create-forgeon 0.2.5 → 0.2.7

package/src/modules/registry.mjs

@@ -39,9 +39,45 @@ const MODULE_PRESETS = {
     description: 'JWT auth preset with contracts/api module split, guard+strategy, and DB-aware refresh token storage wiring.',
     docFragments: ['00_title', '10_overview', '20_scope', '90_status_implemented'],
   },
-  queue: {
-    id: 'queue',
-    label: 'Queue Worker',
+  'rate-limit': {
+    id: 'rate-limit',
+    label: 'Rate Limit',
+    category: 'auth-security',
+    implemented: true,
+    description: 'Request throttling preset with env-based limits, proxy-aware trust, and a runtime probe endpoint.',
+    docFragments: [
+      '00_title',
+      '10_overview',
+      '20_idea',
+      '30_what_it_adds',
+      '40_how_it_works',
+      '50_how_to_use',
+      '60_configuration',
+      '70_operational_notes',
+      '90_status_implemented',
+    ],
+  },
+  rbac: {
+    id: 'rbac',
+    label: 'RBAC / Permissions',
+    category: 'auth-security',
+    implemented: true,
+    description: 'Role and permission decorators with a Nest guard and a protected probe endpoint.',
+    docFragments: [
+      '00_title',
+      '10_overview',
+      '20_idea',
+      '30_what_it_adds',
+      '40_how_it_works',
+      '50_how_to_use',
+      '60_configuration',
+      '70_operational_notes',
+      '90_status_implemented',
+    ],
+  },
+  queue: {
+    id: 'queue',
+    label: 'Queue Worker',
     category: 'background-jobs',
     implemented: false,
     description: 'Queue processing preset (BullMQ-style app wiring).',

package/src/run-add-module.mjs

@@ -7,14 +7,81 @@ import { addModule } from './modules/executor.mjs';
 import { listModulePresets } from './modules/registry.mjs';
 import { printModuleAdded, runIntegrationFlow } from './integrations/flow.mjs';
 import { writeJson } from './utils/fs.mjs';
-
+
 function printModuleList() {
   const modules = listModulePresets();
   console.log('Available modules:');
   for (const moduleItem of modules) {
     const status = moduleItem.implemented ? 'implemented' : 'planned';
     console.log(`- ${moduleItem.id} (${status}) - ${moduleItem.description}`);
-  }
+  }
+}
+
+function toSortedObject(value) {
+  if (!value || typeof value !== 'object' || Array.isArray(value)) {
+    return {};
+  }
+
+  return Object.fromEntries(
+    Object.entries(value).sort(([left], [right]) => left.localeCompare(right)),
+  );
+}
+
+function collectDependencyManifestState(targetRoot) {
+  const state = new Map();
+  if (!fs.existsSync(targetRoot)) {
+    return state;
+  }
+
+  const queue = [targetRoot];
+  const skipDirs = new Set(['node_modules', '.git', 'dist', 'build']);
+
+  while (queue.length > 0) {
+    const currentDir = queue.shift();
+    const entries = fs.readdirSync(currentDir, { withFileTypes: true });
+
+    for (const entry of entries) {
+      if (entry.isDirectory()) {
+        if (!skipDirs.has(entry.name)) {
+          queue.push(path.join(currentDir, entry.name));
+        }
+        continue;
+      }
+
+      if (!entry.isFile() || entry.name !== 'package.json') {
+        continue;
+      }
+
+      const filePath = path.join(currentDir, entry.name);
+      const packageJson = JSON.parse(fs.readFileSync(filePath, 'utf8'));
+      const snapshot = {
+        name: packageJson.name ?? null,
+        dependencies: toSortedObject(packageJson.dependencies),
+        devDependencies: toSortedObject(packageJson.devDependencies),
+        optionalDependencies: toSortedObject(packageJson.optionalDependencies),
+        peerDependencies: toSortedObject(packageJson.peerDependencies),
+        onlyBuiltDependencies: Array.isArray(packageJson.pnpm?.onlyBuiltDependencies)
+          ? [...packageJson.pnpm.onlyBuiltDependencies].sort()
+          : [],
+      };
+
+      state.set(path.relative(targetRoot, filePath), JSON.stringify(snapshot));
+    }
+  }
+
+  return state;
+}
+
+function getChangedDependencyManifestPaths(beforeState, afterState) {
+  const changed = [];
+
+  for (const [filePath, nextSnapshot] of afterState.entries()) {
+    if (beforeState.get(filePath) !== nextSnapshot) {
+      changed.push(filePath);
+    }
+  }
+
+  return changed.sort();
 }
 
 function ensureSyncTooling({ packageRoot, targetRoot }) {
@@ -64,10 +131,11 @@ export async function runAddModule(argv = process.argv.slice(2)) {
     throw new Error('Module id is required. Use `create-forgeon add --list` to see available modules.');
   }
 
-  const srcDir = path.dirname(fileURLToPath(import.meta.url));
-  const packageRoot = path.resolve(srcDir, '..');
-  const targetRoot = path.resolve(process.cwd(), options.project);
-
+  const srcDir = path.dirname(fileURLToPath(import.meta.url));
+  const packageRoot = path.resolve(srcDir, '..');
+  const targetRoot = path.resolve(process.cwd(), options.project);
+  const dependencyManifestStateBefore = collectDependencyManifestState(targetRoot);
+
   const result = addModule({
     moduleId: options.moduleId,
     targetRoot,
@@ -80,4 +148,13 @@ export async function runAddModule(argv = process.argv.slice(2)) {
     packageRoot,
     relatedModuleId: result.preset.id,
   });
+
+  const dependencyManifestStateAfter = collectDependencyManifestState(targetRoot);
+  const changedDependencyManifestPaths = getChangedDependencyManifestPaths(
+    dependencyManifestStateBefore,
+    dependencyManifestStateAfter,
+  );
+  if (changedDependencyManifestPaths.length > 0) {
+    console.log('Next: run pnpm install');
+  }
 }

package/templates/base/README.md

@@ -37,9 +37,9 @@ pnpm forgeon:sync-integrations
 ```
 
 Current sync coverage:
-- `jwt-auth + swagger`: adds OpenAPI decorators for auth controller/DTOs.
+- `jwt-auth + db-prisma`: wires persistent refresh-token storage for auth.
 
-`create-forgeon add <module>` also runs integration sync automatically (best effort).
+`create-forgeon add <module>` scans for relevant integration groups and can apply them immediately.
 
 ## i18n Configuration
 

package/templates/base/docs/AI/MODULE_SPEC.md

@@ -4,11 +4,15 @@
 
 Define one repeatable fullstack pattern for Forgeon add-modules.
 
-Each feature module should be split into:
+Most feature modules should be split into:
 
-1. `@forgeon/<feature>-contracts`
-2. `@forgeon/<feature>-api`
-3. `@forgeon/<feature>-web`
+1. `@forgeon/<feature>-contracts`
+2. `@forgeon/<feature>-api`
+3. `@forgeon/<feature>-web`
+
+Exception:
+
+- backend-only infrastructure or security modules may use a single runtime package (`@forgeon/<feature>`) when shared contracts and a dedicated web package add no real value.
 
 ## 1) Contracts Package
 
@@ -63,6 +67,7 @@ Must contain:
 - Contracts package can be imported from both sides without circular dependencies.
 - Contracts package exports are stable from `dist/index` entrypoint.
 - Module has docs under `docs/AI/MODULES/<module-id>.md`.
+- Module docs must explain: why it exists, what it adds, how it works, how to use it, how to configure it, and current operational limits.
 - If module behavior can be runtime-checked, it also includes API+Web probe hooks (see `docs/AI/MODULE_CHECKS.md`).
 - If i18n is enabled, module-specific namespaces must be created and wired for both API and web.
 - If module is added before i18n, namespace templates must still be prepared and applied when i18n is installed later.

package/templates/module-fragments/rate-limit/00_title.md

@@ -0,0 +1 @@
+# {{MODULE_LABEL}}

package/templates/module-fragments/rate-limit/10_overview.md

@@ -0,0 +1,6 @@
+## Overview
+
+- Id: `{{MODULE_ID}}`
+- Category: `{{MODULE_CATEGORY}}`
+- Status: {{MODULE_STATUS}}
+- Description: {{MODULE_DESCRIPTION}}

package/templates/module-fragments/rate-limit/20_idea.md

@@ -0,0 +1,11 @@
+## Idea / Why
+
+This module adds a simple first-line request throttle to the API.
+
+It exists to reduce three common classes of problems:
+
+1. burst traffic from accidental frontend loops
+2. low-cost abuse against public endpoints
+3. brute-force style retries against auth endpoints
+
+It is intentionally small and predictable. The goal is not to replace a WAF, CDN, or distributed rate limiter. The goal is to give every Forgeon project a safe baseline that can be installed in one step.

package/templates/module-fragments/rate-limit/30_what_it_adds.md

@@ -0,0 +1,10 @@
+## What It Adds
+
+- `@forgeon/rate-limit` workspace package
+- env-backed throttle configuration
+- global Nest throttler guard wiring
+- reverse-proxy trust toggle for Caddy / Nginx deployments
+- `GET /api/health/rate-limit` probe endpoint
+- frontend probe button on the generated home page
+
+This module is API-first. It does not add shared contracts or a web package in v1 because the runtime value is in backend request throttling, not in reusable client-side types.

package/templates/module-fragments/rate-limit/40_how_it_works.md

@@ -0,0 +1,13 @@
+## How It Works
+
+Implementation details:
+
+- `RateLimitConfigService` reads `THROTTLE_*` env values through `@nestjs/config`.
+- `ForgeonRateLimitModule` registers `ThrottlerModule` globally.
+- A global guard applies the throttle rules to incoming HTTP requests.
+- When `THROTTLE_TRUST_PROXY=true`, the module enables Express `trust proxy` through the active HTTP adapter so client IPs are resolved correctly behind reverse proxies.
+
+Error behavior:
+
+- throttled requests return HTTP `429`
+- the existing Forgeon error envelope wraps the response as `TOO_MANY_REQUESTS`

package/templates/module-fragments/rate-limit/50_how_to_use.md

@@ -0,0 +1,21 @@
+## How To Use
+
+Install:
+
+```bash
+npx create-forgeon@latest add rate-limit
+pnpm install
+```
+
+Verify:
+
+1. start the project
+2. open the generated frontend
+3. click `Check rate limit (click repeatedly)` multiple times within the throttle window
+4. observe the transition from `200` to `429`
+
+You can also hit the probe route directly:
+
+```bash
+GET /api/health/rate-limit
+```

package/templates/module-fragments/rate-limit/60_configuration.md

@@ -0,0 +1,15 @@
+## Configuration
+
+Environment keys:
+
+- `THROTTLE_ENABLED=true`
+- `THROTTLE_TTL=10`
+- `THROTTLE_LIMIT=3`
+- `THROTTLE_TRUST_PROXY=false`
+
+Meaning:
+
+- `THROTTLE_ENABLED`: hard on/off switch
+- `THROTTLE_TTL`: throttle window in seconds
+- `THROTTLE_LIMIT`: maximum requests allowed inside that window
+- `THROTTLE_TRUST_PROXY`: use forwarded client IPs when behind Caddy / Nginx

package/templates/module-fragments/rate-limit/70_operational_notes.md

@@ -0,0 +1,10 @@
+## Operational Notes
+
+Current scope:
+
+- in-memory throttling only
+- one global baseline policy
+- no Redis / distributed storage
+- no route-specific policy DSL in v1
+
+That means this module is appropriate for local development, simple deployments, and as a base preset. If a project later needs distributed throttling or different policies per route or user, this module should be extended rather than replaced blindly.

package/templates/module-fragments/rate-limit/90_status_implemented.md

@@ -0,0 +1,3 @@
+## Status
+
+Implemented in the current scaffold.

package/templates/module-fragments/rbac/00_title.md

@@ -0,0 +1 @@
+# {{MODULE_LABEL}}

package/templates/module-fragments/rbac/10_overview.md

@@ -0,0 +1,6 @@
+## Overview
+
+- Id: `{{MODULE_ID}}`
+- Category: `{{MODULE_CATEGORY}}`
+- Status: {{MODULE_STATUS}}
+- Description: {{MODULE_DESCRIPTION}}

package/templates/module-fragments/rbac/20_idea.md

@@ -0,0 +1,9 @@
+## Idea / Why
+
+This module adds a minimal authorization layer for backend routes.
+
+It exists to answer one simple question consistently:
+
+- does the current caller have the required role or permission for this endpoint?
+
+The module intentionally stays small. It does not try to become a general policy engine. It provides a stable baseline for backend access checks and leaves more advanced patterns to separate modules if they are ever needed.

package/templates/module-fragments/rbac/30_what_it_adds.md

@@ -0,0 +1,11 @@
+## What It Adds
+
+- `@forgeon/rbac` runtime package
+- `@Roles(...)` decorator
+- `@Permissions(...)` decorator
+- `ForgeonRbacGuard`
+- helper utilities for role and permission checks
+- a protected probe route: `GET /api/health/rbac`
+- a frontend probe button that sends a valid permission header
+
+This module is backend-first. It does not include frontend route guards. If frontend access-control helpers are needed later, they should live in a separate module.

package/templates/module-fragments/rbac/40_how_it_works.md

@@ -0,0 +1,20 @@
+## How It Works
+
+Implementation details:
+
+- decorators store required roles and permissions as Nest metadata
+- `ForgeonRbacGuard` reads that metadata with `Reflector`
+- the guard checks `request.user` first
+- if no user payload is available, it can also read test headers:
+  - `x-forgeon-roles`
+  - `x-forgeon-permissions`
+
+Decision rules in v1:
+
+- roles: any required role is enough
+- permissions: all required permissions must be present
+
+Failure path:
+
+- denied access throws `403`
+- the existing Forgeon error envelope wraps it as `FORBIDDEN`

package/templates/module-fragments/rbac/50_how_to_use.md

@@ -0,0 +1,19 @@
+## How To Use
+
+Install:
+
+```bash
+npx create-forgeon@latest add rbac
+pnpm install
+```
+
+Verify:
+
+1. start the project
+2. click `Check RBAC access` on the generated frontend
+3. the request should return `200`
+
+Manual forbidden-path check:
+
+1. call `GET /api/health/rbac` without the `x-forgeon-permissions` header
+2. the request should return `403`

package/templates/module-fragments/rbac/60_configuration.md

@@ -0,0 +1,9 @@
+## Configuration
+
+This module has no dedicated environment variables in v1.
+
+Behavior is controlled by:
+
+- route decorators (`@Roles`, `@Permissions`)
+- the active request payload (`request.user`)
+- optional testing headers (`x-forgeon-roles`, `x-forgeon-permissions`)

package/templates/module-fragments/rbac/70_operational_notes.md

@@ -0,0 +1,10 @@
+## Operational Notes
+
+Current scope:
+
+- no policy engine
+- no database-backed role or permission store
+- no admin UI
+- no frontend route-guard package in this module
+
+This is a stable baseline module, not a placeholder for a future “v2”. If access-control needs grow later, this module can be extended carefully or paired with a separate specialized module.

package/templates/module-fragments/rbac/90_status_implemented.md

@@ -0,0 +1,3 @@
+## Status
+
+Implemented in the current scaffold.

package/templates/module-presets/rate-limit/packages/rate-limit/package.json

@@ -0,0 +1,22 @@
+{
+  "name": "@forgeon/rate-limit",
+  "version": "0.1.0",
+  "private": true,
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc -p tsconfig.json"
+  },
+  "dependencies": {
+    "@nestjs/common": "^11.0.1",
+    "@nestjs/config": "^4.0.2",
+    "@nestjs/core": "^11.0.1",
+    "@nestjs/throttler": "^6.4.0",
+    "rxjs": "^7.8.1",
+    "zod": "^3.23.8"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.7",
+    "typescript": "^5.7.3"
+  }
+}

package/templates/module-presets/rate-limit/packages/rate-limit/src/forgeon-rate-limit.module.ts

@@ -0,0 +1,50 @@
+import { Module, OnModuleInit } from '@nestjs/common';
+import { APP_GUARD, HttpAdapterHost } from '@nestjs/core';
+import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
+import { RateLimitConfigModule } from './rate-limit-config.module';
+import { RateLimitConfigService } from './rate-limit-config.service';
+
+@Module({
+  imports: [
+    RateLimitConfigModule,
+    ThrottlerModule.forRootAsync({
+      imports: [RateLimitConfigModule],
+      inject: [RateLimitConfigService],
+      useFactory: (config: RateLimitConfigService) => ({
+        errorMessage: 'Too many requests. Please try again later.',
+        skipIf: () => !config.enabled,
+        throttlers: [
+          {
+            ttl: config.ttlMs,
+            limit: config.limit,
+          },
+        ],
+      }),
+    }),
+  ],
+  providers: [
+    {
+      provide: APP_GUARD,
+      useClass: ThrottlerGuard,
+    },
+  ],
+  exports: [RateLimitConfigModule],
+})
+export class ForgeonRateLimitModule implements OnModuleInit {
+  constructor(
+    private readonly rateLimitConfig: RateLimitConfigService,
+    private readonly httpAdapterHost: HttpAdapterHost,
+  ) {}
+
+  onModuleInit(): void {
+    if (!this.rateLimitConfig.trustProxy) {
+      return;
+    }
+
+    const adapter = this.httpAdapterHost.httpAdapter;
+    const instance = adapter?.getInstance?.();
+    if (instance && typeof instance.set === 'function') {
+      instance.set('trust proxy', true);
+    }
+  }
+}

package/templates/module-presets/rate-limit/packages/rate-limit/src/index.ts

@@ -0,0 +1,5 @@
+export * from './forgeon-rate-limit.module';
+export * from './rate-limit-config.loader';
+export * from './rate-limit-config.module';
+export * from './rate-limit-config.service';
+export * from './rate-limit-env.schema';

package/templates/module-presets/rate-limit/packages/rate-limit/src/rate-limit-config.loader.ts

@@ -0,0 +1,25 @@
+import { registerAs } from '@nestjs/config';
+import { parseRateLimitEnv } from './rate-limit-env.schema';
+
+export const RATE_LIMIT_CONFIG_NAMESPACE = 'rateLimit';
+
+export interface RateLimitConfigValues {
+  enabled: boolean;
+  ttlSeconds: number;
+  limit: number;
+  trustProxy: boolean;
+}
+
+export const rateLimitConfig = registerAs(
+  RATE_LIMIT_CONFIG_NAMESPACE,
+  (): RateLimitConfigValues => {
+    const env = parseRateLimitEnv(process.env);
+
+    return {
+      enabled: env.THROTTLE_ENABLED,
+      ttlSeconds: env.THROTTLE_TTL,
+      limit: env.THROTTLE_LIMIT,
+      trustProxy: env.THROTTLE_TRUST_PROXY,
+    };
+  },
+);

package/templates/module-presets/rate-limit/packages/rate-limit/src/rate-limit-config.module.ts

@@ -0,0 +1,8 @@
+import { Module } from '@nestjs/common';
+import { RateLimitConfigService } from './rate-limit-config.service';
+
+@Module({
+  providers: [RateLimitConfigService],
+  exports: [RateLimitConfigService],
+})
+export class RateLimitConfigModule {}

package/templates/module-presets/rate-limit/packages/rate-limit/src/rate-limit-config.service.ts

@@ -0,0 +1,35 @@
+import { Injectable } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import {
+  RATE_LIMIT_CONFIG_NAMESPACE,
+  RateLimitConfigValues,
+} from './rate-limit-config.loader';
+
+@Injectable()
+export class RateLimitConfigService {
+  constructor(private readonly configService: ConfigService) {}
+
+  get enabled(): boolean {
+    return this.configService.getOrThrow<boolean>(`${RATE_LIMIT_CONFIG_NAMESPACE}.enabled`);
+  }
+
+  get ttlSeconds(): RateLimitConfigValues['ttlSeconds'] {
+    return this.configService.getOrThrow<RateLimitConfigValues['ttlSeconds']>(
+      `${RATE_LIMIT_CONFIG_NAMESPACE}.ttlSeconds`,
+    );
+  }
+
+  get ttlMs(): number {
+    return this.ttlSeconds * 1000;
+  }
+
+  get limit(): RateLimitConfigValues['limit'] {
+    return this.configService.getOrThrow<RateLimitConfigValues['limit']>(
+      `${RATE_LIMIT_CONFIG_NAMESPACE}.limit`,
+    );
+  }
+
+  get trustProxy(): boolean {
+    return this.configService.getOrThrow<boolean>(`${RATE_LIMIT_CONFIG_NAMESPACE}.trustProxy`);
+  }
+}

package/templates/module-presets/rate-limit/packages/rate-limit/src/rate-limit-env.schema.ts

@@ -0,0 +1,16 @@
+import { z } from 'zod';
+
+export const rateLimitEnvSchema = z
+  .object({
+    THROTTLE_ENABLED: z.coerce.boolean().default(true),
+    THROTTLE_TTL: z.coerce.number().int().positive().default(10),
+    THROTTLE_LIMIT: z.coerce.number().int().positive().default(3),
+    THROTTLE_TRUST_PROXY: z.coerce.boolean().default(false),
+  })
+  .passthrough();
+
+export type RateLimitEnv = z.infer<typeof rateLimitEnvSchema>;
+
+export function parseRateLimitEnv(input: Record<string, unknown>): RateLimitEnv {
+  return rateLimitEnvSchema.parse(input);
+}

package/templates/module-presets/rate-limit/packages/rate-limit/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "../../tsconfig.base.node.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist",
+    "types": ["node"]
+  },
+  "include": ["src/**/*.ts"]
+}

package/templates/module-presets/rbac/packages/rbac/package.json

@@ -0,0 +1,19 @@
+{
+  "name": "@forgeon/rbac",
+  "version": "0.1.0",
+  "private": true,
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc -p tsconfig.json"
+  },
+  "dependencies": {
+    "@nestjs/common": "^11.0.1",
+    "@nestjs/core": "^11.0.1",
+    "reflect-metadata": "^0.2.2"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.7",
+    "typescript": "^5.7.3"
+  }
+}