create-forgeon 0.2.7 → 0.2.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-forgeon",
-  "version": "0.2.7",
+  "version": "0.2.8",
   "description": "Forgeon project generator CLI",
   "license": "MIT",
   "author": "Forgeon",

package/src/modules/executor.test.mjs

@@ -5,7 +5,7 @@ import os from 'node:os';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { addModule } from './executor.mjs';
-import { syncIntegrations } from './sync-integrations.mjs';
+import { scanIntegrations, syncIntegrations } from './sync-integrations.mjs';
 import { scaffoldProject } from '../core/scaffold.mjs';
 
 function mkTmp(prefix) {
@@ -1145,6 +1145,80 @@ describe('addModule', () => {
     }
   });
 
+  it('detects and applies jwt-auth + rbac claims integration explicitly', () => {
+    const targetRoot = mkTmp('forgeon-module-jwt-rbac-');
+    const projectRoot = path.join(targetRoot, 'demo-jwt-rbac');
+    const templateRoot = path.join(packageRoot, 'templates', 'base');
+
+    try {
+      scaffoldProject({
+        templateRoot,
+        packageRoot,
+        targetRoot: projectRoot,
+        projectName: 'demo-jwt-rbac',
+        frontend: 'react',
+        db: 'prisma',
+        dbPrismaEnabled: false,
+        i18nEnabled: false,
+        proxy: 'caddy',
+      });
+
+      addModule({
+        moduleId: 'rbac',
+        targetRoot: projectRoot,
+        packageRoot,
+      });
+      addModule({
+        moduleId: 'jwt-auth',
+        targetRoot: projectRoot,
+        packageRoot,
+      });
+
+      const scan = scanIntegrations({
+        targetRoot: projectRoot,
+        relatedModuleId: 'jwt-auth',
+      });
+      assert.equal(scan.groups.some((group) => group.id === 'auth-rbac-claims'), true);
+
+      const syncResult = syncIntegrations({
+        targetRoot: projectRoot,
+        packageRoot,
+        groupIds: ['auth-rbac-claims'],
+      });
+      const claimsPair = syncResult.summary.find((item) => item.id === 'auth-rbac-claims');
+      assert.ok(claimsPair);
+      assert.equal(claimsPair.result.applied, true);
+
+      const authContracts = fs.readFileSync(
+        path.join(projectRoot, 'packages', 'auth-contracts', 'src', 'index.ts'),
+        'utf8',
+      );
+      assert.match(authContracts, /permissions\?: string\[\];/);
+
+      const authService = fs.readFileSync(
+        path.join(projectRoot, 'packages', 'auth-api', 'src', 'auth.service.ts'),
+        'utf8',
+      );
+      assert.match(authService, /permissions: \['health\.rbac'\]/);
+      assert.match(authService, /permissions: user\.permissions,/);
+      assert.match(
+        authService,
+        /permissions: Array\.isArray\(payload\.permissions\) \? payload\.permissions : \[\],/,
+      );
+
+      const authController = fs.readFileSync(
+        path.join(projectRoot, 'packages', 'auth-api', 'src', 'auth.controller.ts'),
+        'utf8',
+      );
+      assert.match(
+        authController,
+        /permissions: Array\.isArray\(payload\.permissions\) \? payload\.permissions : \[\],/,
+      );
+    } finally {
+      fs.rmSync(targetRoot, { recursive: true, force: true });
+    }
+  });
+
   it('applies logger then jwt-auth on db/i18n-disabled scaffold without breaking health controller syntax', () => {
     const targetRoot = mkTmp('forgeon-module-jwt-nodb-noi18n-');
     const projectRoot = path.join(targetRoot, 'demo-jwt-nodb-noi18n');

package/src/modules/sync-integrations.mjs

@@ -68,6 +68,29 @@ function isAuthPersistencePending(rootDir) {
   return !(hasModuleWiring && hasSchema && hasStoreFile && hasMigration);
 }
 
+function isAuthRbacPending(rootDir) {
+  const authContractsPath = path.join(rootDir, 'packages', 'auth-contracts', 'src', 'index.ts');
+  const authServicePath = path.join(rootDir, 'packages', 'auth-api', 'src', 'auth.service.ts');
+  const authControllerPath = path.join(rootDir, 'packages', 'auth-api', 'src', 'auth.controller.ts');
+
+  if (!fs.existsSync(authContractsPath) || !fs.existsSync(authServicePath) || !fs.existsSync(authControllerPath)) {
+    return false;
+  }
+
+  const authContracts = fs.readFileSync(authContractsPath, 'utf8');
+  const authService = fs.readFileSync(authServicePath, 'utf8');
+  const authController = fs.readFileSync(authControllerPath, 'utf8');
+
+  const hasContracts = authContracts.includes('permissions?: string[];');
+  const hasDemoClaims = authService.includes("permissions: ['health.rbac']");
+  const hasPayloadClaims = authService.includes('permissions: user.permissions,');
+  const hasRefreshClaims = authService.includes('permissions: Array.isArray(payload.permissions) ? payload.permissions : [],');
+  const hasControllerClaims =
+    authController.includes('permissions: Array.isArray(payload.permissions) ? payload.permissions : [],');
+
+  return !(hasContracts && hasDemoClaims && hasPayloadClaims && hasRefreshClaims && hasControllerClaims);
+}
+
 const INTEGRATION_GROUPS = [
   {
     id: 'auth-persistence',
@@ -83,6 +106,20 @@ const INTEGRATION_GROUPS = [
     isPending: (rootDir) => isAuthPersistencePending(rootDir),
     apply: syncJwtDbPrisma,
   },
+  {
+    id: 'auth-rbac-claims',
+    title: 'Auth Claims Integration',
+    modules: ['jwt-auth', 'rbac'],
+    description: [
+      'Extend AuthUser with optional permissions in @forgeon/auth-contracts',
+      'Add demo RBAC claims to jwt-auth login and token payloads',
+      'Expose permissions in auth refresh and /me responses',
+      'Update JWT auth README note about RBAC demo claims',
+    ],
+    isAvailable: (detected) => detected.jwtAuth && detected.rbac,
+    isPending: (rootDir) => isAuthRbacPending(rootDir),
+    apply: syncJwtRbacClaims,
+  },
 ];
 
 function detectModules(rootDir) {
@@ -93,6 +130,9 @@ function detectModules(rootDir) {
     jwtAuth:
       fs.existsSync(path.join(rootDir, 'packages', 'auth-api', 'package.json')) ||
       appModuleText.includes("from '@forgeon/auth-api'"),
+    rbac:
+      fs.existsSync(path.join(rootDir, 'packages', 'rbac', 'package.json')) ||
+      appModuleText.includes("from '@forgeon/rbac'"),
     dbPrisma:
       fs.existsSync(path.join(rootDir, 'packages', 'db-prisma', 'package.json')) ||
       appModuleText.includes("from '@forgeon/db-prisma'"),
@@ -216,6 +256,109 @@ function syncJwtDbPrisma({ rootDir, packageRoot, changedFiles }) {
   return { applied: true };
 }
 
+function syncJwtRbacClaims({ rootDir, changedFiles }) {
+  const authContractsPath = path.join(rootDir, 'packages', 'auth-contracts', 'src', 'index.ts');
+  const authServicePath = path.join(rootDir, 'packages', 'auth-api', 'src', 'auth.service.ts');
+  const authControllerPath = path.join(rootDir, 'packages', 'auth-api', 'src', 'auth.controller.ts');
+  const readmePath = path.join(rootDir, 'README.md');
+
+  if (!fs.existsSync(authContractsPath) || !fs.existsSync(authServicePath) || !fs.existsSync(authControllerPath)) {
+    return { applied: false, reason: 'auth package files are missing' };
+  }
+
+  let touched = false;
+
+  let authContracts = fs.readFileSync(authContractsPath, 'utf8').replace(/\r\n/g, '\n');
+  const originalAuthContracts = authContracts;
+  if (!authContracts.includes('permissions?: string[];')) {
+    authContracts = authContracts.replace(
+      '  roles: string[];',
+      `  roles: string[];
+  permissions?: string[];`,
+    );
+  }
+  if (authContracts !== originalAuthContracts) {
+    fs.writeFileSync(authContractsPath, `${authContracts.trimEnd()}\n`, 'utf8');
+    changedFiles.add(authContractsPath);
+    touched = true;
+  }
+
+  let authService = fs.readFileSync(authServicePath, 'utf8').replace(/\r\n/g, '\n');
+  const originalAuthService = authService;
+  authService = authService.replace(
+    /roles: \['user'\],/g,
+    `roles: ['admin'],
+      permissions: ['health.rbac'],`,
+  );
+  if (!authService.includes('permissions: user.permissions,')) {
+    authService = authService.replace(
+      '      roles: user.roles,',
+      `      roles: user.roles,
+      permissions: user.permissions,`,
+    );
+  }
+  if (!authService.includes('permissions: Array.isArray(payload.permissions) ? payload.permissions : [],')) {
+    authService = authService.replace(
+      "      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],",
+      `      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],
+      permissions: Array.isArray(payload.permissions) ? payload.permissions : [],`,
+    );
+  }
+  if (!authService.includes('demoPermissions: [')) {
+    authService = authService.replace(
+      "      demoEmail: this.configService.demoEmail,",
+      `      demoEmail: this.configService.demoEmail,
+      demoPermissions: ['health.rbac'],`,
+    );
+  }
+  if (authService !== originalAuthService) {
+    fs.writeFileSync(authServicePath, `${authService.trimEnd()}\n`, 'utf8');
+    changedFiles.add(authServicePath);
+    touched = true;
+  }
+
+  let authController = fs.readFileSync(authControllerPath, 'utf8').replace(/\r\n/g, '\n');
+  const originalAuthController = authController;
+  if (!authController.includes('permissions: Array.isArray(payload.permissions) ? payload.permissions : [],')) {
+    authController = authController.replace(
+      "      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],",
+      `      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],
+      permissions: Array.isArray(payload.permissions) ? payload.permissions : [],`,
+    );
+  }
+  if (authController !== originalAuthController) {
+    fs.writeFileSync(authControllerPath, `${authController.trimEnd()}\n`, 'utf8');
+    changedFiles.add(authControllerPath);
+    touched = true;
+  }
+
+  if (fs.existsSync(readmePath)) {
+    let readme = fs.readFileSync(readmePath, 'utf8').replace(/\r\n/g, '\n');
+    const originalReadme = readme;
+    if (!readme.includes('- RBAC integration: demo auth tokens include `health.rbac` permission')) {
+      const marker = 'Default demo credentials:';
+      if (readme.includes(marker)) {
+        readme = readme.replace(
+          marker,
+          `- RBAC integration: demo auth tokens include \`health.rbac\` permission
+
+Default demo credentials:`,
+        );
+      }
+    }
+    if (readme !== originalReadme) {
+      fs.writeFileSync(readmePath, `${readme.trimEnd()}\n`, 'utf8');
+      changedFiles.add(readmePath);
+      touched = true;
+    }
+  }
+
+  if (!touched) {
+    return { applied: false, reason: 'already synced' };
+  }
+  return { applied: true };
+}
+
 export function syncIntegrations({ targetRoot, packageRoot, groupIds = null }) {
   const rootDir = path.resolve(targetRoot);
   const changedFiles = new Set();

package/src/run-add-module.mjs

@@ -94,7 +94,7 @@ function ensureSyncTooling({ packageRoot, targetRoot }) {
   );
   const targetScript = path.join(targetRoot, 'scripts', 'forgeon-sync-integrations.mjs');
 
-  if (fs.existsSync(sourceScript) && !fs.existsSync(targetScript)) {
+  if (fs.existsSync(sourceScript)) {
     fs.mkdirSync(path.dirname(targetScript), { recursive: true });
     fs.copyFileSync(sourceScript, targetScript);
   }

package/templates/base/README.md

@@ -37,6 +37,7 @@ pnpm forgeon:sync-integrations
 ```
 
 Current sync coverage:
+- `jwt-auth + rbac`: extends demo auth tokens with the `health.rbac` permission.
 - `jwt-auth + db-prisma`: wires persistent refresh-token storage for auth.
 
 `create-forgeon add <module>` scans for relevant integration groups and can apply them immediately.

package/templates/base/scripts/forgeon-sync-integrations.mjs

@@ -53,6 +53,9 @@ function detectModules(rootDir) {
     jwtAuth:
       fs.existsSync(path.join(rootDir, 'packages', 'auth-api', 'package.json')) ||
       appModuleText.includes("from '@forgeon/auth-api'"),
+    rbac:
+      fs.existsSync(path.join(rootDir, 'packages', 'rbac', 'package.json')) ||
+      appModuleText.includes("from '@forgeon/rbac'"),
     dbPrisma:
       fs.existsSync(path.join(rootDir, 'packages', 'db-prisma', 'package.json')) ||
       appModuleText.includes("from '@forgeon/db-prisma'"),
@@ -179,6 +182,109 @@ function syncJwtDbPrisma({ rootDir, changedFiles }) {
   return { applied: true };
 }
 
+function syncJwtRbacClaims({ rootDir, changedFiles }) {
+  const authContractsPath = path.join(rootDir, 'packages', 'auth-contracts', 'src', 'index.ts');
+  const authServicePath = path.join(rootDir, 'packages', 'auth-api', 'src', 'auth.service.ts');
+  const authControllerPath = path.join(rootDir, 'packages', 'auth-api', 'src', 'auth.controller.ts');
+  const readmePath = path.join(rootDir, 'README.md');
+
+  if (!fs.existsSync(authContractsPath) || !fs.existsSync(authServicePath) || !fs.existsSync(authControllerPath)) {
+    return { applied: false, reason: 'auth package files are missing' };
+  }
+
+  let touched = false;
+
+  let authContracts = fs.readFileSync(authContractsPath, 'utf8').replace(/\r\n/g, '\n');
+  const originalAuthContracts = authContracts;
+  if (!authContracts.includes('permissions?: string[];')) {
+    authContracts = authContracts.replace(
+      '  roles: string[];',
+      `  roles: string[];
+  permissions?: string[];`,
+    );
+  }
+  if (authContracts !== originalAuthContracts) {
+    fs.writeFileSync(authContractsPath, `${authContracts.trimEnd()}\n`, 'utf8');
+    changedFiles.add(authContractsPath);
+    touched = true;
+  }
+
+  let authService = fs.readFileSync(authServicePath, 'utf8').replace(/\r\n/g, '\n');
+  const originalAuthService = authService;
+  authService = authService.replace(
+    /roles: \['user'\],/g,
+    `roles: ['admin'],
+      permissions: ['health.rbac'],`,
+  );
+  if (!authService.includes('permissions: user.permissions,')) {
+    authService = authService.replace(
+      '      roles: user.roles,',
+      `      roles: user.roles,
+      permissions: user.permissions,`,
+    );
+  }
+  if (!authService.includes('permissions: Array.isArray(payload.permissions) ? payload.permissions : [],')) {
+    authService = authService.replace(
+      "      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],",
+      `      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],
+      permissions: Array.isArray(payload.permissions) ? payload.permissions : [],`,
+    );
+  }
+  if (!authService.includes('demoPermissions: [')) {
+    authService = authService.replace(
+      "      demoEmail: this.configService.demoEmail,",
+      `      demoEmail: this.configService.demoEmail,
+      demoPermissions: ['health.rbac'],`,
+    );
+  }
+  if (authService !== originalAuthService) {
+    fs.writeFileSync(authServicePath, `${authService.trimEnd()}\n`, 'utf8');
+    changedFiles.add(authServicePath);
+    touched = true;
+  }
+
+  let authController = fs.readFileSync(authControllerPath, 'utf8').replace(/\r\n/g, '\n');
+  const originalAuthController = authController;
+  if (!authController.includes('permissions: Array.isArray(payload.permissions) ? payload.permissions : [],')) {
+    authController = authController.replace(
+      "      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],",
+      `      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],
+      permissions: Array.isArray(payload.permissions) ? payload.permissions : [],`,
+    );
+  }
+  if (authController !== originalAuthController) {
+    fs.writeFileSync(authControllerPath, `${authController.trimEnd()}\n`, 'utf8');
+    changedFiles.add(authControllerPath);
+    touched = true;
+  }
+
+  if (fs.existsSync(readmePath)) {
+    let readme = fs.readFileSync(readmePath, 'utf8').replace(/\r\n/g, '\n');
+    const originalReadme = readme;
+    if (!readme.includes('- RBAC integration: demo auth tokens include `health.rbac` permission')) {
+      const marker = 'Default demo credentials:';
+      if (readme.includes(marker)) {
+        readme = readme.replace(
+          marker,
+          `- RBAC integration: demo auth tokens include \`health.rbac\` permission
+
+Default demo credentials:`,
+        );
+      }
+    }
+    if (readme !== originalReadme) {
+      fs.writeFileSync(readmePath, `${readme.trimEnd()}\n`, 'utf8');
+      changedFiles.add(readmePath);
+      touched = true;
+    }
+  }
+
+  if (!touched) {
+    return { applied: false, reason: 'already synced' };
+  }
+  return { applied: true };
+}
+
 function run() {
   const rootDir = process.cwd();
   const changedFiles = new Set();
@@ -197,6 +303,18 @@ function run() {
     });
   }
 
+  if (detected.jwtAuth && detected.rbac) {
+    summary.push({
+      feature: 'jwt-auth + rbac',
+      result: syncJwtRbacClaims({ rootDir, changedFiles }),
+    });
+  } else {
+    summary.push({
+      feature: 'jwt-auth + rbac',
+      result: { applied: false, reason: 'required modules are not both installed' },
+    });
+  }
+
   console.log('[forgeon:sync-integrations] done');
   for (const item of summary) {
     if (item.result.applied) {