create-forgeon 0.1.34 → 0.1.36

package/src/modules/logger.mjs

@@ -71,6 +71,48 @@ function upsertEnvLines(filePath, lines) {
   fs.writeFileSync(filePath, next.replace(/^\n/, ''), 'utf8');
 }
 
+function ensureLoadItem(content, itemName) {
+  const pattern = /load:\s*\[([^\]]*)\]/m;
+  const match = content.match(pattern);
+  if (!match) {
+    return content;
+  }
+
+  const rawList = match[1];
+  const items = rawList
+    .split(',')
+    .map((item) => item.trim())
+    .filter(Boolean);
+
+  if (!items.includes(itemName)) {
+    items.push(itemName);
+  }
+
+  const next = `load: [${items.join(', ')}]`;
+  return content.replace(pattern, next);
+}
+
+function ensureValidatorSchema(content, schemaName) {
+  const pattern = /validate:\s*createEnvValidator\(\[([^\]]*)\]\)/m;
+  const match = content.match(pattern);
+  if (!match) {
+    return content;
+  }
+
+  const rawList = match[1];
+  const items = rawList
+    .split(',')
+    .map((item) => item.trim())
+    .filter(Boolean);
+
+  if (!items.includes(schemaName)) {
+    items.push(schemaName);
+  }
+
+  const next = `validate: createEnvValidator([${items.join(', ')}])`;
+  return content.replace(pattern, next);
+}
+
 function patchApiPackage(targetRoot) {
   const packagePath = path.join(targetRoot, 'apps', 'api', 'package.json');
   if (!fs.existsSync(packagePath)) {
@@ -141,28 +183,32 @@ function patchAppModule(targetRoot) {
 
   let content = fs.readFileSync(filePath, 'utf8').replace(/\r\n/g, '\n');
 
-  content = ensureLineAfter(
-    content,
-    "import { dbPrismaConfig, dbPrismaEnvSchema, DbPrismaModule } from '@forgeon/db-prisma';",
-    "import { ForgeonLoggerModule, loggerConfig, loggerEnvSchema } from '@forgeon/logger';",
-  );
+  if (!content.includes("from '@forgeon/logger';")) {
+    if (content.includes("import { ForgeonSwaggerModule, swaggerConfig, swaggerEnvSchema } from '@forgeon/swagger';")) {
+      content = ensureLineAfter(
+        content,
+        "import { ForgeonSwaggerModule, swaggerConfig, swaggerEnvSchema } from '@forgeon/swagger';",
+        "import { ForgeonLoggerModule, loggerConfig, loggerEnvSchema } from '@forgeon/logger';",
+      );
+    } else if (
+      content.includes("import { dbPrismaConfig, dbPrismaEnvSchema, DbPrismaModule } from '@forgeon/db-prisma';")
+    ) {
+      content = ensureLineAfter(
+        content,
+        "import { dbPrismaConfig, dbPrismaEnvSchema, DbPrismaModule } from '@forgeon/db-prisma';",
+        "import { ForgeonLoggerModule, loggerConfig, loggerEnvSchema } from '@forgeon/logger';",
+      );
+    } else {
+      content = ensureLineAfter(
+        content,
+        "import { ConfigModule } from '@nestjs/config';",
+        "import { ForgeonLoggerModule, loggerConfig, loggerEnvSchema } from '@forgeon/logger';",
+      );
+    }
+  }
 
-  content = content.replace(
-    'load: [coreConfig, dbPrismaConfig, i18nConfig],',
-    'load: [coreConfig, dbPrismaConfig, i18nConfig, loggerConfig],',
-  );
-  content = content.replace(
-    'load: [coreConfig, dbPrismaConfig],',
-    'load: [coreConfig, dbPrismaConfig, loggerConfig],',
-  );
-  content = content.replace(
-    'validate: createEnvValidator([coreEnvSchema, dbPrismaEnvSchema, i18nEnvSchema]),',
-    'validate: createEnvValidator([coreEnvSchema, dbPrismaEnvSchema, i18nEnvSchema, loggerEnvSchema]),',
-  );
-  content = content.replace(
-    'validate: createEnvValidator([coreEnvSchema, dbPrismaEnvSchema]),',
-    'validate: createEnvValidator([coreEnvSchema, dbPrismaEnvSchema, loggerEnvSchema]),',
-  );
+  content = ensureLoadItem(content, 'loggerConfig');
+  content = ensureValidatorSchema(content, 'loggerEnvSchema');
 
   content = ensureLineAfter(content, '    CoreErrorsModule,', '    ForgeonLoggerModule,');
 
@@ -177,16 +223,19 @@ function patchApiDockerfile(targetRoot) {
 
   let content = fs.readFileSync(dockerfilePath, 'utf8').replace(/\r\n/g, '\n');
 
+  const packageAnchor = content.includes('COPY packages/db-prisma/package.json packages/db-prisma/package.json')
+    ? 'COPY packages/db-prisma/package.json packages/db-prisma/package.json'
+    : 'COPY packages/core/package.json packages/core/package.json';
   content = ensureLineAfter(
     content,
-    'COPY packages/db-prisma/package.json packages/db-prisma/package.json',
+    packageAnchor,
     'COPY packages/logger/package.json packages/logger/package.json',
   );
-  content = ensureLineAfter(
-    content,
-    'COPY packages/db-prisma packages/db-prisma',
-    'COPY packages/logger packages/logger',
-  );
+
+  const sourceAnchor = content.includes('COPY packages/db-prisma packages/db-prisma')
+    ? 'COPY packages/db-prisma packages/db-prisma'
+    : 'COPY packages/core packages/core';
+  content = ensureLineAfter(content, sourceAnchor, 'COPY packages/logger packages/logger');
 
   content = content.replace(/^RUN pnpm --filter @forgeon\/logger build\r?\n?/gm, '');
   content = ensureLineBefore(

package/src/modules/registry.mjs

@@ -1,4 +1,12 @@
 const MODULE_PRESETS = {
+  'db-prisma': {
+    id: 'db-prisma',
+    label: 'DB Prisma',
+    category: 'database-layer',
+    implemented: true,
+    description: 'Prisma/Postgres module wiring with env config, scripts, and DB probe endpoint.',
+    docFragments: ['00_title', '10_overview', '20_scope', '90_status_implemented'],
+  },
   i18n: {
     id: 'i18n',
     label: 'I18n',
@@ -24,13 +32,13 @@ const MODULE_PRESETS = {
     docFragments: ['00_title', '10_overview', '20_scope', '90_status_implemented'],
   },
   'jwt-auth': {
-    id: 'jwt-auth',
-    label: 'JWT Auth',
-    category: 'auth-security',
-    implemented: false,
-    description: 'JWT auth preset with guards and passport strategy wiring.',
-    docFragments: ['00_title', '10_overview', '20_scope', '90_status_planned'],
-  },
+    id: 'jwt-auth',
+    label: 'JWT Auth',
+    category: 'auth-security',
+    implemented: true,
+    description: 'JWT auth preset with contracts/api module split, guard+strategy, and DB-aware refresh token storage wiring.',
+    docFragments: ['00_title', '10_overview', '20_scope', '90_status_implemented'],
+  },
   queue: {
     id: 'queue',
     label: 'Queue Worker',

package/src/modules/swagger.mjs

@@ -197,6 +197,12 @@ function patchAppModule(targetRoot) {
         "import { dbPrismaConfig, dbPrismaEnvSchema, DbPrismaModule } from '@forgeon/db-prisma';",
         "import { ForgeonSwaggerModule, swaggerConfig, swaggerEnvSchema } from '@forgeon/swagger';",
       );
+    } else {
+      content = ensureLineAfter(
+        content,
+        "import { ConfigModule } from '@nestjs/config';",
+        "import { ForgeonSwaggerModule, swaggerConfig, swaggerEnvSchema } from '@forgeon/swagger';",
+      );
     }
   }
 
@@ -218,7 +224,9 @@ function patchApiDockerfile(targetRoot) {
 
   const packageAnchor = content.includes('COPY packages/logger/package.json packages/logger/package.json')
     ? 'COPY packages/logger/package.json packages/logger/package.json'
-    : 'COPY packages/db-prisma/package.json packages/db-prisma/package.json';
+    : content.includes('COPY packages/db-prisma/package.json packages/db-prisma/package.json')
+      ? 'COPY packages/db-prisma/package.json packages/db-prisma/package.json'
+      : 'COPY packages/core/package.json packages/core/package.json';
   content = ensureLineAfter(
     content,
     packageAnchor,
@@ -227,7 +235,9 @@ function patchApiDockerfile(targetRoot) {
 
   const sourceAnchor = content.includes('COPY packages/logger packages/logger')
     ? 'COPY packages/logger packages/logger'
-    : 'COPY packages/db-prisma packages/db-prisma';
+    : content.includes('COPY packages/db-prisma packages/db-prisma')
+      ? 'COPY packages/db-prisma packages/db-prisma'
+      : 'COPY packages/core packages/core';
   content = ensureLineAfter(content, sourceAnchor, 'COPY packages/swagger packages/swagger');
 
   content = content.replace(/^RUN pnpm --filter @forgeon\/swagger build\r?\n?/gm, '');

package/templates/module-fragments/db-prisma/00_title.md

@@ -0,0 +1,6 @@
+# {{MODULE_LABEL}}
+
+- Id: `{{MODULE_ID}}`
+- Category: `{{MODULE_CATEGORY}}`
+- Status: {{MODULE_STATUS}}
+

package/templates/module-fragments/db-prisma/10_overview.md

@@ -0,0 +1,10 @@
+## Overview
+
+Adds Prisma/Postgres database wiring to the API.
+
+Included parts:
+- `@forgeon/db-prisma` package
+- Prisma schema + migration files in `apps/api/prisma`
+- API scripts for `prisma generate/migrate/studio/seed`
+- DB health probe endpoint wiring
+

package/templates/module-fragments/db-prisma/20_scope.md

@@ -0,0 +1,14 @@
+## Applied Scope
+
+- Adds `packages/db-prisma` workspace package
+- Restores/creates `apps/api/prisma` schema and migrations
+- Wires db config/env schema into API `ConfigModule` load/validation
+- Registers `DbPrismaModule` in API `AppModule`
+- Ensures `PrismaService` is available in health controller (`POST /api/health/db`)
+- Updates API scripts and dependencies for Prisma workflows
+- Updates API Docker build steps to include db package and prisma generate
+- Ensures `DATABASE_URL` in:
+  - `apps/api/.env.example`
+  - `infra/docker/.env.example`
+  - `infra/docker/compose.yml`
+

package/templates/module-fragments/db-prisma/90_status_implemented.md

@@ -0,0 +1,4 @@
+## Status
+
+Implemented and applied by `create-forgeon add db-prisma`.
+

package/templates/module-fragments/jwt-auth/20_scope.md

@@ -1,7 +1,17 @@
-## Scope (Planned)
-
-Planned implementation target:
-
-1. Add reusable auth package wiring under `packages/*`.
-2. Add NestJS guard + strategy integration in `apps/api`.
-3. Add env docs and usage examples.
+## Scope
+
+Implemented scope:
+
+1. Split into reusable packages:
+   - `@forgeon/auth-contracts`
+   - `@forgeon/auth-api`
+2. API runtime:
+   - JWT login/refresh/logout/me endpoints
+   - `JwtStrategy` + `JwtAuthGuard`
+   - `authConfig` + `authEnvSchema` wiring through root `ConfigModule` validator chain
+3. DB behavior:
+   - if supported DB adapter is present (`db-prisma`), refresh token hash persistence is auto-wired
+   - if DB is missing/unsupported, module installs in stateless mode and prints red warning
+4. Module checks:
+   - API probe endpoint: `GET /api/health/auth`
+   - default web probe button + result block

package/templates/module-fragments/jwt-auth/90_status_implemented.md

@@ -0,0 +1,7 @@
+## Current State
+
+Status: implemented.
+
+Notes:
+- DB adapter auto-detection is currently implemented for `db-prisma`.
+- Unknown/missing DB adapter falls back to stateless refresh flow with explicit warning.

package/templates/module-presets/jwt-auth/apps/api/prisma/migrations/0002_auth_refresh_token_hash/migration.sql

@@ -0,0 +1,3 @@
+-- AlterTable
+ALTER TABLE "User"
+ADD COLUMN "refreshTokenHash" TEXT;

package/templates/module-presets/jwt-auth/apps/api/src/auth/prisma-auth-refresh-token.store.ts

@@ -0,0 +1,36 @@
+import {
+  AuthRefreshTokenStore,
+} from '@forgeon/auth-api';
+import { PrismaService } from '@forgeon/db-prisma';
+import { Injectable } from '@nestjs/common';
+
+@Injectable()
+export class PrismaAuthRefreshTokenStore implements AuthRefreshTokenStore {
+  readonly kind = 'prisma';
+
+  constructor(private readonly prisma: PrismaService) {}
+
+  async saveRefreshTokenHash(subject: string, hash: string): Promise<void> {
+    await this.prisma.user.upsert({
+      where: { email: subject },
+      create: { email: subject, refreshTokenHash: hash },
+      update: { refreshTokenHash: hash },
+      select: { id: true },
+    });
+  }
+
+  async getRefreshTokenHash(subject: string): Promise<string | null> {
+    const user = await this.prisma.user.findUnique({
+      where: { email: subject },
+      select: { refreshTokenHash: true },
+    });
+    return user?.refreshTokenHash ?? null;
+  }
+
+  async removeRefreshTokenHash(subject: string): Promise<void> {
+    await this.prisma.user.updateMany({
+      where: { email: subject },
+      data: { refreshTokenHash: null },
+    });
+  }
+}

package/templates/module-presets/jwt-auth/packages/auth-api/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "@forgeon/auth-api",
+  "version": "0.1.0",
+  "private": true,
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc -p tsconfig.json"
+  },
+  "dependencies": {
+    "@forgeon/auth-contracts": "workspace:*",
+    "@nestjs/common": "^11.0.1",
+    "@nestjs/config": "^4.0.2",
+    "@nestjs/jwt": "^11.0.1",
+    "@nestjs/passport": "^11.0.5",
+    "bcryptjs": "^2.4.3",
+    "class-validator": "^0.14.1",
+    "passport": "^0.7.0",
+    "passport-jwt": "^4.0.1",
+    "zod": "^3.23.8"
+  },
+  "devDependencies": {
+    "@types/bcryptjs": "^2.4.6",
+    "@types/node": "^22.10.7",
+    "@types/passport-jwt": "^4.0.1",
+    "typescript": "^5.7.3"
+  }
+}

package/templates/module-presets/jwt-auth/packages/auth-api/src/auth-config.loader.ts

@@ -0,0 +1,27 @@
+import { registerAs } from '@nestjs/config';
+import { parseAuthEnv } from './auth-env.schema';
+
+export const AUTH_CONFIG_NAMESPACE = 'auth';
+
+export interface AuthConfigValues {
+  accessSecret: string;
+  accessExpiresIn: string;
+  refreshSecret: string;
+  refreshExpiresIn: string;
+  bcryptRounds: number;
+  demoEmail: string;
+  demoPassword: string;
+}
+
+export const authConfig = registerAs(AUTH_CONFIG_NAMESPACE, (): AuthConfigValues => {
+  const env = parseAuthEnv(process.env);
+  return {
+    accessSecret: env.JWT_ACCESS_SECRET,
+    accessExpiresIn: env.JWT_ACCESS_EXPIRES_IN,
+    refreshSecret: env.JWT_REFRESH_SECRET,
+    refreshExpiresIn: env.JWT_REFRESH_EXPIRES_IN,
+    bcryptRounds: env.AUTH_BCRYPT_ROUNDS,
+    demoEmail: env.AUTH_DEMO_EMAIL.toLowerCase(),
+    demoPassword: env.AUTH_DEMO_PASSWORD,
+  };
+});

package/templates/module-presets/jwt-auth/packages/auth-api/src/auth-config.module.ts

@@ -0,0 +1,8 @@
+import { Module } from '@nestjs/common';
+import { AuthConfigService } from './auth-config.service';
+
+@Module({
+  providers: [AuthConfigService],
+  exports: [AuthConfigService],
+})
+export class AuthConfigModule {}

package/templates/module-presets/jwt-auth/packages/auth-api/src/auth-config.service.ts

@@ -0,0 +1,36 @@
+import { Injectable } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { AUTH_CONFIG_NAMESPACE } from './auth-config.loader';
+
+@Injectable()
+export class AuthConfigService {
+  constructor(private readonly configService: ConfigService) {}
+
+  get accessSecret(): string {
+    return this.configService.getOrThrow<string>(`${AUTH_CONFIG_NAMESPACE}.accessSecret`);
+  }
+
+  get accessExpiresIn(): string {
+    return this.configService.getOrThrow<string>(`${AUTH_CONFIG_NAMESPACE}.accessExpiresIn`);
+  }
+
+  get refreshSecret(): string {
+    return this.configService.getOrThrow<string>(`${AUTH_CONFIG_NAMESPACE}.refreshSecret`);
+  }
+
+  get refreshExpiresIn(): string {
+    return this.configService.getOrThrow<string>(`${AUTH_CONFIG_NAMESPACE}.refreshExpiresIn`);
+  }
+
+  get bcryptRounds(): number {
+    return this.configService.getOrThrow<number>(`${AUTH_CONFIG_NAMESPACE}.bcryptRounds`);
+  }
+
+  get demoEmail(): string {
+    return this.configService.getOrThrow<string>(`${AUTH_CONFIG_NAMESPACE}.demoEmail`);
+  }
+
+  get demoPassword(): string {
+    return this.configService.getOrThrow<string>(`${AUTH_CONFIG_NAMESPACE}.demoPassword`);
+  }
+}

package/templates/module-presets/jwt-auth/packages/auth-api/src/auth-env.schema.ts

@@ -0,0 +1,19 @@
+import { z } from 'zod';
+
+export const authEnvSchema = z
+  .object({
+    JWT_ACCESS_SECRET: z.string().trim().min(16).default('forgeon-access-secret-change-me'),
+    JWT_ACCESS_EXPIRES_IN: z.string().trim().min(2).default('15m'),
+    JWT_REFRESH_SECRET: z.string().trim().min(16).default('forgeon-refresh-secret-change-me'),
+    JWT_REFRESH_EXPIRES_IN: z.string().trim().min(2).default('7d'),
+    AUTH_BCRYPT_ROUNDS: z.coerce.number().int().min(4).max(15).default(10),
+    AUTH_DEMO_EMAIL: z.string().trim().email().default('demo@forgeon.local'),
+    AUTH_DEMO_PASSWORD: z.string().min(8).default('forgeon-demo-password'),
+  })
+  .passthrough();
+
+export type AuthEnv = z.infer<typeof authEnvSchema>;
+
+export function parseAuthEnv(input: Record<string, unknown>): AuthEnv {
+  return authEnvSchema.parse(input);
+}

package/templates/module-presets/jwt-auth/packages/auth-api/src/auth-refresh-token.store.ts

@@ -0,0 +1,23 @@
+import { Injectable } from '@nestjs/common';
+
+export const AUTH_REFRESH_TOKEN_STORE = Symbol('AUTH_REFRESH_TOKEN_STORE');
+
+export interface AuthRefreshTokenStore {
+  readonly kind: string;
+  saveRefreshTokenHash(subject: string, hash: string): Promise<void>;
+  getRefreshTokenHash(subject: string): Promise<string | null>;
+  removeRefreshTokenHash(subject: string): Promise<void>;
+}
+
+@Injectable()
+export class NoopAuthRefreshTokenStore implements AuthRefreshTokenStore {
+  readonly kind = 'none';
+
+  async saveRefreshTokenHash(): Promise<void> {}
+
+  async getRefreshTokenHash(): Promise<string | null> {
+    return null;
+  }
+
+  async removeRefreshTokenHash(): Promise<void> {}
+}

package/templates/module-presets/jwt-auth/packages/auth-api/src/auth.controller.ts

@@ -0,0 +1,71 @@
+import { AuthUser } from '@forgeon/auth-contracts';
+import {
+  Body,
+  Controller,
+  Get,
+  Post,
+  Req,
+  UseGuards,
+} from '@nestjs/common';
+import { AuthService } from './auth.service';
+import { LoginDto, RefreshDto } from './dto';
+import { JwtAuthGuard } from './jwt-auth.guard';
+import { AuthJwtPayload } from './auth.types';
+
+type RequestWithUser = { user?: AuthJwtPayload };
+
+@Controller('auth')
+export class AuthController {
+  constructor(private readonly authService: AuthService) {}
+
+  @Post('login')
+  login(@Body() body: LoginDto) {
+    return this.authService.login(body);
+  }
+
+  @Post('refresh')
+  refresh(@Body() body: RefreshDto) {
+    return this.authService.refresh(body);
+  }
+
+  @UseGuards(JwtAuthGuard)
+  @Post('logout')
+  async logout(@Req() request: RequestWithUser) {
+    const user = this.getRequestUser(request);
+    await this.authService.logout(user);
+    return {
+      status: 'ok',
+      tokenStore: this.authService.getTokenStoreKind(),
+    };
+  }
+
+  @UseGuards(JwtAuthGuard)
+  @Get('me')
+  me(@Req() request: RequestWithUser) {
+    const user = this.getRequestUser(request);
+    return {
+      user: this.toAuthUser(user),
+      tokenStore: this.authService.getTokenStoreKind(),
+    };
+  }
+
+  private getRequestUser(request: RequestWithUser): AuthJwtPayload {
+    const user = request.user;
+    if (!user || typeof user.sub !== 'string' || typeof user.email !== 'string') {
+      return {
+        sub: 'unknown',
+        email: 'unknown@invalid.local',
+        roles: ['user'],
+      };
+    }
+    return user;
+  }
+
+  private toAuthUser(payload: AuthJwtPayload): AuthUser {
+    return {
+      sub: payload.sub,
+      email: payload.email,
+      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],
+    };
+  }
+}