create-davepi-app 0.1.0

package/templates/content/seed.js

@@ -0,0 +1,97 @@
+'use strict';
+require('dotenv').config();
+
+const port = process.env.API_PORT || 5050;
+const base = `http://127.0.0.1:${port}`;
+const DEMO_EMAIL = 'demo@example.com';
+const DEMO_PASSWORD = 'demo-password!';
+
+async function fetchJson(path, opts = {}) {
+  const res = await fetch(base + path, {
+    ...opts,
+    headers: { 'Content-Type': 'application/json', ...(opts.headers || {}) },
+  });
+  const text = await res.text();
+  let body;
+  try { body = text ? JSON.parse(text) : null; } catch { body = text; }
+  return { status: res.status, body };
+}
+
+async function ensureDemoUser() {
+  let r = await fetchJson('/login', {
+    method: 'POST',
+    body: JSON.stringify({ email: DEMO_EMAIL, password: DEMO_PASSWORD }),
+  });
+  if (r.status === 200) return r.body.accessToken;
+  r = await fetchJson('/register', {
+    method: 'POST',
+    body: JSON.stringify({
+      first_name: 'Demo', last_name: 'User',
+      email: DEMO_EMAIL, password: DEMO_PASSWORD,
+    }),
+  });
+  if (r.status !== 201) throw new Error(`register: ${r.status} ${JSON.stringify(r.body)}`);
+  return r.body.accessToken;
+}
+
+async function post(path, body, auth) {
+  const r = await fetchJson(path, { method: 'POST', headers: auth, body: JSON.stringify(body) });
+  if (r.status !== 201) throw new Error(`${path}: ${r.status} ${JSON.stringify(r.body)}`);
+  return r.body;
+}
+
+async function put(path, body, auth) {
+  const r = await fetchJson(path, { method: 'PUT', headers: auth, body: JSON.stringify(body) });
+  if (r.status !== 200) throw new Error(`${path}: ${r.status} ${JSON.stringify(r.body)}`);
+  return r.body;
+}
+
+async function main() {
+  const token = await ensureDemoUser();
+  const auth = { Authorization: `Bearer ${token}` };
+
+  const eng = await post('/api/v1/category', {
+    name: 'Engineering',
+    description: 'Posts about how we build the product.',
+  }, auth);
+  const launches = await post('/api/v1/category', {
+    name: 'Launches',
+    description: 'Product announcements and changelogs.',
+  }, auth);
+
+  const a1 = await post('/api/v1/article', {
+    title: 'How we ship',
+    body: 'A short post about our weekly cadence.',
+    excerpt: 'Once a week, end-to-end.',
+    categoryId: eng._id,
+    tags: ['process', 'team'],
+    authorName: 'Demo',
+  }, auth);
+  await put(`/api/v1/article/${a1._id}`, { status: 'review' }, auth);
+  await put(`/api/v1/article/${a1._id}`, {
+    status: 'published',
+    publishedAt: new Date(),
+  }, auth);
+
+  await post('/api/v1/article', {
+    title: 'Draft: notes for a Q2 retrospective',
+    body: 'TBD.',
+    categoryId: eng._id,
+  }, auth);
+
+  await post('/api/v1/article', {
+    title: 'Launch: scaffolder + templates',
+    body: 'Run `npx create-davepi-app my-app --template crm` and you\'re running.',
+    categoryId: launches._id,
+    tags: ['launch'],
+    authorName: 'Demo',
+  }, auth);
+
+  process.stdout.write(`Seeded 2 categories, 3 articles (1 published, 2 draft) as ${DEMO_EMAIL}.\n`);
+  process.stdout.write(`Sign in with: ${DEMO_EMAIL} / ${DEMO_PASSWORD}\n`);
+}
+
+main().catch((err) => {
+  process.stderr.write(`\nSeed failed: ${err.message}\n`);
+  process.exit(1);
+});

package/templates/crm/README.md

@@ -0,0 +1,59 @@
+# CRM template
+
+A minimal sales CRM. Demonstrates relations, state machines, computed fields, full-text search, file uploads, and aggregations — all features you'll learn by reading the schema files.
+
+## Resources
+
+| Resource | Purpose |
+|----------|---------|
+| `account` | Companies you sell to. `name` and `description` are full-text searchable. Carries an optional logo (image, ≤2MB, public). Has `contacts` (hasMany), `deals` (hasMany), and `primaryContact` (hasOne where `isPrimary: true`). |
+| `contact` | People at an account. `parentAccountId` joins to `account`. `fullName` is a computed field. |
+| `deal` | Opportunity in flight. `stage` is a state machine: `lead → qualified → proposal → negotiation → won` (or `lost` from any earlier stage; `lost` can be re-opened). |
+| `activity` | Touchpoints (call / email / meeting / note). Optionally tied to a contact or a deal. |
+
+## Aggregations
+
+- `deal.pipelineByStage` — total amount + count grouped by deal stage. Cached 30s.
+- `deal.wonByMonth` — won-deal totals grouped by close month. Cached 60s.
+
+## Worked example
+
+```bash
+TOKEN=$(curl -s -X POST http://localhost:5050/login \
+  -H 'Content-Type: application/json' \
+  -d '{"email":"a@b.com","password":"pw12345!"}' | jq -r .accessToken)
+
+# 1. Create an account
+ACCT=$(curl -s -X POST http://localhost:5050/api/v1/account \
+  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
+  -d '{"name":"Acme","industry":"manufacturing","employees":250}' | jq -r ._id)
+
+# 2. Add a contact
+curl -s -X POST http://localhost:5050/api/v1/contact \
+  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
+  -d "{\"parentAccountId\":\"$ACCT\",\"firstName\":\"Jane\",\"lastName\":\"Doe\",\"email\":\"jane@acme.com\",\"isPrimary\":true}"
+
+# 3. Create a deal — initial state stamped to "lead"
+DEAL=$(curl -s -X POST http://localhost:5050/api/v1/deal \
+  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
+  -d "{\"parentAccountId\":\"$ACCT\",\"title\":\"Q1 expansion\",\"amount\":50000}" | jq -r ._id)
+
+# 4. Move it forward
+curl -s -X PUT "http://localhost:5050/api/v1/deal/$DEAL" \
+  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
+  -d '{"stage":"qualified"}'
+
+# 5. Get the deal with its account populated
+curl "http://localhost:5050/api/v1/deal/$DEAL?__include=account" \
+  -H "Authorization: Bearer $TOKEN" | jq
+
+# 6. Pipeline view
+curl http://localhost:5050/api/v1/deal/aggregations/pipelineByStage \
+  -H "Authorization: Bearer $TOKEN" | jq
+```
+
+## With Claude Code
+
+Open the project, the `.mcp.json` is already configured. Try:
+
+> Add a `lostReason` field to deal that's only populated when stage is `lost`, and an aggregation that groups `lost` deals by reason.

package/templates/crm/schema/versions/v1/account.js

@@ -0,0 +1,22 @@
+module.exports = {
+  path: 'account',
+  collection: 'account',
+  fields: [
+    { name: 'userId', type: String, required: true },
+    { name: 'name', type: String, required: true, searchable: true, searchWeight: 5 },
+    { name: 'industry', type: String },
+    { name: 'website', type: String },
+    { name: 'description', type: String, searchable: true },
+    { name: 'employees', type: Number },
+    { name: 'logo', type: 'File', file: { maxBytes: 2 * 1024 * 1024, accept: ['image/*'], access: 'public' } },
+  ],
+  relations: {
+    contacts: { hasMany: 'contact', foreignKey: 'parentAccountId' },
+    deals: { hasMany: 'deal', foreignKey: 'parentAccountId' },
+    primaryContact: {
+      hasOne: 'contact',
+      foreignKey: 'parentAccountId',
+      where: { isPrimary: true },
+    },
+  },
+};

package/templates/crm/schema/versions/v1/activity.js

@@ -0,0 +1,20 @@
+module.exports = {
+  path: 'activity',
+  collection: 'activity',
+  fields: [
+    { name: 'userId', type: String, required: true },
+    { name: 'type', type: String, required: true }, // call | email | meeting | note
+    { name: 'subject', type: String, required: true, searchable: true },
+    { name: 'body', type: String, searchable: true },
+    { name: 'occurredAt', type: Date, default: Date.now },
+    // Optional pointers into the parent record. An activity is
+    // typically attached to either a contact OR a deal — both are
+    // optional so a free-form note is also valid.
+    { name: 'contactId', type: String },
+    { name: 'dealId', type: String },
+  ],
+  relations: {
+    contact: { belongsTo: 'contact', localKey: 'contactId' },
+    deal: { belongsTo: 'deal', localKey: 'dealId' },
+  },
+};

package/templates/crm/schema/versions/v1/contact.js

@@ -0,0 +1,28 @@
+module.exports = {
+  path: 'contact',
+  collection: 'contact',
+  fields: [
+    { name: 'userId', type: String, required: true },
+    // NB: not `accountId` — the framework auto-stamps `accountId` on
+    // every record from the JWT user_id (legacy quirk), so a manual
+    // foreign key needs a different name. parentAccountId is what we
+    // use to point at the parent account.
+    { name: 'parentAccountId', type: String, required: true },
+    { name: 'firstName', type: String, required: true, searchable: true },
+    { name: 'lastName', type: String, required: true, searchable: true, searchWeight: 3 },
+    {
+      name: 'fullName',
+      type: String,
+      computed: (r) => [r.firstName, r.lastName].filter(Boolean).join(' '),
+      description: 'First and last name joined.',
+    },
+    { name: 'email', type: String, searchable: true },
+    { name: 'phone', type: String },
+    { name: 'role', type: String },
+    { name: 'isPrimary', type: Boolean, default: false },
+  ],
+  relations: {
+    account: { belongsTo: 'account', localKey: 'parentAccountId' },
+    activities: { hasMany: 'activity', foreignKey: 'contactId' },
+  },
+};

package/templates/crm/schema/versions/v1/deal.js

@@ -0,0 +1,72 @@
+module.exports = {
+  path: 'deal',
+  collection: 'deal',
+  fields: [
+    { name: 'userId', type: String, required: true },
+    { name: 'parentAccountId', type: String, required: true },
+    { name: 'title', type: String, required: true, searchable: true, searchWeight: 5 },
+    { name: 'amount', type: Number, required: true },
+    { name: 'currency', type: String, default: 'USD' },
+    { name: 'expectedCloseAt', type: Date },
+    { name: 'closedAt', type: Date },
+    {
+      // The classic CRM funnel as a state machine. The framework
+      // rejects undeclared transitions and surfaces the available
+      // next states on every read so the admin SPA renders the
+      // right action buttons automatically.
+      name: 'stage',
+      type: String,
+      stateMachine: {
+        initial: 'lead',
+        states: ['lead', 'qualified', 'proposal', 'negotiation', 'won', 'lost'],
+        transitions: {
+          lead: ['qualified', 'lost'],
+          qualified: ['proposal', 'lost'],
+          proposal: ['negotiation', 'won', 'lost'],
+          negotiation: ['won', 'lost'],
+          won: [],
+          lost: ['lead'],
+        },
+      },
+    },
+  ],
+  relations: {
+    account: { belongsTo: 'account', localKey: 'parentAccountId' },
+    activities: { hasMany: 'activity', foreignKey: 'dealId' },
+  },
+  aggregations: [
+    {
+      name: 'pipelineByStage',
+      description: 'Total amount and count grouped by deal stage.',
+      pipeline: [
+        { $group: { _id: '$stage', total: { $sum: '$amount' }, count: { $sum: 1 } } },
+        { $sort: { total: -1 } },
+      ],
+      cache: { ttlSeconds: 30 },
+    },
+    {
+      name: 'wonByMonth',
+      description: 'Sum of won-deal amounts grouped by close month.',
+      // `closedAt` is optional, so $year/$month would throw on rows
+      // where the field is null or missing. The $type filter keeps
+      // only documents whose closedAt is actually a Date — anything
+      // else (null, missing, accidental string) is excluded before
+      // it reaches the date operators.
+      pipeline: [
+        { $match: { stage: 'won', closedAt: { $type: 'date' } } },
+        {
+          $group: {
+            _id: {
+              year: { $year: '$closedAt' },
+              month: { $month: '$closedAt' },
+            },
+            total: { $sum: '$amount' },
+            count: { $sum: 1 },
+          },
+        },
+        { $sort: { '_id.year': 1, '_id.month': 1 } },
+      ],
+      cache: { ttlSeconds: 60 },
+    },
+  ],
+};

package/templates/crm/seed.js

@@ -0,0 +1,124 @@
+'use strict';
+require('dotenv').config();
+
+const port = process.env.API_PORT || 5050;
+const base = `http://127.0.0.1:${port}`;
+const DEMO_EMAIL = 'demo@example.com';
+const DEMO_PASSWORD = 'demo-password!';
+
+async function fetchJson(path, opts = {}) {
+  const res = await fetch(base + path, {
+    ...opts,
+    headers: { 'Content-Type': 'application/json', ...(opts.headers || {}) },
+  });
+  const text = await res.text();
+  let body;
+  try { body = text ? JSON.parse(text) : null; } catch { body = text; }
+  return { status: res.status, body };
+}
+
+async function ensureDemoUser() {
+  let r = await fetchJson('/login', {
+    method: 'POST',
+    body: JSON.stringify({ email: DEMO_EMAIL, password: DEMO_PASSWORD }),
+  });
+  if (r.status === 200) return r.body.accessToken;
+  r = await fetchJson('/register', {
+    method: 'POST',
+    body: JSON.stringify({
+      first_name: 'Demo',
+      last_name: 'User',
+      email: DEMO_EMAIL,
+      password: DEMO_PASSWORD,
+    }),
+  });
+  if (r.status !== 201) throw new Error(`register: ${r.status} ${JSON.stringify(r.body)}`);
+  return r.body.accessToken;
+}
+
+async function post(path, body, auth) {
+  const r = await fetchJson(path, { method: 'POST', headers: auth, body: JSON.stringify(body) });
+  if (r.status !== 201) throw new Error(`${path}: ${r.status} ${JSON.stringify(r.body)}`);
+  return r.body;
+}
+
+async function put(path, body, auth) {
+  const r = await fetchJson(path, { method: 'PUT', headers: auth, body: JSON.stringify(body) });
+  if (r.status !== 200) throw new Error(`${path}: ${r.status} ${JSON.stringify(r.body)}`);
+  return r.body;
+}
+
+async function main() {
+  const token = await ensureDemoUser();
+  const auth = { Authorization: `Bearer ${token}` };
+
+  const acme = await post('/api/v1/account', {
+    name: 'Acme Industrial',
+    industry: 'manufacturing',
+    employees: 250,
+    description: 'Long-running industrial customer; multi-site rollout.',
+  }, auth);
+
+  const globex = await post('/api/v1/account', {
+    name: 'Globex Logistics',
+    industry: 'transport',
+    employees: 1200,
+  }, auth);
+
+  await post('/api/v1/contact', {
+    parentAccountId: acme._id,
+    firstName: 'Jane',
+    lastName: 'Doe',
+    email: 'jane@acme.example',
+    role: 'CTO',
+    isPrimary: true,
+  }, auth);
+  await post('/api/v1/contact', {
+    parentAccountId: acme._id,
+    firstName: 'John',
+    lastName: 'Smith',
+    email: 'john@acme.example',
+    role: 'VP Eng',
+  }, auth);
+  await post('/api/v1/contact', {
+    parentAccountId: globex._id,
+    firstName: 'Maria',
+    lastName: 'Lopez',
+    email: 'maria@globex.example',
+    role: 'CIO',
+    isPrimary: true,
+  }, auth);
+
+  const dealA = await post('/api/v1/deal', {
+    parentAccountId: acme._id,
+    title: 'Q1 expansion',
+    amount: 50000,
+    expectedCloseAt: new Date(Date.now() + 30 * 24 * 3600e3),
+  }, auth);
+  await put(`/api/v1/deal/${dealA._id}`, { stage: 'qualified' }, auth);
+  await put(`/api/v1/deal/${dealA._id}`, { stage: 'proposal' }, auth);
+
+  const dealB = await post('/api/v1/deal', {
+    parentAccountId: globex._id,
+    title: 'EU rollout',
+    amount: 120000,
+  }, auth);
+  await put(`/api/v1/deal/${dealB._id}`, { stage: 'qualified' }, auth);
+
+  const dealClosed = await post('/api/v1/deal', {
+    parentAccountId: acme._id,
+    title: 'Renewal 2024',
+    amount: 75000,
+  }, auth);
+  await put(`/api/v1/deal/${dealClosed._id}`, { stage: 'qualified' }, auth);
+  await put(`/api/v1/deal/${dealClosed._id}`, { stage: 'proposal' }, auth);
+  await put(`/api/v1/deal/${dealClosed._id}`, { stage: 'won', closedAt: new Date() }, auth);
+
+  process.stdout.write(`Seeded 2 accounts, 3 contacts, 3 deals as ${DEMO_EMAIL}.\n`);
+  process.stdout.write(`Sign in with: ${DEMO_EMAIL} / ${DEMO_PASSWORD}\n`);
+}
+
+main().catch((err) => {
+  process.stderr.write(`\nSeed failed: ${err.message}\n`);
+  process.exit(1);
+});

package/templates/ticketing/README.md

@@ -0,0 +1,46 @@
+# Ticketing template
+
+A help-desk skeleton with **two state machines on one schema** (status + priority), full-text search, an internal-only comment field gated by ACL, and aggregations for triage views.
+
+## Resources
+
+| Resource | Purpose |
+|----------|---------|
+| `ticket` | The work item. `status` flows `open → in_progress → resolved → closed` (with reopen). `priority` flows `low ↔ normal ↔ high ↔ urgent` (no skipping levels). |
+| `comment` | Replies on a ticket. `internal` is a flag gated by field-level ACL (`read: ['staff','admin']`) — non-staff callers don't see the flag. Note: this hides the **flag**, not the comment body. To make staff-only notes truly invisible to customers (no body, no metadata), model them as a separate resource so they never appear in `list` queries. |
+
+## Aggregations
+
+- `ticket.byStatus` — counts grouped by status. Cached 15s.
+- `ticket.urgentOpen` — currently-burning tickets, newest first. Capped at 50.
+
+## Worked example
+
+```bash
+TOKEN=$(curl -s -X POST http://localhost:5050/login \
+  -H 'Content-Type: application/json' \
+  -d '{"email":"a@b.com","password":"pw12345!"}' | jq -r .accessToken)
+
+# Create a ticket — initial status = "open", initial priority = "normal"
+T=$(curl -s -X POST http://localhost:5050/api/v1/ticket \
+  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
+  -d '{"title":"Login broken","body":"500 on /login","reporterId":"u1"}' | jq -r ._id)
+
+# Take it
+curl -s -X PUT "http://localhost:5050/api/v1/ticket/$T" \
+  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
+  -d '{"status":"in_progress","assigneeId":"u2"}'
+
+# Try to skip stages — rejected with 400 INVALID_TRANSITION
+curl -s -X PUT "http://localhost:5050/api/v1/ticket/$T" \
+  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
+  -d '{"priority":"urgent"}'    # normal → urgent isn't allowed; must go via high
+
+# Triage view
+curl http://localhost:5050/api/v1/ticket/aggregations/byStatus \
+  -H "Authorization: Bearer $TOKEN" | jq
+```
+
+## With Claude Code
+
+> Add an SLA computed field to ticket: number of minutes since `createdAt` if status isn't `resolved`/`closed`, else 0.

package/templates/ticketing/schema/versions/v1/comment.js

@@ -0,0 +1,26 @@
+module.exports = {
+  path: 'comment',
+  collection: 'comment',
+  fields: [
+    { name: 'userId', type: String, required: true },
+    { name: 'ticketId', type: String, required: true },
+    { name: 'body', type: String, required: true, searchable: true },
+    {
+      name: 'internal',
+      type: Boolean,
+      default: false,
+      // The `internal` flag itself is hidden from callers without
+      // staff/admin roles via field-level ACL. NB: this hides the
+      // FLAG, not the comment body — field-level ACL only strips
+      // the named field. To make staff-only notes truly private to
+      // customers, model them as a separate resource so list/get
+      // queries never return them, or apply a list-time filter in
+      // a custom route. See the README walkthrough.
+      acl: { read: ['staff', 'admin'] },
+    },
+    { name: 'authorName', type: String },
+  ],
+  relations: {
+    ticket: { belongsTo: 'ticket', localKey: 'ticketId' },
+  },
+};

package/templates/ticketing/schema/versions/v1/ticket.js

@@ -0,0 +1,65 @@
+module.exports = {
+  path: 'ticket',
+  collection: 'ticket',
+  fields: [
+    { name: 'userId', type: String, required: true },
+    { name: 'title', type: String, required: true, searchable: true, searchWeight: 5 },
+    { name: 'body', type: String, searchable: true },
+    {
+      name: 'priority',
+      type: String,
+      stateMachine: {
+        // priority is also a state machine — escalation has rules.
+        initial: 'normal',
+        states: ['low', 'normal', 'high', 'urgent'],
+        transitions: {
+          low: ['normal'],
+          normal: ['low', 'high'],
+          high: ['normal', 'urgent'],
+          urgent: ['high'],
+        },
+      },
+    },
+    {
+      name: 'status',
+      type: String,
+      stateMachine: {
+        initial: 'open',
+        states: ['open', 'in_progress', 'resolved', 'closed', 'reopened'],
+        transitions: {
+          open: ['in_progress', 'closed'],
+          in_progress: ['resolved', 'open'],
+          resolved: ['closed', 'reopened'],
+          closed: ['reopened'],
+          reopened: ['in_progress', 'closed'],
+        },
+      },
+    },
+    { name: 'assigneeId', type: String },
+    { name: 'reporterId', type: String, required: true },
+    { name: 'resolvedAt', type: Date },
+  ],
+  relations: {
+    comments: { hasMany: 'comment', foreignKey: 'ticketId' },
+  },
+  aggregations: [
+    {
+      name: 'byStatus',
+      description: 'Ticket count grouped by current status.',
+      pipeline: [
+        { $group: { _id: '$status', count: { $sum: 1 } } },
+        { $sort: { count: -1 } },
+      ],
+      cache: { ttlSeconds: 15 },
+    },
+    {
+      name: 'urgentOpen',
+      description: 'Open or in-progress urgent tickets, newest first.',
+      pipeline: [
+        { $match: { priority: 'urgent', status: { $in: ['open', 'in_progress'] } } },
+        { $sort: { createdAt: -1 } },
+      ],
+      maxResults: 50,
+    },
+  ],
+};

package/templates/ticketing/seed.js

@@ -0,0 +1,97 @@
+'use strict';
+require('dotenv').config();
+
+const port = process.env.API_PORT || 5050;
+const base = `http://127.0.0.1:${port}`;
+const DEMO_EMAIL = 'demo@example.com';
+const DEMO_PASSWORD = 'demo-password!';
+
+async function fetchJson(path, opts = {}) {
+  const res = await fetch(base + path, {
+    ...opts,
+    headers: { 'Content-Type': 'application/json', ...(opts.headers || {}) },
+  });
+  const text = await res.text();
+  let body;
+  try { body = text ? JSON.parse(text) : null; } catch { body = text; }
+  return { status: res.status, body };
+}
+
+async function ensureDemoUser() {
+  let r = await fetchJson('/login', {
+    method: 'POST',
+    body: JSON.stringify({ email: DEMO_EMAIL, password: DEMO_PASSWORD }),
+  });
+  if (r.status === 200) return r.body.accessToken;
+  r = await fetchJson('/register', {
+    method: 'POST',
+    body: JSON.stringify({
+      first_name: 'Demo', last_name: 'User',
+      email: DEMO_EMAIL, password: DEMO_PASSWORD,
+    }),
+  });
+  if (r.status !== 201) throw new Error(`register: ${r.status} ${JSON.stringify(r.body)}`);
+  return r.body.accessToken;
+}
+
+async function post(path, body, auth) {
+  const r = await fetchJson(path, { method: 'POST', headers: auth, body: JSON.stringify(body) });
+  if (r.status !== 201) throw new Error(`${path}: ${r.status} ${JSON.stringify(r.body)}`);
+  return r.body;
+}
+
+async function put(path, body, auth) {
+  const r = await fetchJson(path, { method: 'PUT', headers: auth, body: JSON.stringify(body) });
+  if (r.status !== 200) throw new Error(`${path}: ${r.status} ${JSON.stringify(r.body)}`);
+  return r.body;
+}
+
+async function main() {
+  const token = await ensureDemoUser();
+  const auth = { Authorization: `Bearer ${token}` };
+
+  // Mix of states + priorities so the byStatus / urgentOpen
+  // aggregations have something interesting to return.
+  const open = await post('/api/v1/ticket', {
+    title: 'Login broken on mobile Safari',
+    body: 'Steps: open / on iOS 17, tap login, get blank page.',
+    reporterId: 'demo',
+  }, auth);
+
+  const inProgress = await post('/api/v1/ticket', {
+    title: 'Slow query on /accounts list',
+    body: 'p95 hit 3s after the last deploy.',
+    reporterId: 'demo',
+  }, auth);
+  await put(`/api/v1/ticket/${inProgress._id}`, { status: 'in_progress', priority: 'high' }, auth);
+
+  const urgent = await post('/api/v1/ticket', {
+    title: 'Outage: webhook delivery failing',
+    body: 'Stripe webhooks bouncing 500 since 14:00 UTC.',
+    reporterId: 'demo',
+  }, auth);
+  await put(`/api/v1/ticket/${urgent._id}`, { priority: 'high' }, auth);
+  await put(`/api/v1/ticket/${urgent._id}`, { priority: 'urgent', status: 'in_progress' }, auth);
+
+  const resolved = await post('/api/v1/ticket', {
+    title: 'Typo in welcome email',
+    body: 'Says "Welome".',
+    reporterId: 'demo',
+  }, auth);
+  await put(`/api/v1/ticket/${resolved._id}`, { status: 'in_progress' }, auth);
+  await put(`/api/v1/ticket/${resolved._id}`, { status: 'resolved', resolvedAt: new Date() }, auth);
+
+  await post('/api/v1/comment', {
+    ticketId: inProgress._id,
+    body: 'Looks like the new index isn\'t being used. Investigating.',
+    authorName: 'Demo',
+  }, auth);
+
+  process.stdout.write(`Seeded 4 tickets across all states + 1 comment as ${DEMO_EMAIL}.\n`);
+  process.stdout.write(`Sign in with: ${DEMO_EMAIL} / ${DEMO_PASSWORD}\n`);
+}
+
+main().catch((err) => {
+  process.stderr.write(`\nSeed failed: ${err.message}\n`);
+  process.exit(1);
+});