create-forgeon 0.3.15 → 0.3.17

package/src/modules/executor.test.mjs

@@ -1,4 +1,4 @@
-import { describe, it } from 'node:test';
+import { describe, it } from 'node:test';
 import assert from 'node:assert/strict';
 import fs from 'node:fs';
 import os from 'node:os';
@@ -18,6 +18,21 @@ function createMinimalForgeonProject(targetRoot) {
   fs.writeFileSync(path.join(targetRoot, 'pnpm-workspace.yaml'), 'packages:\n  - apps/*\n', 'utf8');
 }
 
+function readFile(filePath) {
+  return fs.readFileSync(filePath, 'utf8');
+}
+
+function readWebProbes(projectRoot) {
+  return readFile(path.join(projectRoot, 'apps', 'web', 'src', 'probes.ts'));
+}
+
+function assertWebProbeShell(projectRoot) {
+  const appTsx = readFile(path.join(projectRoot, 'apps', 'web', 'src', 'App.tsx'));
+  assert.match(appTsx, /id="probes"/);
+  assert.match(appTsx, /from '\.\/probes'/);
+  return appTsx;
+}
+
 function assertDbPrismaWiring(projectRoot) {
   const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
   assert.match(appModule, /dbPrismaConfig/);
@@ -75,10 +90,12 @@ function assertRateLimitWiring(projectRoot) {
   assert.match(healthController, /@Get\('rate-limit'\)/);
   assert.match(healthController, /TOO_MANY_REQUESTS/);
 
-  const appTsx = fs.readFileSync(path.join(projectRoot, 'apps', 'web', 'src', 'App.tsx'), 'utf8');
+  const appTsx = assertWebProbeShell(projectRoot);
+  const probesTs = readWebProbes(projectRoot);
   assert.match(appTsx, /cache: 'no-store'/);
-  assert.match(appTsx, /Check rate limit \(click repeatedly\)/);
-  assert.match(appTsx, /Rate limit probe response/);
+  assert.match(probesTs, /"id": "rate-limit"/);
+  assert.match(probesTs, /"buttonLabel": "Check rate limit \(click repeatedly\)"/);
+  assert.match(probesTs, /"resultTitle": "Rate limit probe response"/);
 
   const readme = fs.readFileSync(path.join(projectRoot, 'README.md'), 'utf8');
   assert.match(readme, /## Rate Limit Module/);
@@ -109,9 +126,11 @@ function assertQueueWiring(projectRoot) {
   assert.match(healthController, /@Get\('queue'\)/);
   assert.match(healthController, /queueService\.getProbeStatus/);
 
-  const webApp = fs.readFileSync(path.join(projectRoot, 'apps', 'web', 'src', 'App.tsx'), 'utf8');
-  assert.match(webApp, /Check queue health/);
-  assert.match(webApp, /Queue probe response/);
+  assertWebProbeShell(projectRoot);
+  const probesTs = readWebProbes(projectRoot);
+  assert.match(probesTs, /"id": "queue"/);
+  assert.match(probesTs, /"buttonLabel": "Check queue health"/);
+  assert.match(probesTs, /"resultTitle": "Queue probe response"/);
 
   const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
   assert.match(apiEnv, /QUEUE_ENABLED=true/);
@@ -156,9 +175,11 @@ function assertSchedulerWiring(projectRoot) {
   assert.match(healthController, /@Get\('scheduler'\)/);
   assert.match(healthController, /schedulerService\.getProbeStatus/);
 
-  const webApp = fs.readFileSync(path.join(projectRoot, 'apps', 'web', 'src', 'App.tsx'), 'utf8');
-  assert.match(webApp, /Check scheduler health/);
-  assert.match(webApp, /Scheduler probe response/);
+  assertWebProbeShell(projectRoot);
+  const probesTs = readWebProbes(projectRoot);
+  assert.match(probesTs, /"id": "scheduler"/);
+  assert.match(probesTs, /"buttonLabel": "Check scheduler health"/);
+  assert.match(probesTs, /"resultTitle": "Scheduler probe response"/);
 
   const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
   assert.match(apiEnv, /SCHEDULER_ENABLED=true/);
@@ -200,169 +221,254 @@ function assertRbacWiring(projectRoot) {
   assert.match(healthController, /@Get\('rbac'\)/);
   assert.match(healthController, /@Permissions\('health\.rbac'\)/);
 
-  const appTsx = fs.readFileSync(path.join(projectRoot, 'apps', 'web', 'src', 'App.tsx'), 'utf8');
-  assert.match(appTsx, /Check RBAC access/);
-  assert.match(appTsx, /RBAC probe response/);
-  assert.match(appTsx, /x-forgeon-permissions/);
+  assertWebProbeShell(projectRoot);
+  const probesTs = readWebProbes(projectRoot);
+  assert.match(probesTs, /"id": "rbac"/);
+  assert.match(probesTs, /"buttonLabel": "Check RBAC access"/);
+  assert.match(probesTs, /"resultTitle": "RBAC probe response"/);
+  assert.match(probesTs, /x-forgeon-permissions/);
 
   const readme = fs.readFileSync(path.join(projectRoot, 'README.md'), 'utf8');
   assert.match(readme, /## RBAC \/ Permissions Module/);
   assert.match(readme, /installs independently/i);
-  assert.match(readme, /jwt-auth.*optional/i);
-}
-
-function assertFilesWiring(projectRoot, expectedStorageDriver = 'local') {
-  const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
-  assert.match(appModule, /filesConfig/);
-  assert.match(appModule, /filesEnvSchema/);
-  assert.match(appModule, /ForgeonFilesModule/);
-
-  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
-  assert.match(apiPackage, /@forgeon\/files/);
-  assert.match(apiPackage, /pnpm --filter @forgeon\/files build/);
-
-  const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
-  assert.match(apiDockerfile, /COPY packages\/files\/package\.json packages\/files\/package\.json/);
-  assert.match(apiDockerfile, /COPY packages\/files packages\/files/);
-  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/files build/);
-
-  const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
-  assert.match(apiEnv, /FILES_ENABLED=true/);
-  assert.match(apiEnv, new RegExp(`FILES_STORAGE_DRIVER=${expectedStorageDriver}`));
-  assert.match(apiEnv, /FILES_PUBLIC_BASE_PATH=\/files/);
-  assert.match(apiEnv, /FILES_MAX_FILE_SIZE_BYTES=10485760/);
-  assert.match(apiEnv, /FILES_ALLOWED_MIME_PREFIXES=image\/,application\/pdf,text\//);
-
-  const healthController = fs.readFileSync(
-    path.join(projectRoot, 'apps', 'api', 'src', 'health', 'health.controller.ts'),
-    'utf8',
-  );
-  assert.match(healthController, /@Post\('files'\)/);
-  assert.match(healthController, /@Get\('files-variants'\)/);
-  assert.match(healthController, /filesService\.createProbeRecord/);
-  assert.match(healthController, /filesService\.getVariantsProbeStatus/);
-  assert.match(healthController, /filesService\.deleteByPublicId/);
-
-  const filesController = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'files', 'src', 'files.controller.ts'),
-    'utf8',
-  );
-  assert.match(filesController, /@Query\('variant'\) variantQuery\?: string/);
-  assert.match(filesController, /parseVariant\(variantQuery\)/);
-  assert.match(filesController, /@Delete\(':publicId'\)/);
-
-  const filesService = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'files', 'src', 'files.service.ts'),
-    'utf8',
-  );
-  assert.match(filesService, /getOrCreateBlob/);
-  assert.match(filesService, /cleanupReferencedBlobs/);
-  assert.match(filesService, /isUniqueConstraintError/);
-  assert.match(filesService, /fileBlob\.deleteMany/);
-  assert.match(filesService, /variants:\s*\{[\s\S]*?none:\s*\{[\s\S]*?\}/);
-  assert.match(filesService, /prisma\.fileBlob/);
-
-  const appTsx = fs.readFileSync(path.join(projectRoot, 'apps', 'web', 'src', 'App.tsx'), 'utf8');
-  assert.match(appTsx, /Check files probe \(create metadata\)/);
-  assert.match(appTsx, /Check files variants capability/);
-  assert.match(appTsx, /Files probe response/);
-  assert.match(appTsx, /Files variants probe response/);
-
-  const schema = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'prisma', 'schema.prisma'), 'utf8');
-  assert.match(schema, /model FileRecord \{/);
-  assert.match(schema, /variants\s+FileVariant\[\]/);
-  assert.match(schema, /model FileVariant \{/);
-  assert.match(schema, /model FileBlob \{/);
-  assert.match(schema, /blobId\s+String/);
-  assert.match(schema, /@@unique\(\[hash,\s*size,\s*mimeType,\s*storageDriver\]\)/);
-  assert.match(schema, /@@unique\(\[fileId,\s*variantKey\]\)/);
-  assert.match(schema, /publicId\s+String\s+@unique/);
-  assert.match(schema, /@@index\(\[ownerType,\s*ownerId,\s*createdAt\]\)/);
-
-  const migration = path.join(
-    projectRoot,
-    'apps',
-    'api',
-    'prisma',
-    'migrations',
-    '20260306_files_file_record',
-    'migration.sql',
-  );
-  assert.equal(fs.existsSync(migration), true);
-
-  const variantMigration = path.join(
-    projectRoot,
-    'apps',
-    'api',
-    'prisma',
-    'migrations',
-    '20260306_files_file_variant',
-    'migration.sql',
-  );
-  assert.equal(fs.existsSync(variantMigration), true);
-}
-
-function assertFilesLocalWiring(projectRoot) {
-  const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
-  assert.match(appModule, /filesLocalConfig/);
-  assert.match(appModule, /filesLocalEnvSchemaZod/);
-  assert.match(appModule, /FilesLocalConfigModule/);
-
-  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
-  assert.match(apiPackage, /@forgeon\/files-local/);
-  assert.match(apiPackage, /pnpm --filter @forgeon\/files-local build/);
-
-  const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
-  assert.match(apiDockerfile, /COPY packages\/files-local\/package\.json packages\/files-local\/package\.json/);
-  assert.match(apiDockerfile, /COPY packages\/files-local packages\/files-local/);
-  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/files-local build/);
-
-  const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
-  assert.match(apiEnv, /FILES_LOCAL_ROOT=storage\/uploads/);
-
-  const gitignore = fs.readFileSync(path.join(projectRoot, '.gitignore'), 'utf8');
-  assert.match(gitignore, /storage\//);
-
-  const compose = fs.readFileSync(path.join(projectRoot, 'infra', 'docker', 'compose.yml'), 'utf8');
-  assert.match(compose, /files_data:\/app\/storage/);
-  assert.match(compose, /^\s{2}files_data:\s*$/m);
-}
-
-function assertFilesS3Wiring(projectRoot) {
-  const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
-  assert.match(appModule, /filesS3Config/);
-  assert.match(appModule, /filesS3EnvSchemaZod/);
-  assert.match(appModule, /FilesS3ConfigModule/);
-
-  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
-  assert.match(apiPackage, /@forgeon\/files-s3/);
-  assert.match(apiPackage, /pnpm --filter @forgeon\/files-s3 build/);
-
-  const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
-  assert.match(apiDockerfile, /COPY packages\/files-s3\/package\.json packages\/files-s3\/package\.json/);
-  assert.match(apiDockerfile, /COPY packages\/files-s3 packages\/files-s3/);
-  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/files-s3 build/);
-
-  const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
-  assert.match(apiEnv, /FILES_STORAGE_DRIVER=s3/);
-  assert.match(apiEnv, /FILES_S3_PROVIDER_PRESET=minio/);
-  assert.match(apiEnv, /FILES_S3_BUCKET=forgeon-files/);
-  assert.match(apiEnv, /FILES_S3_REGION=/);
-  assert.match(apiEnv, /FILES_S3_ENDPOINT=/);
-  assert.match(apiEnv, /FILES_S3_FORCE_PATH_STYLE=/);
-  assert.match(apiEnv, /FILES_S3_MAX_ATTEMPTS=3/);
-
-  const compose = fs.readFileSync(path.join(projectRoot, 'infra', 'docker', 'compose.yml'), 'utf8');
-  assert.match(compose, /FILES_S3_PROVIDER_PRESET: \$\{FILES_S3_PROVIDER_PRESET\}/);
-  assert.match(compose, /FILES_S3_MAX_ATTEMPTS: \$\{FILES_S3_MAX_ATTEMPTS\}/);
-
-  const filesS3Package = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'files-s3', 'package.json'),
-    'utf8',
-  );
-  assert.match(filesS3Package, /@aws-sdk\/client-s3/);
+  assert.match(readme, /accounts.*optional/i);
 }
 
+function assertFilesWiring(projectRoot, expectedStorageDriver = 'local') {
+  const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
+  assert.match(appModule, /filesConfig/);
+  assert.match(appModule, /filesEnvSchema/);
+  assert.match(appModule, /ForgeonFilesModule\.register\(\{/);
+  assert.match(appModule, /ForgeonFilesDbPrismaModule/);
+  if (expectedStorageDriver === 's3') {
+    assert.match(appModule, /ForgeonFilesS3StorageModule/);
+    assert.doesNotMatch(appModule, /imports: \[ForgeonFilesDbPrismaModule, ForgeonFilesLocalStorageModule\]/);
+  } else {
+    assert.match(appModule, /ForgeonFilesLocalStorageModule/);
+  }
+
+  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
+  assert.match(apiPackage, /@forgeon\/files/);
+  assert.match(apiPackage, /pnpm --filter @forgeon\/files build/);
+
+  const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
+  assert.match(apiDockerfile, /COPY packages\/files\/package\.json packages\/files\/package\.json/);
+  assert.match(apiDockerfile, /COPY packages\/files packages\/files/);
+  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/files build/);
+
+  const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
+  assert.match(apiEnv, /FILES_ENABLED=true/);
+  assert.match(apiEnv, new RegExp('FILES_STORAGE_DRIVER=' + expectedStorageDriver));
+  assert.match(apiEnv, /FILES_PUBLIC_BASE_PATH=\/files/);
+  assert.match(apiEnv, /FILES_MAX_FILE_SIZE_BYTES=10485760/);
+  assert.match(apiEnv, /FILES_ALLOWED_MIME_PREFIXES=image\/,application\/pdf,text\//);
+
+  const healthController = fs.readFileSync(
+    path.join(projectRoot, 'apps', 'api', 'src', 'health', 'health.controller.ts'),
+    'utf8',
+  );
+  assert.match(healthController, /@Post\('files'\)/);
+  assert.match(healthController, /@Get\('files-variants'\)/);
+  assert.match(healthController, /filesService\.createProbeRecord/);
+  assert.match(healthController, /filesService\.getVariantsProbeStatus/);
+  assert.match(healthController, /filesService\.deleteByPublicId/);
+
+  const filesController = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files', 'src', 'files.controller.ts'),
+    'utf8',
+  );
+  assert.match(filesController, /@Query\('variant'\) variantQuery\?: string/);
+  assert.match(filesController, /parseVariant\(variantQuery\)/);
+  assert.match(filesController, /@Delete\(':publicId'\)/);
+
+  const filesService = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files', 'src', 'files.service.ts'),
+    'utf8',
+  );
+  assert.match(filesService, /FILES_PERSISTENCE_PORT/);
+  assert.match(filesService, /FILES_STORAGE_ADAPTER/);
+  assert.match(filesService, /getOrCreateBlob/);
+  assert.match(filesService, /cleanupReferencedBlobs/);
+  assert.match(filesService, /isUniqueConstraintError/);
+  assert.match(filesService, /storageAdapter\.put/);
+  assert.match(filesService, /persistence\.createBlob/);
+  assert.match(filesService, /persistence\.deleteBlobIfUnreferenced/);
+  assert.doesNotMatch(filesService, /PrismaService/);
+  assert.doesNotMatch(filesService, /@aws-sdk\/client-s3/);
+
+  const filesPorts = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files', 'src', 'files.ports.ts'),
+    'utf8',
+  );
+  assert.match(filesPorts, /FILES_PERSISTENCE_PORT/);
+  assert.match(filesPorts, /FILES_STORAGE_ADAPTER/);
+  assert.match(filesPorts, /interface FilesPersistencePort/);
+  assert.match(filesPorts, /interface FilesStorageAdapter/);
+
+  const filesModule = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files', 'src', 'forgeon-files.module.ts'),
+    'utf8',
+  );
+  assert.match(filesModule, /ForgeonFilesModuleOptions/);
+  assert.match(filesModule, /static register\(options: ForgeonFilesModuleOptions = \{\}\)/);
+  assert.match(filesModule, /FILES_PERSISTENCE_PORT/);
+  assert.match(filesModule, /FILES_STORAGE_ADAPTER/);
+
+  const filesPackage = fs.readFileSync(path.join(projectRoot, 'packages', 'files', 'package.json'), 'utf8');
+  assert.doesNotMatch(filesPackage, /@forgeon\/db-prisma/);
+
+  const prismaFilesStore = fs.readFileSync(
+    path.join(projectRoot, 'apps', 'api', 'src', 'files', 'prisma-files-persistence.store.ts'),
+    'utf8',
+  );
+  assert.match(prismaFilesStore, /PrismaService/);
+  assert.match(prismaFilesStore, /FILES_PERSISTENCE_PORT/);
+  assert.match(prismaFilesStore, /fileBlob\.deleteMany/);
+
+  const prismaFilesModule = fs.readFileSync(
+    path.join(projectRoot, 'apps', 'api', 'src', 'files', 'forgeon-files-db-prisma.module.ts'),
+    'utf8',
+  );
+  assert.match(prismaFilesModule, /ForgeonFilesDbPrismaModule/);
+  assert.match(prismaFilesModule, /DbPrismaModule/);
+  assert.match(prismaFilesModule, /FILES_PERSISTENCE_PORT/);
+
+  assertWebProbeShell(projectRoot);
+  const probesTs = readWebProbes(projectRoot);
+  assert.match(probesTs, /"id": "files"/);
+  assert.match(probesTs, /"buttonLabel": "Check files probe \(create metadata\)"/);
+  assert.match(probesTs, /"resultTitle": "Files probe response"/);
+  assert.match(probesTs, /"id": "files-variants"/);
+  assert.match(probesTs, /"buttonLabel": "Check files variants capability"/);
+  assert.match(probesTs, /"resultTitle": "Files variants probe response"/);
+
+  const schema = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'prisma', 'schema.prisma'), 'utf8');
+  assert.match(schema, /model FileRecord \{/);
+  assert.match(schema, /variants\s+FileVariant\[\]/);
+  assert.match(schema, /model FileVariant \{/);
+  assert.match(schema, /model FileBlob \{/);
+  assert.match(schema, /blobId\s+String/);
+  assert.match(schema, /@@unique\(\[hash,\s*size,\s*mimeType,\s*storageDriver\]\)/);
+  assert.match(schema, /@@unique\(\[fileId,\s*variantKey\]\)/);
+  assert.match(schema, /publicId\s+String\s+@unique/);
+  assert.match(schema, /@@index\(\[ownerType,\s*ownerId,\s*createdAt\]\)/);
+
+  const migration = path.join(
+    projectRoot,
+    'apps',
+    'api',
+    'prisma',
+    'migrations',
+    '20260306_files_file_record',
+    'migration.sql',
+  );
+  assert.equal(fs.existsSync(migration), true);
+
+  const variantMigration = path.join(
+    projectRoot,
+    'apps',
+    'api',
+    'prisma',
+    'migrations',
+    '20260306_files_file_variant',
+    'migration.sql',
+  );
+  assert.equal(fs.existsSync(variantMigration), true);
+}
+
+function assertFilesLocalWiring(projectRoot) {
+  const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
+  assert.match(appModule, /filesLocalConfig/);
+  assert.match(appModule, /filesLocalEnvSchemaZod/);
+  assert.match(appModule, /FilesLocalConfigModule/);
+  assert.match(appModule, /ForgeonFilesLocalStorageModule/);
+
+  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
+  assert.match(apiPackage, /@forgeon\/files-local/);
+  assert.match(apiPackage, /pnpm --filter @forgeon\/files-local build/);
+
+  const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
+  assert.match(apiDockerfile, /COPY packages\/files-local\/package\.json packages\/files-local\/package\.json/);
+  assert.match(apiDockerfile, /COPY packages\/files-local packages\/files-local/);
+  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/files-local build/);
+
+  const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
+  assert.match(apiEnv, /FILES_LOCAL_ROOT=storage\/uploads/);
+
+  const localModule = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files-local', 'src', 'forgeon-files-local-storage.module.ts'),
+    'utf8',
+  );
+  assert.match(localModule, /ForgeonFilesLocalStorageModule/);
+  assert.match(localModule, /FORGEON_FILES_STORAGE_ADAPTER/);
+
+  const localAdapter = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files-local', 'src', 'local-files-storage.adapter.ts'),
+    'utf8',
+  );
+  assert.match(localAdapter, /readonly driver = 'local'/);
+  assert.match(localAdapter, /createReadStream/);
+  assert.match(localAdapter, /writeFile/);
+
+  const gitignore = fs.readFileSync(path.join(projectRoot, '.gitignore'), 'utf8');
+  assert.match(gitignore, /storage\//);
+
+  const compose = fs.readFileSync(path.join(projectRoot, 'infra', 'docker', 'compose.yml'), 'utf8');
+  assert.match(compose, /files_data:\/app\/storage/);
+  assert.match(compose, /^\s{2}files_data:\s*$/m);
+}
+
+function assertFilesS3Wiring(projectRoot) {
+  const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
+  assert.match(appModule, /filesS3Config/);
+  assert.match(appModule, /filesS3EnvSchemaZod/);
+  assert.match(appModule, /FilesS3ConfigModule/);
+  assert.match(appModule, /ForgeonFilesS3StorageModule/);
+
+  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
+  assert.match(apiPackage, /@forgeon\/files-s3/);
+  assert.match(apiPackage, /pnpm --filter @forgeon\/files-s3 build/);
+
+  const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
+  assert.match(apiDockerfile, /COPY packages\/files-s3\/package\.json packages\/files-s3\/package\.json/);
+  assert.match(apiDockerfile, /COPY packages\/files-s3 packages\/files-s3/);
+  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/files-s3 build/);
+
+  const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
+  assert.match(apiEnv, /FILES_STORAGE_DRIVER=s3/);
+  assert.match(apiEnv, /FILES_S3_PROVIDER_PRESET=minio/);
+  assert.match(apiEnv, /FILES_S3_BUCKET=forgeon-files/);
+  assert.match(apiEnv, /FILES_S3_REGION=/);
+  assert.match(apiEnv, /FILES_S3_ENDPOINT=/);
+  assert.match(apiEnv, /FILES_S3_FORCE_PATH_STYLE=/);
+  assert.match(apiEnv, /FILES_S3_MAX_ATTEMPTS=3/);
+
+  const compose = fs.readFileSync(path.join(projectRoot, 'infra', 'docker', 'compose.yml'), 'utf8');
+  assert.match(compose, /FILES_S3_PROVIDER_PRESET: \$\{FILES_S3_PROVIDER_PRESET\}/);
+  assert.match(compose, /FILES_S3_MAX_ATTEMPTS: \$\{FILES_S3_MAX_ATTEMPTS\}/);
+
+  const filesS3Package = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files-s3', 'package.json'),
+    'utf8',
+  );
+  assert.match(filesS3Package, /@aws-sdk\/client-s3/);
+
+  const s3Module = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files-s3', 'src', 'forgeon-files-s3-storage.module.ts'),
+    'utf8',
+  );
+  assert.match(s3Module, /ForgeonFilesS3StorageModule/);
+  assert.match(s3Module, /FORGEON_FILES_STORAGE_ADAPTER/);
+
+  const s3Adapter = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files-s3', 'src', 's3-files-storage.adapter.ts'),
+    'utf8',
+  );
+  assert.match(s3Adapter, /readonly driver = 's3'/);
+  assert.match(s3Adapter, /@aws-sdk\/client-s3/);
+  assert.match(s3Adapter, /loadS3Module/);
+}
+
 function assertFilesAccessWiring(projectRoot) {
   const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
   assert.match(appModule, /ForgeonFilesAccessModule/);
@@ -410,10 +516,12 @@ function assertFilesAccessWiring(projectRoot) {
   assert.match(healthController, /extractFilesAccessSubject/);
   assert.match(healthController, /filesAccessService\.canRead/);
 
-  const appTsx = fs.readFileSync(path.join(projectRoot, 'apps', 'web', 'src', 'App.tsx'), 'utf8');
-  assert.match(appTsx, /Check files access/);
-  assert.match(appTsx, /Files access probe response/);
-  assert.match(appTsx, /x-forgeon-user-id/);
+  assertWebProbeShell(projectRoot);
+  const probesTs = readWebProbes(projectRoot);
+  assert.match(probesTs, /"id": "files-access"/);
+  assert.match(probesTs, /"buttonLabel": "Check files access"/);
+  assert.match(probesTs, /"resultTitle": "Files access probe response"/);
+  assert.match(probesTs, /x-forgeon-user-id/);
 
   const readme = fs.readFileSync(path.join(projectRoot, 'README.md'), 'utf8');
   assert.match(readme, /## Files Access Module/);
@@ -436,7 +544,8 @@ function assertFilesQuotasWiring(projectRoot) {
   );
 
   const filesPackage = fs.readFileSync(path.join(projectRoot, 'packages', 'files', 'package.json'), 'utf8');
-  assert.match(filesPackage, /@forgeon\/files-quotas/);
+  assert.doesNotMatch(filesPackage, /@forgeon\/files-quotas/);
+  assert.match(filesPackage, /@nestjs\/core/);
 
   const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
   assert.match(
@@ -455,7 +564,9 @@ function assertFilesQuotasWiring(projectRoot) {
     path.join(projectRoot, 'packages', 'files', 'src', 'files.controller.ts'),
     'utf8',
   );
-  assert.match(filesController, /FilesQuotasService/);
+  assert.match(filesController, /ModuleRef/);
+  assert.match(filesController, /FORGEON_FILES_UPLOAD_QUOTA_SERVICE/);
+  assert.match(filesController, /getFilesUploadQuotaService/);
   assert.match(filesController, /filesQuotasService\.assertUploadAllowed/);
 
   const healthController = fs.readFileSync(
@@ -465,9 +576,11 @@ function assertFilesQuotasWiring(projectRoot) {
   assert.match(healthController, /@Get\('files-quotas'\)/);
   assert.match(healthController, /filesQuotasService\.getProbeStatus/);
 
-  const appTsx = fs.readFileSync(path.join(projectRoot, 'apps', 'web', 'src', 'App.tsx'), 'utf8');
-  assert.match(appTsx, /Check files quotas/);
-  assert.match(appTsx, /Files quotas probe response/);
+  assertWebProbeShell(projectRoot);
+  const probesTs = readWebProbes(projectRoot);
+  assert.match(probesTs, /"id": "files-quotas"/);
+  assert.match(probesTs, /"buttonLabel": "Check files quotas"/);
+  assert.match(probesTs, /"resultTitle": "Files quotas probe response"/);
 
   const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
   assert.match(apiEnv, /FILES_QUOTAS_ENABLED=true/);
@@ -552,9 +665,11 @@ function assertFilesImageWiring(projectRoot) {
   assert.match(healthController, /@Get\('files-image'\)/);
   assert.match(healthController, /filesImageService\.getProbeStatus/);
 
-  const appTsx = fs.readFileSync(path.join(projectRoot, 'apps', 'web', 'src', 'App.tsx'), 'utf8');
-  assert.match(appTsx, /Check files image sanitize/);
-  assert.match(appTsx, /Files image probe response/);
+  assertWebProbeShell(projectRoot);
+  const probesTs = readWebProbes(projectRoot);
+  assert.match(probesTs, /"id": "files-image"/);
+  assert.match(probesTs, /"buttonLabel": "Check files image sanitize"/);
+  assert.match(probesTs, /"resultTitle": "Files image probe response"/);
 
   const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
   assert.match(apiEnv, /FILES_IMAGE_ENABLED=true/);
@@ -591,68 +706,78 @@ function assertFilesImageWiring(projectRoot) {
   assert.match(readme, /metadata is stripped before storage/i);
 }
 
-function assertJwtAuthWiring(projectRoot, withPrismaStore) {
-  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
-  assert.match(apiPackage, /@forgeon\/auth-api/);
-  assert.match(apiPackage, /@forgeon\/auth-contracts/);
-  assert.match(apiPackage, /pnpm --filter @forgeon\/auth-contracts build/);
-  assert.match(apiPackage, /pnpm --filter @forgeon\/auth-api build/);
-
-  const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
-  assert.match(appModule, /authConfig/);
-  assert.match(appModule, /authEnvSchema/);
-  assert.match(appModule, /ForgeonAuthModule\.register\(/);
-  if (withPrismaStore) {
-    assert.match(appModule, /AUTH_REFRESH_TOKEN_STORE/);
-    assert.match(appModule, /PrismaAuthRefreshTokenStore/);
-  } else {
-    assert.doesNotMatch(appModule, /PrismaAuthRefreshTokenStore/);
-  }
-
-  const healthController = fs.readFileSync(
-    path.join(projectRoot, 'apps', 'api', 'src', 'health', 'health.controller.ts'),
-    'utf8',
-  );
-  assert.match(healthController, /@Get\('auth'\)/);
-  assert.match(healthController, /authService\.getProbeStatus/);
-  assert.doesNotMatch(healthController, /,\s*,/);
-
-  const appTsx = fs.readFileSync(path.join(projectRoot, 'apps', 'web', 'src', 'App.tsx'), 'utf8');
-  assert.match(appTsx, /Check JWT auth probe/);
-  assert.match(appTsx, /Auth probe response/);
-
-  const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
-  assert.match(
-    apiDockerfile,
-    /COPY packages\/auth-contracts\/package\.json packages\/auth-contracts\/package\.json/,
-  );
-  assert.match(apiDockerfile, /COPY packages\/auth-api\/package\.json packages\/auth-api\/package\.json/);
-  assert.match(apiDockerfile, /COPY packages\/auth-contracts packages\/auth-contracts/);
-  assert.match(apiDockerfile, /COPY packages\/auth-api packages\/auth-api/);
-  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/auth-contracts build/);
-  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/auth-api build/);
-
-  const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
-  assert.match(apiEnv, /JWT_ACCESS_SECRET=/);
-  assert.match(apiEnv, /JWT_REFRESH_SECRET=/);
-  assert.match(apiEnv, /AUTH_DEMO_EMAIL=/);
-  assert.match(apiEnv, /AUTH_DEMO_PASSWORD=/);
-
-  const compose = fs.readFileSync(path.join(projectRoot, 'infra', 'docker', 'compose.yml'), 'utf8');
-  assert.match(compose, /JWT_ACCESS_SECRET: \$\{JWT_ACCESS_SECRET\}/);
-  assert.match(compose, /JWT_REFRESH_SECRET: \$\{JWT_REFRESH_SECRET\}/);
-
-  const readme = fs.readFileSync(path.join(projectRoot, 'README.md'), 'utf8');
-  assert.match(readme, /## JWT Auth Module/);
-
-  const authServiceSource = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'auth-api', 'src', 'auth.service.ts'),
-    'utf8',
-  );
-  assert.match(authServiceSource, /import type \{/);
-  assert.doesNotMatch(authServiceSource, /import\s*\{\s*AUTH_ERROR_CODES/);
-}
-
+function assertAccountsWiring(projectRoot) {
+  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
+  assert.match(apiPackage, /@forgeon\/accounts-api/);
+  assert.match(apiPackage, /@forgeon\/accounts-contracts/);
+  assert.match(apiPackage, /pnpm --filter @forgeon\/accounts-contracts build/);
+  assert.match(apiPackage, /pnpm --filter @forgeon\/accounts-api build/);
+
+  const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
+  assert.match(appModule, /authConfig/);
+  assert.match(appModule, /authEnvSchema/);
+  assert.match(appModule, /ForgeonAccountsDbPrismaModule/);
+  assert.match(appModule, /ForgeonAccountsModule\.register\(\{/);
+  assert.match(appModule, /UsersModule\.register\(\{\}\)/);
+  assert.doesNotMatch(appModule, /AUTH_REFRESH_TOKEN_STORE/);
+
+  const healthController = fs.readFileSync(
+    path.join(projectRoot, 'apps', 'api', 'src', 'health', 'health.controller.ts'),
+    'utf8',
+  );
+  assert.match(healthController, /@Get\('auth'\)/);
+  assert.match(healthController, /authService\.getProbeStatus/);
+  assert.doesNotMatch(healthController, /,\s*,/);
+
+  assertWebProbeShell(projectRoot);
+  const probesTs = readWebProbes(projectRoot);
+  assert.match(probesTs, /"id": "auth"/);
+  assert.match(probesTs, /"buttonLabel": "Check accounts probe"/);
+  assert.match(probesTs, /"resultTitle": "Accounts probe response"/);
+
+  const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
+  assert.match(
+    apiDockerfile,
+    /COPY packages\/accounts-contracts\/package\.json packages\/accounts-contracts\/package\.json/,
+  );
+  assert.match(apiDockerfile, /COPY packages\/accounts-api\/package\.json packages\/accounts-api\/package\.json/);
+  assert.match(apiDockerfile, /COPY packages\/accounts-contracts packages\/accounts-contracts/);
+  assert.match(apiDockerfile, /COPY packages\/accounts-api packages\/accounts-api/);
+  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/accounts-contracts build/);
+  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/accounts-api build/);
+
+  const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
+  assert.match(apiEnv, /JWT_ACCESS_SECRET=/);
+  assert.match(apiEnv, /JWT_REFRESH_SECRET=/);
+  assert.match(apiEnv, /AUTH_ARGON2_MEMORY_COST=/);
+  assert.match(apiEnv, /AUTH_ARGON2_PARALLELISM=/);
+
+  const compose = fs.readFileSync(path.join(projectRoot, 'infra', 'docker', 'compose.yml'), 'utf8');
+  assert.match(compose, /JWT_ACCESS_SECRET: \$\{JWT_ACCESS_SECRET\}/);
+  assert.match(compose, /JWT_REFRESH_SECRET: \$\{JWT_REFRESH_SECRET\}/);
+  assert.match(compose, /AUTH_ARGON2_MEMORY_COST: \$\{AUTH_ARGON2_MEMORY_COST\}/);
+
+  const readme = fs.readFileSync(path.join(projectRoot, 'README.md'), 'utf8');
+  assert.match(readme, /## Accounts Module/);
+  assert.match(readme, /owner-scoped user routes/);
+  assert.match(readme, /AccountsEmailPort/);
+
+  const authServiceSource = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'accounts-api', 'src', 'auth.service.ts'),
+    'utf8',
+  );
+  assert.match(authServiceSource, /import type \{ RegisterRequest \} from '@forgeon\/accounts-contracts';/);
+
+  const prismaStorePath = path.join(
+    projectRoot,
+    'apps',
+    'api',
+    'src',
+    'accounts',
+    'prisma-accounts-persistence.store.ts',
+  );
+  assert.equal(fs.existsSync(prismaStorePath), true);
+}
 function stripDbPrismaArtifacts(projectRoot) {
   const dbPackageDir = path.join(projectRoot, 'packages', 'db-prisma');
   if (fs.existsSync(dbPackageDir)) {
@@ -1188,6 +1313,16 @@ describe('addModule', () => {
       assert.match(loggerModule, /ForgeonHttpLoggingMiddleware/);
       assert.match(loggerModule, /consumer\.apply\(RequestIdMiddleware, ForgeonHttpLoggingMiddleware\)\.forRoutes\('\*'\);/);
 
+      const loggerIndex = fs.readFileSync(
+        path.join(projectRoot, 'packages', 'logger', 'src', 'index.ts'),
+        'utf8',
+      );
+      assert.doesNotMatch(loggerIndex, /http-logging\.interceptor/);
+      assert.equal(
+        fs.existsSync(path.join(projectRoot, 'packages', 'logger', 'src', 'http-logging.interceptor.ts')),
+        false,
+      );
+
       const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
       assert.match(apiEnv, /LOGGER_LEVEL=log/);
       assert.match(apiEnv, /LOGGER_HTTP_ENABLED=true/);
@@ -1405,17 +1540,21 @@ describe('addModule', () => {
         packageRoot,
       });
 
-      const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
-      assert.match(apiEnv, /FILES_STORAGE_DRIVER=s3/);
-
-      const filesService = fs.readFileSync(
-        path.join(projectRoot, 'packages', 'files', 'src', 'files.service.ts'),
-        'utf8',
-      );
-      assert.match(filesService, /storeS3/);
-      assert.match(filesService, /openS3/);
-      assert.match(filesService, /deleteS3/);
-      assert.match(filesService, /@aws-sdk\/client-s3/);
+      const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
+      assert.match(apiEnv, /FILES_STORAGE_DRIVER=s3/);
+
+      const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
+      assert.match(appModule, /ForgeonFilesS3StorageModule/);
+      assert.doesNotMatch(appModule, /imports: \[ForgeonFilesDbPrismaModule, ForgeonFilesLocalStorageModule\]/);
+
+      const filesService = fs.readFileSync(
+        path.join(projectRoot, 'packages', 'files', 'src', 'files.service.ts'),
+        'utf8',
+      );
+      assert.doesNotMatch(filesService, /storeS3/);
+      assert.doesNotMatch(filesService, /openS3/);
+      assert.doesNotMatch(filesService, /deleteS3/);
+      assert.doesNotMatch(filesService, /@aws-sdk\/client-s3/);
     } finally {
       fs.rmSync(targetRoot, { recursive: true, force: true });
     }
@@ -1604,8 +1743,9 @@ describe('addModule', () => {
       assert.match(healthController, /@Get\('files-access'\)/);
       assert.match(healthController, /@Get\('files-quotas'\)/);
 
-      const appTsx = fs.readFileSync(path.join(projectRoot, 'apps', 'web', 'src', 'App.tsx'), 'utf8');
-      const filesChecks = appTsx.match(/Check files /g) ?? [];
+      assertWebProbeShell(projectRoot);
+      const probesTs = readWebProbes(projectRoot);
+      const filesChecks = probesTs.match(/"buttonLabel": "Check files /g) ?? [];
       assert.equal(filesChecks.length, 5);
     } finally {
       fs.rmSync(targetRoot, { recursive: true, force: true });
@@ -1925,6 +2065,51 @@ describe('addModule', () => {
     }
   });
 
+
+  it('applies i18n after probe modules and preserves managed probe registry entries', () => {
+    const targetRoot = mkTmp('forgeon-module-i18n-probes-');
+    const projectRoot = path.join(targetRoot, 'demo-i18n-probes');
+    const templateRoot = path.join(packageRoot, 'templates', 'base');
+
+    try {
+      scaffoldProject({
+        templateRoot,
+        packageRoot,
+        targetRoot: projectRoot,
+        projectName: 'demo-i18n-probes',
+        frontend: 'react',
+        db: 'prisma',
+        dbPrismaEnabled: true,
+        i18nEnabled: false,
+        proxy: 'caddy',
+      });
+
+      addModule({ moduleId: 'rate-limit', targetRoot: projectRoot, packageRoot });
+      addModule({ moduleId: 'rbac', targetRoot: projectRoot, packageRoot });
+
+      const probesBeforeI18n = readWebProbes(projectRoot);
+      assert.match(probesBeforeI18n, /"id": "rate-limit"/);
+      assert.match(probesBeforeI18n, /"id": "rbac"/);
+
+      const i18nResult = addModule({
+        moduleId: 'i18n',
+        targetRoot: projectRoot,
+        packageRoot,
+      });
+      assert.equal(i18nResult.applied, true);
+
+      const probesAfterI18n = readWebProbes(projectRoot);
+      assert.match(probesAfterI18n, /"id": "rate-limit"/);
+      assert.match(probesAfterI18n, /"id": "rbac"/);
+
+      const rateLimitIndex = probesAfterI18n.indexOf('"id": "rate-limit"');
+      const rbacIndex = probesAfterI18n.indexOf('"id": "rbac"');
+      assert.equal(rbacIndex >= 0 && rateLimitIndex > rbacIndex, true);
+    } finally {
+      fs.rmSync(targetRoot, { recursive: true, force: true });
+    }
+  });
+
   it('applies swagger -> logger -> i18n and keeps all module wiring', () => {
     const targetRoot = mkTmp('forgeon-module-mixed-order-');
     const projectRoot = path.join(targetRoot, 'demo-mixed-order');
@@ -1979,239 +2164,175 @@ describe('addModule', () => {
     }
   });
 
-  it('applies jwt-auth with db-prisma as stateless first, then wires persistence via explicit sync', () => {
-    const targetRoot = mkTmp('forgeon-module-jwt-db-');
-    const projectRoot = path.join(targetRoot, 'demo-jwt-db');
-    const templateRoot = path.join(packageRoot, 'templates', 'base');
-
-    try {
-      scaffoldProject({
-        templateRoot,
-        packageRoot,
-        targetRoot: projectRoot,
-        projectName: 'demo-jwt-db',
-        frontend: 'react',
-        db: 'prisma',
-        dbPrismaEnabled: true,
-        i18nEnabled: true,
-        proxy: 'caddy',
-      });
-
-      const result = addModule({
-        moduleId: 'jwt-auth',
-        targetRoot: projectRoot,
-        packageRoot,
-      });
-
-      assert.equal(result.applied, true);
-      assertJwtAuthWiring(projectRoot, false);
-
-      const syncResult = syncIntegrations({ targetRoot: projectRoot, packageRoot });
-      const dbPair = syncResult.summary.find((item) => item.id === 'auth-persistence');
-      assert.ok(dbPair);
-      assert.equal(dbPair.result.applied, true);
-      assert.equal(syncResult.changedFiles.length > 0, true);
-
-      assertJwtAuthWiring(projectRoot, true);
-
-      const storeFile = path.join(
-        projectRoot,
-        'apps',
-        'api',
-        'src',
-        'auth',
-        'prisma-auth-refresh-token.store.ts',
-      );
-      assert.equal(fs.existsSync(storeFile), true);
-
-      const schema = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'prisma', 'schema.prisma'), 'utf8');
-      assert.match(schema, /refreshTokenHash/);
-
-      const migrationPath = path.join(
-        projectRoot,
-        'apps',
-        'api',
-        'prisma',
-        'migrations',
-        '0002_auth_refresh_token_hash',
-        'migration.sql',
-      );
-      assert.equal(fs.existsSync(migrationPath), true);
-
-      const readme = fs.readFileSync(path.join(projectRoot, 'README.md'), 'utf8');
-      assert.match(readme, /refresh token persistence: enabled/);
-      assert.match(readme, /db-adapter/);
-      assert.match(readme, /current provider: `db-prisma`/);
-      assert.match(readme, /0002_auth_refresh_token_hash/);
-
-      const moduleDoc = fs.readFileSync(result.docsPath, 'utf8');
-      assert.match(moduleDoc, /Status: implemented/);
-      assert.match(moduleDoc, /db-adapter/);
-    } finally {
-      fs.rmSync(targetRoot, { recursive: true, force: true });
-    }
-  });
-
-  it('applies jwt-auth without db and keeps stateless fallback until pair sync is available', () => {
-    const targetRoot = mkTmp('forgeon-module-jwt-nodb-');
-    const projectRoot = path.join(targetRoot, 'demo-jwt-nodb');
-    const templateRoot = path.join(packageRoot, 'templates', 'base');
-
-    try {
-      scaffoldProject({
-        templateRoot,
-        packageRoot,
-        targetRoot: projectRoot,
-        projectName: 'demo-jwt-nodb',
-        frontend: 'react',
-        db: 'prisma',
-        dbPrismaEnabled: true,
-        i18nEnabled: false,
-        proxy: 'caddy',
-      });
-
-      stripDbPrismaArtifacts(projectRoot);
-
-      const result = addModule({
-        moduleId: 'jwt-auth',
-        targetRoot: projectRoot,
-        packageRoot,
-      });
-
-      assert.equal(result.applied, true);
-      assertJwtAuthWiring(projectRoot, false);
-      assert.equal(
-        fs.existsSync(path.join(projectRoot, 'apps', 'api', 'src', 'auth', 'prisma-auth-refresh-token.store.ts')),
-        false,
-      );
-
-      const readme = fs.readFileSync(path.join(projectRoot, 'README.md'), 'utf8');
-      assert.match(readme, /refresh token persistence: disabled/);
-      assert.match(readme, /db-adapter/);
-      assert.match(readme, /create-forgeon add db-prisma/);
-
-    } finally {
-      fs.rmSync(targetRoot, { recursive: true, force: true });
-    }
-  });
-
-  it('detects and applies jwt-auth + rbac claims integration explicitly', () => {
-    const targetRoot = mkTmp('forgeon-module-jwt-rbac-');
-    const projectRoot = path.join(targetRoot, 'demo-jwt-rbac');
-    const templateRoot = path.join(packageRoot, 'templates', 'base');
-
-    try {
-      scaffoldProject({
-        templateRoot,
-        packageRoot,
-        targetRoot: projectRoot,
-        projectName: 'demo-jwt-rbac',
-        frontend: 'react',
-        db: 'prisma',
-        dbPrismaEnabled: false,
-        i18nEnabled: false,
-        proxy: 'caddy',
-      });
-
-      addModule({
-        moduleId: 'rbac',
-        targetRoot: projectRoot,
-        packageRoot,
-      });
-      addModule({
-        moduleId: 'jwt-auth',
-        targetRoot: projectRoot,
-        packageRoot,
-      });
-
-      const scan = scanIntegrations({
-        targetRoot: projectRoot,
-        relatedModuleId: 'jwt-auth',
-      });
-      assert.equal(scan.groups.some((group) => group.id === 'auth-rbac-claims'), true);
-
-      const syncResult = syncIntegrations({
-        targetRoot: projectRoot,
-        packageRoot,
-        groupIds: ['auth-rbac-claims'],
-      });
-      const claimsPair = syncResult.summary.find((item) => item.id === 'auth-rbac-claims');
-      assert.ok(claimsPair);
-      assert.equal(claimsPair.result.applied, true);
-
-      const authContracts = fs.readFileSync(
-        path.join(projectRoot, 'packages', 'auth-contracts', 'src', 'index.ts'),
-        'utf8',
-      );
-      assert.match(authContracts, /permissions\?: string\[\];/);
-
-      const authService = fs.readFileSync(
-        path.join(projectRoot, 'packages', 'auth-api', 'src', 'auth.service.ts'),
-        'utf8',
-      );
-      assert.match(authService, /permissions: \['health\.rbac'\]/);
-      assert.match(authService, /permissions: user\.permissions,/);
-      assert.match(
-        authService,
-        /permissions: Array\.isArray\(payload\.permissions\) \? payload\.permissions : \[\],/,
-      );
-
-      const authController = fs.readFileSync(
-        path.join(projectRoot, 'packages', 'auth-api', 'src', 'auth.controller.ts'),
-        'utf8',
-      );
-      assert.match(
-        authController,
-        /permissions: Array\.isArray\(payload\.permissions\) \? payload\.permissions : \[\],/,
-      );
-    } finally {
-      fs.rmSync(targetRoot, { recursive: true, force: true });
-    }
-  });
-
-  it('scans auth persistence as db-adapter participant while remaining triggerable from db-prisma install order', () => {
-    const targetRoot = mkTmp('forgeon-module-jwt-db-scan-');
-    const projectRoot = path.join(targetRoot, 'demo-jwt-db-scan');
-    const templateRoot = path.join(packageRoot, 'templates', 'base');
-
-    try {
-      scaffoldProject({
-        templateRoot,
-        packageRoot,
-        targetRoot: projectRoot,
-        projectName: 'demo-jwt-db-scan',
-        frontend: 'react',
-        db: 'prisma',
-        dbPrismaEnabled: false,
-        i18nEnabled: false,
-        proxy: 'caddy',
-      });
-
-      addModule({
-        moduleId: 'jwt-auth',
-        targetRoot: projectRoot,
-        packageRoot,
-      });
-      addModule({
-        moduleId: 'db-prisma',
-        targetRoot: projectRoot,
-        packageRoot,
-      });
-
-      const scan = scanIntegrations({
-        targetRoot: projectRoot,
-        relatedModuleId: 'db-prisma',
-      });
-      const persistenceGroup = scan.groups.find((group) => group.id === 'auth-persistence');
-
-      assert.ok(persistenceGroup);
-      assert.deepEqual(persistenceGroup.modules, ['jwt-auth', 'db-adapter']);
-    } finally {
-      fs.rmSync(targetRoot, { recursive: true, force: true });
-    }
-  });
-
-  it('applies logger then jwt-auth on db/i18n-disabled scaffold without breaking health controller syntax', () => {
+  it('applies accounts with db-prisma and wires the DB-backed runtime immediately', () => {
+    const targetRoot = mkTmp('forgeon-module-accounts-db-');
+    const projectRoot = path.join(targetRoot, 'demo-accounts-db');
+    const templateRoot = path.join(packageRoot, 'templates', 'base');
+
+    try {
+      scaffoldProject({
+        templateRoot,
+        packageRoot,
+        targetRoot: projectRoot,
+        projectName: 'demo-accounts-db',
+        frontend: 'react',
+        db: 'prisma',
+        dbPrismaEnabled: true,
+        i18nEnabled: true,
+        proxy: 'caddy',
+      });
+
+      const result = addModule({
+        moduleId: 'accounts',
+        targetRoot: projectRoot,
+        packageRoot,
+      });
+
+      assert.equal(result.applied, true);
+      assertAccountsWiring(projectRoot);
+
+      const schema = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'prisma', 'schema.prisma'), 'utf8');
+      assert.match(schema, /model UserProfile/);
+      assert.match(schema, /model UserSettings/);
+      assert.match(schema, /model AuthIdentity/);
+      assert.match(schema, /model AuthCredential/);
+      assert.match(schema, /model AuthRefreshToken/);
+      assert.doesNotMatch(schema, /roles\s+/i);
+      assert.doesNotMatch(schema, /permissions\s+/i);
+
+      const migrationPath = path.join(
+        projectRoot,
+        'apps',
+        'api',
+        'prisma',
+        'migrations',
+        '0002_accounts_core',
+        'migration.sql',
+      );
+      assert.equal(fs.existsSync(migrationPath), true);
+
+      const readme = fs.readFileSync(path.join(projectRoot, 'README.md'), 'utf8');
+      assert.match(readme, /POST \/api\/auth\/register/);
+      assert.match(readme, /POST \/api\/auth\/password-reset\/request/);
+      assert.match(readme, /\/api\/users\/:id\/settings/);
+
+      const moduleDoc = fs.readFileSync(result.docsPath, 'utf8');
+      assert.match(moduleDoc, /Status: implemented/);
+      assert.match(moduleDoc, /db-adapter/);
+      assert.match(moduleDoc, /owner-scoped/);
+    } finally {
+      fs.rmSync(targetRoot, { recursive: true, force: true });
+    }
+  });
+
+  it('detects and applies accounts-rbac compatibility sync explicitly', () => {
+    const targetRoot = mkTmp('forgeon-module-accounts-rbac-');
+    const projectRoot = path.join(targetRoot, 'demo-accounts-rbac');
+    const templateRoot = path.join(packageRoot, 'templates', 'base');
+
+    try {
+      scaffoldProject({
+        templateRoot,
+        packageRoot,
+        targetRoot: projectRoot,
+        projectName: 'demo-accounts-rbac',
+        frontend: 'react',
+        db: 'prisma',
+        dbPrismaEnabled: true,
+        i18nEnabled: false,
+        proxy: 'caddy',
+      });
+
+      addModule({
+        moduleId: 'rbac',
+        targetRoot: projectRoot,
+        packageRoot,
+      });
+      addModule({
+        moduleId: 'accounts',
+        targetRoot: projectRoot,
+        packageRoot,
+      });
+
+      const scan = scanIntegrations({
+        targetRoot: projectRoot,
+        relatedModuleId: 'accounts',
+      });
+      assert.equal(scan.groups.some((group) => group.id === 'accounts-rbac'), true);
+
+      const syncResult = syncIntegrations({
+        targetRoot: projectRoot,
+        packageRoot,
+        groupIds: ['accounts-rbac'],
+      });
+      const claimsPair = syncResult.summary.find((item) => item.id === 'accounts-rbac');
+      assert.ok(claimsPair);
+      assert.equal(claimsPair.result.applied, true);
+
+      const contracts = fs.readFileSync(
+        path.join(projectRoot, 'packages', 'accounts-contracts', 'src', 'index.ts'),
+        'utf8',
+      );
+      assert.match(contracts, /roles\?: string\[\];/);
+      assert.match(contracts, /permissions\?: string\[\];/);
+
+      const authTypes = fs.readFileSync(
+        path.join(projectRoot, 'packages', 'accounts-api', 'src', 'auth.types.ts'),
+        'utf8',
+      );
+      assert.match(authTypes, /roles\?: string\[\];/);
+      assert.match(authTypes, /permissions\?: string\[\];/);
+
+      const readme = fs.readFileSync(path.join(projectRoot, 'README.md'), 'utf8');
+      assert.match(readme, /forgeon:accounts:rbac:start/);
+      assert.match(readme, /base accounts schema remains free of roles and permissions/);
+    } finally {
+      fs.rmSync(targetRoot, { recursive: true, force: true });
+    }
+  });
+
+  it('scans accounts-rbac compatibility when accounts and rbac are both installed', () => {
+    const targetRoot = mkTmp('forgeon-module-accounts-rbac-scan-');
+    const projectRoot = path.join(targetRoot, 'demo-accounts-rbac-scan');
+    const templateRoot = path.join(packageRoot, 'templates', 'base');
+
+    try {
+      scaffoldProject({
+        templateRoot,
+        packageRoot,
+        targetRoot: projectRoot,
+        projectName: 'demo-accounts-rbac-scan',
+        frontend: 'react',
+        db: 'prisma',
+        dbPrismaEnabled: true,
+        i18nEnabled: false,
+        proxy: 'caddy',
+      });
+
+      addModule({
+        moduleId: 'accounts',
+        targetRoot: projectRoot,
+        packageRoot,
+      });
+      addModule({
+        moduleId: 'rbac',
+        targetRoot: projectRoot,
+        packageRoot,
+      });
+
+      const scan = scanIntegrations({
+        targetRoot: projectRoot,
+        relatedModuleId: 'rbac',
+      });
+      const compatibilityGroup = scan.groups.find((group) => group.id === 'accounts-rbac');
+
+      assert.ok(compatibilityGroup);
+      assert.deepEqual(compatibilityGroup.modules, ['accounts', 'rbac']);
+    } finally {
+      fs.rmSync(targetRoot, { recursive: true, force: true });
+    }
+  });
+  it('applies logger then accounts on db/i18n-disabled scaffold without breaking health controller syntax', () => {
     const targetRoot = mkTmp('forgeon-module-jwt-nodb-noi18n-');
     const projectRoot = path.join(targetRoot, 'demo-jwt-nodb-noi18n');
     const templateRoot = path.join(packageRoot, 'templates', 'base');
@@ -2235,7 +2356,7 @@ describe('addModule', () => {
         packageRoot,
       });
       addModule({
-        moduleId: 'jwt-auth',
+        moduleId: 'accounts',
         targetRoot: projectRoot,
         packageRoot,
       });
@@ -2259,7 +2380,7 @@ describe('addModule', () => {
     }
   });
 
-  it('keeps health controller valid for add sequence jwt-auth -> logger -> swagger -> i18n -> db-prisma on db/i18n-disabled scaffold', () => {
+  it('keeps health controller valid for add sequence accounts -> logger -> swagger -> i18n -> db-prisma on db/i18n-disabled scaffold', () => {
     const targetRoot = mkTmp('forgeon-module-seq-health-valid-');
     const projectRoot = path.join(targetRoot, 'demo-seq-health-valid');
     const templateRoot = path.join(packageRoot, 'templates', 'base');
@@ -2277,7 +2398,7 @@ describe('addModule', () => {
         proxy: 'caddy',
       });
 
-      for (const moduleId of ['jwt-auth', 'logger', 'swagger', 'i18n', 'db-prisma']) {
+      for (const moduleId of ['accounts', 'logger', 'swagger', 'i18n', 'db-prisma']) {
         addModule({ moduleId, targetRoot: projectRoot, packageRoot });
       }
 
@@ -2312,9 +2433,9 @@ describe('addModule', () => {
     }
   });
 
-  it('applies swagger then jwt-auth without forcing swagger dependency in auth-api', () => {
-    const targetRoot = mkTmp('forgeon-module-jwt-swagger-');
-    const projectRoot = path.join(targetRoot, 'demo-jwt-swagger');
+  it('applies swagger then accounts without forcing swagger dependency in accounts-api', () => {
+    const targetRoot = mkTmp('forgeon-module-accounts-swagger-');
+    const projectRoot = path.join(targetRoot, 'demo-accounts-swagger');
     const templateRoot = path.join(packageRoot, 'templates', 'base');
 
     try {
@@ -2322,7 +2443,7 @@ describe('addModule', () => {
         templateRoot,
         packageRoot,
         targetRoot: projectRoot,
-        projectName: 'demo-jwt-swagger',
+        projectName: 'demo-accounts-swagger',
         frontend: 'react',
         db: 'prisma',
         dbPrismaEnabled: false,
@@ -2336,15 +2457,15 @@ describe('addModule', () => {
         packageRoot,
       });
       addModule({
-        moduleId: 'jwt-auth',
+        moduleId: 'accounts',
         targetRoot: projectRoot,
         packageRoot,
       });
 
-      const authApiPackage = JSON.parse(
-        fs.readFileSync(path.join(projectRoot, 'packages', 'auth-api', 'package.json'), 'utf8'),
+      const accountsApiPackage = JSON.parse(
+        fs.readFileSync(path.join(projectRoot, 'packages', 'accounts-api', 'package.json'), 'utf8'),
       );
-      assert.equal(Object.hasOwn(authApiPackage.dependencies ?? {}, '@nestjs/swagger'), false);
+      assert.equal(Object.hasOwn(accountsApiPackage.dependencies ?? {}, '@nestjs/swagger'), false);
     } finally {
       fs.rmSync(targetRoot, { recursive: true, force: true });
     }
@@ -2368,7 +2489,7 @@ describe('addModule', () => {
         proxy: 'caddy',
       });
 
-      for (const moduleId of ['jwt-auth', 'logger', 'swagger', 'rate-limit', 'i18n', 'db-prisma']) {
+      for (const moduleId of ['accounts', 'logger', 'swagger', 'rate-limit', 'i18n', 'db-prisma']) {
         addModule({ moduleId, targetRoot: projectRoot, packageRoot });
       }
 
@@ -2405,7 +2526,7 @@ describe('addModule', () => {
         proxy: 'caddy',
       });
 
-      for (const moduleId of ['jwt-auth', 'logger', 'rate-limit', 'rbac', 'swagger', 'i18n', 'db-prisma']) {
+      for (const moduleId of ['accounts', 'logger', 'rate-limit', 'rbac', 'swagger', 'i18n', 'db-prisma']) {
         addModule({ moduleId, targetRoot: projectRoot, packageRoot });
       }
 
@@ -2503,3 +2624,13 @@ describe('addModule', () => {
 });
 
 
+
+
+
+
+
+
+
+
+
+