hashing.
+Do not import or reference `../utilities/encryption` from this file.
+
+---
+
+## Active library and language
+
+Read `context.current_init.hashing_library` (or
+`context.services[<name>].hashing_library`) — value is `"bcryptjs"` or
+`"argon2"`.
+
+Read `context.current_init.language` (or `context.services[<name>].language`)
+— value is `"javascript"` or `"typescript"`.
+
+Generate the matching variant below. Do not emit unused variants.
+
+---
+
+## JavaScript — bcryptjs variant
+
+```javascript
+const bcrypt = require('bcryptjs');
+
+const SALT_ROUNDS = 12;
+
+/**
+ * Hashes a plaintext password using bcrypt.
+ *
+ * @param {string} plaintext - The raw password string to hash.
+ * @returns {Promise<string>} The bcrypt hash string.
+ */
+async function hashPassword(plaintext) {
+    return bcrypt.hash(plaintext, SALT_ROUNDS);
+}
+
+/**
+ * Verifies a plaintext password against a stored bcrypt hash.
+ *
+ * @param {string} plaintext - The raw password to verify.
+ * @param {string} hash - The stored bcrypt hash.
+ * @returns {Promise<boolean>} True if the password matches the hash.
+ */
+async function verifyPassword(plaintext, hash) {
+    return bcrypt.compare(plaintext, hash);
+}
+
+module.exports = { hashPassword, verifyPassword };
+```
+
+---
+
+## JavaScript — argon2 variant
+
+```javascript
+const argon2 = require('argon2');
+
+/**
+ * Hashes a plaintext password using argon2id.
+ *
+ * @param {string} plaintext - The raw password string to hash.
+ * @returns {Promise<string>} The argon2 hash string.
+ */
+async function hashPassword(plaintext) {
+    return argon2.hash(plaintext, { type: argon2.argon2id });
+}
+
+/**
+ * Verifies a plaintext password against a stored argon2 hash.
+ *
+ * @param {string} plaintext - The raw password to verify.
+ * @param {string} hash - The stored argon2 hash.
+ * @returns {Promise<boolean>} True if the password matches the hash.
+ */
+async function verifyPassword(plaintext, hash) {
+    return argon2.verify(hash, plaintext);
+}
+
+module.exports = { hashPassword, verifyPassword };
+```
+
+---
+
+## TypeScript — bcryptjs variant
+
+```typescript
+import bcrypt from 'bcryptjs';
+
+const SALT_ROUNDS = 12;
+
+/**
+ * Hashes a plaintext password using bcrypt.
+ *
+ * @param {string} plaintext - The raw password string to hash.
+ * @returns {Promise<string>} The bcrypt hash string.
+ */
+export async function hashPassword(plaintext: string): Promise<string> {
+    return bcrypt.hash(plaintext, SALT_ROUNDS);
+}
+
+/**
+ * Verifies a plaintext password against a stored bcrypt hash.
+ *
+ * @param {string} plaintext - The raw password to verify.
+ * @param {string} hash - The stored bcrypt hash.
+ * @returns {Promise<boolean>} True if the password matches the hash.
+ */
+export async function verifyPassword(plaintext: string, hash: string): Promise<boolean> {
+    return bcrypt.compare(plaintext, hash);
+}
+```
+
+---
+
+## TypeScript — argon2 variant
+
+```typescript
+import argon2 from 'argon2';
+
+/**
+ * Hashes a plaintext password using argon2id.
+ *
+ * @param {string} plaintext - The raw password string to hash.
+ * @returns {Promise<string>} The argon2 hash string.
+ */
+export async function hashPassword(plaintext: string): Promise<string> {
+    return argon2.hash(plaintext, { type: argon2.argon2id });
+}
+
+/**
+ * Verifies a plaintext password against a stored argon2 hash.
+ *
+ * @param {string} plaintext - The raw password to verify.
+ * @param {string} hash - The stored argon2 hash.
+ * @returns {Promise<boolean>} True if the password matches the hash.
+ */
+export async function verifyPassword(plaintext: string, hash: string): Promise<boolean> {
+    return argon2.verify(hash, plaintext);
+}
+```
+
+---
+
+## Export
+
+JavaScript variants export via CommonJS:
+```
+module.exports = { hashPassword, verifyPassword }
+```
+
+TypeScript variants use named ES module exports (no default export).
+
+Every file that imports this module destructures exactly what it needs:
+`const { hashPassword, verifyPassword } = require('../utilities/hashing')`
+
+---
+
+## What This File Does NOT Do
+
+- Does not read `req` or `res` — no Express objects
+- Does not log — callers handle logging
+- Does not import `encryption.js` or use AES, KEY, or IV
+- Does not provide a `decrypt` or `unhash` function — hashing is irreversible
+- Does not conditionally skip hashing — always hashes when called

package/tasks/generate-headerValidator.task.md

@@ -17,6 +17,19 @@ delegated to `utilities/validator.js`.
 
 ---
 
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `headerValidator.ts`:**
+All exports are typed middleware functions with signature `(req: Request, res: Response, next: NextFunction): void`.
+Use `import { Request, Response, NextFunction } from 'express';` at the top.
+All other logic identical to JS variant — same checks, same middleware order.
+
+**JavaScript — generate `headerValidator.js` (existing behavior — see below)**
+
+---
+
 ## Dependencies to Import
 
 - `../config/constants` — GLOBALS object containing API_KEY and other

package/tasks/generate-ioRedis.task.md

@@ -19,6 +19,26 @@ starting the service.
 
 ---
 
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `utilities/ioRedis.ts`:**
+```typescript
+import Redis from 'ioredis';
+
+const redisClient = new Redis({
+    host: process.env.REDIS_HOST || 'localhost',
+    port: parseInt(process.env.REDIS_PORT || '6379', 10),
+});
+
+export default redisClient;
+```
+
+**JavaScript — generate `utilities/ioRedis.js` (existing behavior — see below)**
+
+---
+
 ## Dependencies to Import
 
 - `ioredis` — imported as `IORedis` (capital letters). The Redis client

package/tasks/generate-language-en.task.md

@@ -19,6 +19,18 @@ area. This makes it easy to find and add related messages together.
 
 ---
 
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `languages/en.ts`:**
+Same message key/value object as JS variant.
+Use: `const messages: Record<string, string> = { ... }; export default messages;`
+
+**JavaScript — generate `languages/en.js` (existing behavior — see below)**
+
+---
+
 ## Structure and Sections
 
 ### Section 1 — Validator Messages

package/tasks/generate-logging.task.md

@@ -16,6 +16,18 @@ than 10 days.
 
 ---
 
+## Language Branch
+
+Read `context.current_init.language` (or `context.services[name].language`).
+
+**TypeScript — generate `logger/logging.ts`:**
+Same custom file-based logger as JS variant with typed function signatures.
+`export function log(message: string, level?: 'info' | 'error' | 'warn'): void`
+
+**JavaScript — generate `logger/logging.js` (existing behavior — see below)**
+
+---
+
 ## Dependencies to Import
 
 - `fs` — Node.js built-in. Used for file existence checks, directory