create-forgeon 0.3.20 → 0.3.21

package/src/modules/executor.test.mjs

@@ -234,239 +234,239 @@ function assertRbacWiring(projectRoot) {
   assert.match(readme, /accounts.*optional/i);
 }
 
-function assertFilesWiring(projectRoot, expectedStorageDriver = 'local') {
-  const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
-  assert.match(appModule, /filesConfig/);
-  assert.match(appModule, /filesEnvSchema/);
-  assert.match(appModule, /ForgeonFilesModule\.register\(\{/);
-  assert.doesNotMatch(appModule, /ForgeonFilesDbPrismaModule/);
-  if (expectedStorageDriver === 's3') {
-    assert.match(appModule, /ForgeonFilesS3StorageModule/);
-    assert.doesNotMatch(appModule, /ForgeonFilesLocalStorageModule/);
-  } else {
-    assert.match(appModule, /ForgeonFilesLocalStorageModule/);
-  }
-
-  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
-  assert.match(apiPackage, /@forgeon\/files/);
-  assert.match(apiPackage, /pnpm --filter @forgeon\/files build/);
-
-  const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
-  assert.match(apiDockerfile, /COPY packages\/files\/package\.json packages\/files\/package\.json/);
-  assert.match(apiDockerfile, /COPY packages\/files packages\/files/);
-  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/files build/);
-
-  const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
-  assert.match(apiEnv, /FILES_ENABLED=true/);
-  assert.match(apiEnv, new RegExp('FILES_STORAGE_DRIVER=' + expectedStorageDriver));
-  assert.match(apiEnv, /FILES_PUBLIC_BASE_PATH=\/files/);
-  assert.match(apiEnv, /FILES_MAX_FILE_SIZE_BYTES=10485760/);
-  assert.match(apiEnv, /FILES_ALLOWED_MIME_PREFIXES=image\/,application\/pdf,text\//);
-
-  const healthController = fs.readFileSync(
-    path.join(projectRoot, 'apps', 'api', 'src', 'health', 'health.controller.ts'),
-    'utf8',
-  );
-  assert.match(healthController, /@Post\('files'\)/);
-  assert.match(healthController, /@Get\('files-variants'\)/);
-  assert.match(healthController, /filesService\.createProbeRecord/);
-  assert.match(healthController, /filesService\.getVariantsProbeStatus/);
-  assert.match(healthController, /filesService\.deleteByPublicId/);
-
-  const filesController = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'files', 'src', 'files.controller.ts'),
-    'utf8',
-  );
-  assert.match(filesController, /@Query\('variant'\) variantQuery\?: string/);
-  assert.match(filesController, /parseVariant\(variantQuery\)/);
-  assert.match(filesController, /@Delete\(':publicId'\)/);
-
-  const filesService = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'files', 'src', 'files.service.ts'),
-    'utf8',
-  );
-  assert.match(filesService, /FilesStore/);
-  assert.match(filesService, /FILES_STORAGE_ADAPTER/);
-  assert.match(filesService, /requireStorageAdapter/);
-  assert.match(filesService, /getOrCreateBlob/);
-  assert.match(filesService, /cleanupReferencedBlobs/);
-  assert.match(filesService, /isUniqueConstraintError/);
-  assert.match(filesService, /storageAdapter\.put/);
-  assert.match(filesService, /filesStore\.createBlob/);
-  assert.match(filesService, /filesStore\.deleteBlobIfUnreferenced/);
-  assert.doesNotMatch(filesService, /FILES_PERSISTENCE_PORT/);
-  assert.doesNotMatch(filesService, /PrismaService/);
-  assert.doesNotMatch(filesService, /@aws-sdk\/client-s3/);
-
-  const filesPorts = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'files', 'src', 'files.ports.ts'),
-    'utf8',
-  );
-  assert.doesNotMatch(filesPorts, /FILES_PERSISTENCE_PORT/);
-  assert.doesNotMatch(filesPorts, /interface FilesPersistencePort/);
-  assert.match(filesPorts, /FILES_STORAGE_ADAPTER/);
-  assert.match(filesPorts, /interface FilesStorageAdapter/);
-
-  const filesStore = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'files', 'src', 'files.store.ts'),
-    'utf8',
-  );
-  assert.match(filesStore, /PrismaService/);
-  assert.match(filesStore, /fileBlob\.deleteMany/);
-
-  const filesModule = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'files', 'src', 'forgeon-files.module.ts'),
-    'utf8',
-  );
-  assert.match(filesModule, /ForgeonFilesModuleOptions/);
-  assert.match(filesModule, /static register\(options: ForgeonFilesModuleOptions = \{\}\)/);
-  assert.match(filesModule, /DbPrismaModule/);
-  assert.match(filesModule, /FilesStore/);
-  assert.doesNotMatch(filesModule, /FILES_PERSISTENCE_PORT/);
-
-  const filesPackage = fs.readFileSync(path.join(projectRoot, 'packages', 'files', 'package.json'), 'utf8');
-  assert.match(filesPackage, /@forgeon\/db-prisma/);
-
-  const prismaFilesDir = path.join(projectRoot, 'apps', 'api', 'src', 'files');
-  assert.equal(fs.existsSync(path.join(prismaFilesDir, 'prisma-files-persistence.store.ts')), false);
-  assert.equal(fs.existsSync(path.join(prismaFilesDir, 'forgeon-files-db-prisma.module.ts')), false);
-
-  assertWebProbeShell(projectRoot);
-  const probesTs = readWebProbes(projectRoot);
-  assert.match(probesTs, /"id": "files"/);
-  assert.match(probesTs, /"buttonLabel": "Check files probe \(create metadata\)"/);
-  assert.match(probesTs, /"resultTitle": "Files probe response"/);
-  assert.match(probesTs, /"id": "files-variants"/);
-  assert.match(probesTs, /"buttonLabel": "Check files variants capability"/);
-  assert.match(probesTs, /"resultTitle": "Files variants probe response"/);
-
-  const schema = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'prisma', 'schema.prisma'), 'utf8');
-  assert.match(schema, /model FileRecord \{/);
-  assert.match(schema, /variants\s+FileVariant\[\]/);
-  assert.match(schema, /model FileVariant \{/);
-  assert.match(schema, /model FileBlob \{/);
-  assert.match(schema, /blobId\s+String/);
-  assert.match(schema, /@@unique\(\[hash,\s*size,\s*mimeType,\s*storageDriver\]\)/);
-  assert.match(schema, /@@unique\(\[fileId,\s*variantKey\]\)/);
-  assert.match(schema, /publicId\s+String\s+@unique/);
-  assert.match(schema, /@@index\(\[ownerType,\s*ownerId,\s*createdAt\]\)/);
-
-  const migration = path.join(
-    projectRoot,
-    'apps',
-    'api',
-    'prisma',
-    'migrations',
-    '20260306_files_file_record',
-    'migration.sql',
-  );
-  assert.equal(fs.existsSync(migration), true);
-
-  const variantMigration = path.join(
-    projectRoot,
-    'apps',
-    'api',
-    'prisma',
-    'migrations',
-    '20260306_files_file_variant',
-    'migration.sql',
-  );
-  assert.equal(fs.existsSync(variantMigration), true);
-}
-
-function assertFilesLocalWiring(projectRoot) {
-  const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
-  assert.match(appModule, /filesLocalConfig/);
-  assert.match(appModule, /filesLocalEnvSchemaZod/);
-  assert.match(appModule, /FilesLocalConfigModule/);
-  assert.match(appModule, /ForgeonFilesLocalStorageModule/);
-
-  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
-  assert.match(apiPackage, /@forgeon\/files-local/);
-  assert.match(apiPackage, /pnpm --filter @forgeon\/files-local build/);
-
-  const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
-  assert.match(apiDockerfile, /COPY packages\/files-local\/package\.json packages\/files-local\/package\.json/);
-  assert.match(apiDockerfile, /COPY packages\/files-local packages\/files-local/);
-  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/files-local build/);
-
-  const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
-  assert.match(apiEnv, /FILES_LOCAL_ROOT=storage\/uploads/);
-
-  const localModule = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'files-local', 'src', 'forgeon-files-local-storage.module.ts'),
-    'utf8',
-  );
-  assert.match(localModule, /ForgeonFilesLocalStorageModule/);
-  assert.match(localModule, /FORGEON_FILES_STORAGE_ADAPTER/);
-
-  const localAdapter = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'files-local', 'src', 'local-files-storage.adapter.ts'),
-    'utf8',
-  );
-  assert.match(localAdapter, /readonly driver = 'local'/);
-  assert.match(localAdapter, /createReadStream/);
-  assert.match(localAdapter, /writeFile/);
-
-  const gitignore = fs.readFileSync(path.join(projectRoot, '.gitignore'), 'utf8');
-  assert.match(gitignore, /storage\//);
-
-  const compose = fs.readFileSync(path.join(projectRoot, 'infra', 'docker', 'compose.yml'), 'utf8');
-  assert.match(compose, /files_data:\/app\/storage/);
-  assert.match(compose, /^\s{2}files_data:\s*$/m);
-}
-
-function assertFilesS3Wiring(projectRoot) {
-  const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
-  assert.match(appModule, /filesS3Config/);
-  assert.match(appModule, /filesS3EnvSchemaZod/);
-  assert.match(appModule, /FilesS3ConfigModule/);
-  assert.match(appModule, /ForgeonFilesS3StorageModule/);
-
-  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
-  assert.match(apiPackage, /@forgeon\/files-s3/);
-  assert.match(apiPackage, /pnpm --filter @forgeon\/files-s3 build/);
-
-  const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
-  assert.match(apiDockerfile, /COPY packages\/files-s3\/package\.json packages\/files-s3\/package\.json/);
-  assert.match(apiDockerfile, /COPY packages\/files-s3 packages\/files-s3/);
-  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/files-s3 build/);
-
-  const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
-  assert.match(apiEnv, /FILES_STORAGE_DRIVER=s3/);
-  assert.match(apiEnv, /FILES_S3_PROVIDER_PRESET=minio/);
-  assert.match(apiEnv, /FILES_S3_BUCKET=forgeon-files/);
-  assert.match(apiEnv, /FILES_S3_REGION=/);
-  assert.match(apiEnv, /FILES_S3_ENDPOINT=/);
-  assert.match(apiEnv, /FILES_S3_FORCE_PATH_STYLE=/);
-  assert.match(apiEnv, /FILES_S3_MAX_ATTEMPTS=3/);
-
-  const compose = fs.readFileSync(path.join(projectRoot, 'infra', 'docker', 'compose.yml'), 'utf8');
-  assert.match(compose, /FILES_S3_PROVIDER_PRESET: \$\{FILES_S3_PROVIDER_PRESET\}/);
-  assert.match(compose, /FILES_S3_MAX_ATTEMPTS: \$\{FILES_S3_MAX_ATTEMPTS\}/);
-
-  const filesS3Package = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'files-s3', 'package.json'),
-    'utf8',
-  );
-  assert.match(filesS3Package, /@aws-sdk\/client-s3/);
-
-  const s3Module = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'files-s3', 'src', 'forgeon-files-s3-storage.module.ts'),
-    'utf8',
-  );
-  assert.match(s3Module, /ForgeonFilesS3StorageModule/);
-  assert.match(s3Module, /FORGEON_FILES_STORAGE_ADAPTER/);
-
-  const s3Adapter = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'files-s3', 'src', 's3-files-storage.adapter.ts'),
-    'utf8',
-  );
-  assert.match(s3Adapter, /readonly driver = 's3'/);
-  assert.match(s3Adapter, /@aws-sdk\/client-s3/);
-  assert.match(s3Adapter, /loadS3Module/);
-}
-
+function assertFilesWiring(projectRoot, expectedStorageDriver = 'local') {
+  const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
+  assert.match(appModule, /filesConfig/);
+  assert.match(appModule, /filesEnvSchema/);
+  assert.match(appModule, /ForgeonFilesModule\.register\(\{/);
+  assert.doesNotMatch(appModule, /ForgeonFilesDbPrismaModule/);
+  if (expectedStorageDriver === 's3') {
+    assert.match(appModule, /ForgeonFilesS3StorageModule/);
+    assert.doesNotMatch(appModule, /ForgeonFilesLocalStorageModule/);
+  } else {
+    assert.match(appModule, /ForgeonFilesLocalStorageModule/);
+  }
+
+  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
+  assert.match(apiPackage, /@forgeon\/files/);
+  assert.match(apiPackage, /pnpm --filter @forgeon\/files build/);
+
+  const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
+  assert.match(apiDockerfile, /COPY packages\/files\/package\.json packages\/files\/package\.json/);
+  assert.match(apiDockerfile, /COPY packages\/files packages\/files/);
+  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/files build/);
+
+  const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
+  assert.match(apiEnv, /FILES_ENABLED=true/);
+  assert.match(apiEnv, new RegExp('FILES_STORAGE_DRIVER=' + expectedStorageDriver));
+  assert.match(apiEnv, /FILES_PUBLIC_BASE_PATH=\/files/);
+  assert.match(apiEnv, /FILES_MAX_FILE_SIZE_BYTES=10485760/);
+  assert.match(apiEnv, /FILES_ALLOWED_MIME_PREFIXES=image\/,application\/pdf,text\//);
+
+  const healthController = fs.readFileSync(
+    path.join(projectRoot, 'apps', 'api', 'src', 'health', 'health.controller.ts'),
+    'utf8',
+  );
+  assert.match(healthController, /@Post\('files'\)/);
+  assert.match(healthController, /@Get\('files-variants'\)/);
+  assert.match(healthController, /filesService\.createProbeRecord/);
+  assert.match(healthController, /filesService\.getVariantsProbeStatus/);
+  assert.match(healthController, /filesService\.deleteByPublicId/);
+
+  const filesController = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files', 'src', 'files.controller.ts'),
+    'utf8',
+  );
+  assert.match(filesController, /@Query\('variant'\) variantQuery\?: string/);
+  assert.match(filesController, /parseVariant\(variantQuery\)/);
+  assert.match(filesController, /@Delete\(':publicId'\)/);
+
+  const filesService = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files', 'src', 'files.service.ts'),
+    'utf8',
+  );
+  assert.match(filesService, /FilesStore/);
+  assert.match(filesService, /FILES_STORAGE_ADAPTER/);
+  assert.match(filesService, /requireStorageAdapter/);
+  assert.match(filesService, /getOrCreateBlob/);
+  assert.match(filesService, /cleanupReferencedBlobs/);
+  assert.match(filesService, /isUniqueConstraintError/);
+  assert.match(filesService, /storageAdapter\.put/);
+  assert.match(filesService, /filesStore\.createBlob/);
+  assert.match(filesService, /filesStore\.deleteBlobIfUnreferenced/);
+  assert.doesNotMatch(filesService, /FILES_PERSISTENCE_PORT/);
+  assert.doesNotMatch(filesService, /PrismaService/);
+  assert.doesNotMatch(filesService, /@aws-sdk\/client-s3/);
+
+  const filesPorts = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files', 'src', 'files.ports.ts'),
+    'utf8',
+  );
+  assert.doesNotMatch(filesPorts, /FILES_PERSISTENCE_PORT/);
+  assert.doesNotMatch(filesPorts, /interface FilesPersistencePort/);
+  assert.match(filesPorts, /FILES_STORAGE_ADAPTER/);
+  assert.match(filesPorts, /interface FilesStorageAdapter/);
+
+  const filesStore = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files', 'src', 'files.store.ts'),
+    'utf8',
+  );
+  assert.match(filesStore, /PrismaService/);
+  assert.match(filesStore, /fileBlob\.deleteMany/);
+
+  const filesModule = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files', 'src', 'forgeon-files.module.ts'),
+    'utf8',
+  );
+  assert.match(filesModule, /ForgeonFilesModuleOptions/);
+  assert.match(filesModule, /static register\(options: ForgeonFilesModuleOptions = \{\}\)/);
+  assert.match(filesModule, /DbPrismaModule/);
+  assert.match(filesModule, /FilesStore/);
+  assert.doesNotMatch(filesModule, /FILES_PERSISTENCE_PORT/);
+
+  const filesPackage = fs.readFileSync(path.join(projectRoot, 'packages', 'files', 'package.json'), 'utf8');
+  assert.match(filesPackage, /@forgeon\/db-prisma/);
+
+  const prismaFilesDir = path.join(projectRoot, 'apps', 'api', 'src', 'files');
+  assert.equal(fs.existsSync(path.join(prismaFilesDir, 'prisma-files-persistence.store.ts')), false);
+  assert.equal(fs.existsSync(path.join(prismaFilesDir, 'forgeon-files-db-prisma.module.ts')), false);
+
+  assertWebProbeShell(projectRoot);
+  const probesTs = readWebProbes(projectRoot);
+  assert.match(probesTs, /"id": "files"/);
+  assert.match(probesTs, /"buttonLabel": "Check files probe \(create metadata\)"/);
+  assert.match(probesTs, /"resultTitle": "Files probe response"/);
+  assert.match(probesTs, /"id": "files-variants"/);
+  assert.match(probesTs, /"buttonLabel": "Check files variants capability"/);
+  assert.match(probesTs, /"resultTitle": "Files variants probe response"/);
+
+  const schema = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'prisma', 'schema.prisma'), 'utf8');
+  assert.match(schema, /model FileRecord \{/);
+  assert.match(schema, /variants\s+FileVariant\[\]/);
+  assert.match(schema, /model FileVariant \{/);
+  assert.match(schema, /model FileBlob \{/);
+  assert.match(schema, /blobId\s+String/);
+  assert.match(schema, /@@unique\(\[hash,\s*size,\s*mimeType,\s*storageDriver\]\)/);
+  assert.match(schema, /@@unique\(\[fileId,\s*variantKey\]\)/);
+  assert.match(schema, /publicId\s+String\s+@unique/);
+  assert.match(schema, /@@index\(\[ownerType,\s*ownerId,\s*createdAt\]\)/);
+
+  const migration = path.join(
+    projectRoot,
+    'apps',
+    'api',
+    'prisma',
+    'migrations',
+    '20260306_files_file_record',
+    'migration.sql',
+  );
+  assert.equal(fs.existsSync(migration), true);
+
+  const variantMigration = path.join(
+    projectRoot,
+    'apps',
+    'api',
+    'prisma',
+    'migrations',
+    '20260306_files_file_variant',
+    'migration.sql',
+  );
+  assert.equal(fs.existsSync(variantMigration), true);
+}
+
+function assertFilesLocalWiring(projectRoot) {
+  const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
+  assert.match(appModule, /filesLocalConfig/);
+  assert.match(appModule, /filesLocalEnvSchemaZod/);
+  assert.match(appModule, /FilesLocalConfigModule/);
+  assert.match(appModule, /ForgeonFilesLocalStorageModule/);
+
+  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
+  assert.match(apiPackage, /@forgeon\/files-local/);
+  assert.match(apiPackage, /pnpm --filter @forgeon\/files-local build/);
+
+  const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
+  assert.match(apiDockerfile, /COPY packages\/files-local\/package\.json packages\/files-local\/package\.json/);
+  assert.match(apiDockerfile, /COPY packages\/files-local packages\/files-local/);
+  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/files-local build/);
+
+  const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
+  assert.match(apiEnv, /FILES_LOCAL_ROOT=storage\/uploads/);
+
+  const localModule = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files-local', 'src', 'forgeon-files-local-storage.module.ts'),
+    'utf8',
+  );
+  assert.match(localModule, /ForgeonFilesLocalStorageModule/);
+  assert.match(localModule, /FORGEON_FILES_STORAGE_ADAPTER/);
+
+  const localAdapter = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files-local', 'src', 'local-files-storage.adapter.ts'),
+    'utf8',
+  );
+  assert.match(localAdapter, /readonly driver = 'local'/);
+  assert.match(localAdapter, /createReadStream/);
+  assert.match(localAdapter, /writeFile/);
+
+  const gitignore = fs.readFileSync(path.join(projectRoot, '.gitignore'), 'utf8');
+  assert.match(gitignore, /storage\//);
+
+  const compose = fs.readFileSync(path.join(projectRoot, 'infra', 'docker', 'compose.yml'), 'utf8');
+  assert.match(compose, /files_data:\/app\/storage/);
+  assert.match(compose, /^\s{2}files_data:\s*$/m);
+}
+
+function assertFilesS3Wiring(projectRoot) {
+  const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
+  assert.match(appModule, /filesS3Config/);
+  assert.match(appModule, /filesS3EnvSchemaZod/);
+  assert.match(appModule, /FilesS3ConfigModule/);
+  assert.match(appModule, /ForgeonFilesS3StorageModule/);
+
+  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
+  assert.match(apiPackage, /@forgeon\/files-s3/);
+  assert.match(apiPackage, /pnpm --filter @forgeon\/files-s3 build/);
+
+  const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
+  assert.match(apiDockerfile, /COPY packages\/files-s3\/package\.json packages\/files-s3\/package\.json/);
+  assert.match(apiDockerfile, /COPY packages\/files-s3 packages\/files-s3/);
+  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/files-s3 build/);
+
+  const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
+  assert.match(apiEnv, /FILES_STORAGE_DRIVER=s3/);
+  assert.match(apiEnv, /FILES_S3_PROVIDER_PRESET=minio/);
+  assert.match(apiEnv, /FILES_S3_BUCKET=forgeon-files/);
+  assert.match(apiEnv, /FILES_S3_REGION=/);
+  assert.match(apiEnv, /FILES_S3_ENDPOINT=/);
+  assert.match(apiEnv, /FILES_S3_FORCE_PATH_STYLE=/);
+  assert.match(apiEnv, /FILES_S3_MAX_ATTEMPTS=3/);
+
+  const compose = fs.readFileSync(path.join(projectRoot, 'infra', 'docker', 'compose.yml'), 'utf8');
+  assert.match(compose, /FILES_S3_PROVIDER_PRESET: \$\{FILES_S3_PROVIDER_PRESET\}/);
+  assert.match(compose, /FILES_S3_MAX_ATTEMPTS: \$\{FILES_S3_MAX_ATTEMPTS\}/);
+
+  const filesS3Package = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files-s3', 'package.json'),
+    'utf8',
+  );
+  assert.match(filesS3Package, /@aws-sdk\/client-s3/);
+
+  const s3Module = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files-s3', 'src', 'forgeon-files-s3-storage.module.ts'),
+    'utf8',
+  );
+  assert.match(s3Module, /ForgeonFilesS3StorageModule/);
+  assert.match(s3Module, /FORGEON_FILES_STORAGE_ADAPTER/);
+
+  const s3Adapter = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files-s3', 'src', 's3-files-storage.adapter.ts'),
+    'utf8',
+  );
+  assert.match(s3Adapter, /readonly driver = 's3'/);
+  assert.match(s3Adapter, /@aws-sdk\/client-s3/);
+  assert.match(s3Adapter, /loadS3Module/);
+}
+
 function assertFilesAccessWiring(projectRoot) {
   const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
   assert.match(appModule, /ForgeonFilesAccessModule/);
@@ -532,14 +532,14 @@ function assertFilesQuotasWiring(projectRoot) {
   assert.match(appModule, /filesQuotasEnvSchema/);
   assert.match(appModule, /ForgeonFilesQuotasModule/);
 
-  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
-  assert.match(apiPackage, /@forgeon\/files-quotas/);
-  assert.match(apiPackage, /pnpm --filter @forgeon\/files-quotas build/);
-  assert.equal(
-    apiPackage.indexOf('pnpm --filter @forgeon/files-quotas build') <
-      apiPackage.indexOf('pnpm --filter @forgeon/files build'),
-    true,
-  );
+  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
+  assert.match(apiPackage, /@forgeon\/files-quotas/);
+  assert.match(apiPackage, /pnpm --filter @forgeon\/files-quotas build/);
+  assert.equal(
+    apiPackage.indexOf('pnpm --filter @forgeon/files-quotas build') >
+      apiPackage.indexOf('pnpm --filter @forgeon/files build'),
+    true,
+  );
 
   const filesPackage = fs.readFileSync(path.join(projectRoot, 'packages', 'files', 'package.json'), 'utf8');
   assert.doesNotMatch(filesPackage, /@forgeon\/files-quotas/);
@@ -550,13 +550,13 @@ function assertFilesQuotasWiring(projectRoot) {
     apiDockerfile,
     /COPY packages\/files-quotas\/package\.json packages\/files-quotas\/package\.json/,
   );
-  assert.match(apiDockerfile, /COPY packages\/files-quotas packages\/files-quotas/);
-  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/files-quotas build/);
-  assert.equal(
-    apiDockerfile.indexOf('RUN pnpm --filter @forgeon/files-quotas build') <
-      apiDockerfile.indexOf('RUN pnpm --filter @forgeon/files build'),
-    true,
-  );
+  assert.match(apiDockerfile, /COPY packages\/files-quotas packages\/files-quotas/);
+  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/files-quotas build/);
+  assert.equal(
+    apiDockerfile.indexOf('RUN pnpm --filter @forgeon/files-quotas build') >
+      apiDockerfile.indexOf('RUN pnpm --filter @forgeon/files build'),
+    true,
+  );
 
   const filesController = fs.readFileSync(
     path.join(projectRoot, 'packages', 'files', 'src', 'files.controller.ts'),
@@ -617,19 +617,19 @@ function assertFilesImageWiring(projectRoot) {
   );
   assert.match(filesModule, /ForgeonFilesImageModule/);
 
-  const filesService = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'files', 'src', 'files.service.ts'),
-    'utf8',
-  );
-  assert.match(filesService, /FilesImageService/);
-  assert.match(filesService, /filesImageService\.sanitizeForStorage/);
-  assert.match(filesService, /sanitizeForStorage\({/);
-  assert.match(filesService, /auditContext: input\.auditContext/);
-  assert.equal(
-    (filesService.match(/protected normalizeFileName\(originalName: string, extension: string, suffix\?: string\): string \{/g) ?? [])
-      .length,
-    1,
-  );
+  const filesService = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'files', 'src', 'files.service.ts'),
+    'utf8',
+  );
+  assert.match(filesService, /FilesImageService/);
+  assert.match(filesService, /filesImageService\.sanitizeForStorage/);
+  assert.match(filesService, /sanitizeForStorage\({/);
+  assert.match(filesService, /auditContext: input\.auditContext/);
+  assert.equal(
+    (filesService.match(/protected normalizeFileName\(originalName: string, extension: string, suffix\?: string\): string \{/g) ?? [])
+      .length,
+    1,
+  );
 
   const filesController = fs.readFileSync(
     path.join(projectRoot, 'packages', 'files', 'src', 'files.controller.ts'),
@@ -709,108 +709,108 @@ function assertFilesImageWiring(projectRoot) {
   assert.match(readme, /metadata is stripped before storage/i);
 }
 
-function assertAccountsWiring(projectRoot) {
-  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
-  assert.match(apiPackage, /@forgeon\/accounts-api/);
-  assert.match(apiPackage, /@forgeon\/accounts-contracts/);
-  assert.match(apiPackage, /pnpm --filter @forgeon\/accounts-contracts build/);
-  assert.match(apiPackage, /pnpm --filter @forgeon\/accounts-api build/);
-
-  const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
-  assert.match(appModule, /authConfig/);
-  assert.match(appModule, /authEnvSchema/);
-  assert.match(appModule, /ForgeonAccountsModule\.register\(\{/);
-  assert.match(appModule, /UsersModule\.register\(\{\}\)/);
-  assert.doesNotMatch(appModule, /ACCOUNTS_PERSISTENCE_PORT/);
-  assert.doesNotMatch(appModule, /PrismaAccountsPersistenceStore/);
-  assert.doesNotMatch(appModule, /AUTH_REFRESH_TOKEN_STORE/);
-
-  const healthController = fs.readFileSync(
-    path.join(projectRoot, 'apps', 'api', 'src', 'health', 'health.controller.ts'),
-    'utf8',
-  );
-  assert.match(healthController, /@Get\('auth'\)/);
-  assert.match(healthController, /authService\.getProbeStatus/);
-  assert.match(healthController, /\$queryRaw/);
-  assert.doesNotMatch(healthController, /data:\s*\{\s*email\s*\}/);
-  assert.doesNotMatch(healthController, /,\s*,/);
-
-  assertWebProbeShell(projectRoot);
-  const probesTs = readWebProbes(projectRoot);
-  assert.match(probesTs, /"id": "auth"/);
-  assert.match(probesTs, /"buttonLabel": "Check accounts probe"/);
-  assert.match(probesTs, /"resultTitle": "Accounts probe response"/);
-
-  const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
-  assert.match(
-    apiDockerfile,
-    /COPY packages\/accounts-contracts\/package\.json packages\/accounts-contracts\/package\.json/,
-  );
-  assert.match(apiDockerfile, /COPY packages\/accounts-api\/package\.json packages\/accounts-api\/package\.json/);
-  assert.match(apiDockerfile, /COPY packages\/accounts-contracts packages\/accounts-contracts/);
-  assert.match(apiDockerfile, /COPY packages\/accounts-api packages\/accounts-api/);
-  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/accounts-contracts build/);
-  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/accounts-api build/);
-
-  const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
-  assert.match(apiEnv, /JWT_ACCESS_SECRET=/);
-  assert.match(apiEnv, /JWT_REFRESH_SECRET=/);
-  assert.match(apiEnv, /AUTH_ARGON2_MEMORY_COST=/);
-  assert.match(apiEnv, /AUTH_ARGON2_PARALLELISM=/);
-
-  const compose = fs.readFileSync(path.join(projectRoot, 'infra', 'docker', 'compose.yml'), 'utf8');
-  assert.match(compose, /JWT_ACCESS_SECRET: \$\{JWT_ACCESS_SECRET\}/);
-  assert.match(compose, /JWT_REFRESH_SECRET: \$\{JWT_REFRESH_SECRET\}/);
-  assert.match(compose, /AUTH_ARGON2_MEMORY_COST: \$\{AUTH_ARGON2_MEMORY_COST\}/);
-
-  const readme = fs.readFileSync(path.join(projectRoot, 'README.md'), 'utf8');
-  assert.match(readme, /## Accounts Module/);
-  assert.match(readme, /owner-scoped user routes/);
-  assert.match(readme, /AccountsEmailPort/);
-
-  const authServiceSource = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'accounts-api', 'src', 'auth.service.ts'),
-    'utf8',
-  );
-  assert.match(authServiceSource, /import type \{ RegisterRequest \} from '@forgeon\/accounts-contracts';/);
-
-  const authCoreSource = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'accounts-api', 'src', 'auth-core.service.ts'),
-    'utf8',
-  );
-  assert.match(authCoreSource, /AuthStore/);
-  assert.doesNotMatch(authCoreSource, /ACCOUNTS_PERSISTENCE_PORT/);
-
-  const accountsApiPackage = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'accounts-api', 'package.json'),
-    'utf8',
-  );
-  assert.match(accountsApiPackage, /@forgeon\/db-prisma/);
-
-  const authStoreSource = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'accounts-api', 'src', 'auth.store.ts'),
-    'utf8',
-  );
-  assert.match(authStoreSource, /PrismaService/);
-  assert.match(authStoreSource, /authRefreshToken\.updateMany/);
-
-  const usersStoreSource = fs.readFileSync(
-    path.join(projectRoot, 'packages', 'accounts-api', 'src', 'users.store.ts'),
-    'utf8',
-  );
-  assert.match(usersStoreSource, /PrismaService/);
-  assert.match(usersStoreSource, /userProfile\.upsert/);
-
-  const prismaStorePath = path.join(
-    projectRoot,
-    'apps',
-    'api',
-    'src',
-    'accounts',
-    'prisma-accounts-persistence.store.ts',
-  );
-  assert.equal(fs.existsSync(prismaStorePath), false);
-}
+function assertAccountsWiring(projectRoot) {
+  const apiPackage = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'package.json'), 'utf8');
+  assert.match(apiPackage, /@forgeon\/accounts-api/);
+  assert.match(apiPackage, /@forgeon\/accounts-contracts/);
+  assert.match(apiPackage, /pnpm --filter @forgeon\/accounts-contracts build/);
+  assert.match(apiPackage, /pnpm --filter @forgeon\/accounts-api build/);
+
+  const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
+  assert.match(appModule, /authConfig/);
+  assert.match(appModule, /authEnvSchema/);
+  assert.match(appModule, /ForgeonAccountsModule\.register\(\{/);
+  assert.match(appModule, /UsersModule\.register\(\{\}\)/);
+  assert.doesNotMatch(appModule, /ACCOUNTS_PERSISTENCE_PORT/);
+  assert.doesNotMatch(appModule, /PrismaAccountsPersistenceStore/);
+  assert.doesNotMatch(appModule, /AUTH_REFRESH_TOKEN_STORE/);
+
+  const healthController = fs.readFileSync(
+    path.join(projectRoot, 'apps', 'api', 'src', 'health', 'health.controller.ts'),
+    'utf8',
+  );
+  assert.match(healthController, /@Get\('auth'\)/);
+  assert.match(healthController, /authService\.getProbeStatus/);
+  assert.match(healthController, /\$queryRaw/);
+  assert.doesNotMatch(healthController, /data:\s*\{\s*email\s*\}/);
+  assert.doesNotMatch(healthController, /,\s*,/);
+
+  assertWebProbeShell(projectRoot);
+  const probesTs = readWebProbes(projectRoot);
+  assert.match(probesTs, /"id": "auth"/);
+  assert.match(probesTs, /"buttonLabel": "Check accounts probe"/);
+  assert.match(probesTs, /"resultTitle": "Accounts probe response"/);
+
+  const apiDockerfile = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'Dockerfile'), 'utf8');
+  assert.match(
+    apiDockerfile,
+    /COPY packages\/accounts-contracts\/package\.json packages\/accounts-contracts\/package\.json/,
+  );
+  assert.match(apiDockerfile, /COPY packages\/accounts-api\/package\.json packages\/accounts-api\/package\.json/);
+  assert.match(apiDockerfile, /COPY packages\/accounts-contracts packages\/accounts-contracts/);
+  assert.match(apiDockerfile, /COPY packages\/accounts-api packages\/accounts-api/);
+  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/accounts-contracts build/);
+  assert.match(apiDockerfile, /RUN pnpm --filter @forgeon\/accounts-api build/);
+
+  const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
+  assert.match(apiEnv, /JWT_ACCESS_SECRET=/);
+  assert.match(apiEnv, /JWT_REFRESH_SECRET=/);
+  assert.match(apiEnv, /AUTH_ARGON2_MEMORY_COST=/);
+  assert.match(apiEnv, /AUTH_ARGON2_PARALLELISM=/);
+
+  const compose = fs.readFileSync(path.join(projectRoot, 'infra', 'docker', 'compose.yml'), 'utf8');
+  assert.match(compose, /JWT_ACCESS_SECRET: \$\{JWT_ACCESS_SECRET\}/);
+  assert.match(compose, /JWT_REFRESH_SECRET: \$\{JWT_REFRESH_SECRET\}/);
+  assert.match(compose, /AUTH_ARGON2_MEMORY_COST: \$\{AUTH_ARGON2_MEMORY_COST\}/);
+
+  const readme = fs.readFileSync(path.join(projectRoot, 'README.md'), 'utf8');
+  assert.match(readme, /## Accounts Module/);
+  assert.match(readme, /owner-scoped user routes/);
+  assert.match(readme, /AccountsEmailPort/);
+
+  const authServiceSource = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'accounts-api', 'src', 'auth.service.ts'),
+    'utf8',
+  );
+  assert.match(authServiceSource, /import type \{ RegisterRequest \} from '@forgeon\/accounts-contracts';/);
+
+  const authCoreSource = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'accounts-api', 'src', 'auth-core.service.ts'),
+    'utf8',
+  );
+  assert.match(authCoreSource, /AuthStore/);
+  assert.doesNotMatch(authCoreSource, /ACCOUNTS_PERSISTENCE_PORT/);
+
+  const accountsApiPackage = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'accounts-api', 'package.json'),
+    'utf8',
+  );
+  assert.match(accountsApiPackage, /@forgeon\/db-prisma/);
+
+  const authStoreSource = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'accounts-api', 'src', 'auth.store.ts'),
+    'utf8',
+  );
+  assert.match(authStoreSource, /PrismaService/);
+  assert.match(authStoreSource, /authRefreshToken\.updateMany/);
+
+  const usersStoreSource = fs.readFileSync(
+    path.join(projectRoot, 'packages', 'accounts-api', 'src', 'users.store.ts'),
+    'utf8',
+  );
+  assert.match(usersStoreSource, /PrismaService/);
+  assert.match(usersStoreSource, /userProfile\.upsert/);
+
+  const prismaStorePath = path.join(
+    projectRoot,
+    'apps',
+    'api',
+    'src',
+    'accounts',
+    'prisma-accounts-persistence.store.ts',
+  );
+  assert.equal(fs.existsSync(prismaStorePath), false);
+}
 function stripDbPrismaArtifacts(projectRoot) {
   const dbPackageDir = path.join(projectRoot, 'packages', 'db-prisma');
   if (fs.existsSync(dbPackageDir)) {
@@ -1573,21 +1573,21 @@ describe('addModule', () => {
         packageRoot,
       });
 
-      const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
-      assert.match(apiEnv, /FILES_STORAGE_DRIVER=s3/);
-
-      const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
-      assert.match(appModule, /ForgeonFilesS3StorageModule/);
-      assert.doesNotMatch(appModule, /ForgeonFilesLocalStorageModule/);
-
-      const filesService = fs.readFileSync(
-        path.join(projectRoot, 'packages', 'files', 'src', 'files.service.ts'),
-        'utf8',
-      );
-      assert.doesNotMatch(filesService, /storeS3/);
-      assert.doesNotMatch(filesService, /openS3/);
-      assert.doesNotMatch(filesService, /deleteS3/);
-      assert.doesNotMatch(filesService, /@aws-sdk\/client-s3/);
+      const apiEnv = fs.readFileSync(path.join(projectRoot, 'apps', 'api', '.env.example'), 'utf8');
+      assert.match(apiEnv, /FILES_STORAGE_DRIVER=s3/);
+
+      const appModule = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'src', 'app.module.ts'), 'utf8');
+      assert.match(appModule, /ForgeonFilesS3StorageModule/);
+      assert.doesNotMatch(appModule, /ForgeonFilesLocalStorageModule/);
+
+      const filesService = fs.readFileSync(
+        path.join(projectRoot, 'packages', 'files', 'src', 'files.service.ts'),
+        'utf8',
+      );
+      assert.doesNotMatch(filesService, /storeS3/);
+      assert.doesNotMatch(filesService, /openS3/);
+      assert.doesNotMatch(filesService, /deleteS3/);
+      assert.doesNotMatch(filesService, /@aws-sdk\/client-s3/);
     } finally {
       fs.rmSync(targetRoot, { recursive: true, force: true });
     }
@@ -2197,178 +2197,178 @@ describe('addModule', () => {
     }
   });
 
-  it('applies accounts with db-prisma and wires the DB-backed runtime immediately', () => {
-    const targetRoot = mkTmp('forgeon-module-accounts-db-');
-    const projectRoot = path.join(targetRoot, 'demo-accounts-db');
-    const templateRoot = path.join(packageRoot, 'templates', 'base');
-
-    try {
-      scaffoldProject({
-        templateRoot,
-        packageRoot,
-        targetRoot: projectRoot,
-        projectName: 'demo-accounts-db',
-        frontend: 'react',
-        db: 'prisma',
-        dbPrismaEnabled: true,
-        i18nEnabled: true,
-        proxy: 'caddy',
-      });
-
-      const result = addModule({
-        moduleId: 'accounts',
-        targetRoot: projectRoot,
-        packageRoot,
-      });
-
-      assert.equal(result.applied, true);
-      assertAccountsWiring(projectRoot);
-
-      const schema = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'prisma', 'schema.prisma'), 'utf8');
-      assert.match(schema, /model UserProfile/);
-      assert.match(schema, /model UserSettings/);
-      assert.match(schema, /model AuthIdentity/);
-      assert.match(schema, /model AuthCredential/);
-      assert.match(schema, /model AuthRefreshToken/);
-      assert.doesNotMatch(schema, /roles\s+/i);
-      assert.doesNotMatch(schema, /permissions\s+/i);
-
-      const migrationPath = path.join(
-        projectRoot,
-        'apps',
-        'api',
-        'prisma',
-        'migrations',
-        '0002_accounts_core',
-        'migration.sql',
-      );
-      assert.equal(fs.existsSync(migrationPath), true);
-
-      const seedSource = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'prisma', 'seed.ts'), 'utf8');
-      assert.match(seedSource, /Prisma\.dmmf/);
-      assert.match(seedSource, /userFields\.has\('email'\)/);
-
-      const readme = fs.readFileSync(path.join(projectRoot, 'README.md'), 'utf8');
-      assert.match(readme, /POST \/api\/auth\/register/);
-      assert.match(readme, /POST \/api\/auth\/password-reset\/request/);
-      assert.match(readme, /\/api\/users\/:id\/settings/);
-
-      const moduleDoc = fs.readFileSync(result.docsPath, 'utf8');
-      assert.match(moduleDoc, /Status: implemented/);
-      assert.match(moduleDoc, /db-adapter/);
-      assert.match(moduleDoc, /owner-scoped/);
-    } finally {
-      fs.rmSync(targetRoot, { recursive: true, force: true });
-    }
-  });
-
-  it('detects and applies accounts-rbac compatibility sync explicitly', () => {
-    const targetRoot = mkTmp('forgeon-module-accounts-rbac-');
-    const projectRoot = path.join(targetRoot, 'demo-accounts-rbac');
-    const templateRoot = path.join(packageRoot, 'templates', 'base');
-
-    try {
-      scaffoldProject({
-        templateRoot,
-        packageRoot,
-        targetRoot: projectRoot,
-        projectName: 'demo-accounts-rbac',
-        frontend: 'react',
-        db: 'prisma',
-        dbPrismaEnabled: true,
-        i18nEnabled: false,
-        proxy: 'caddy',
-      });
-
-      addModule({
-        moduleId: 'rbac',
-        targetRoot: projectRoot,
-        packageRoot,
-      });
-      addModule({
-        moduleId: 'accounts',
-        targetRoot: projectRoot,
-        packageRoot,
-      });
-
-      const scan = scanIntegrations({
-        targetRoot: projectRoot,
-        relatedModuleId: 'accounts',
-      });
-      assert.equal(scan.groups.some((group) => group.id === 'accounts-rbac'), true);
-
-      const syncResult = syncIntegrations({
-        targetRoot: projectRoot,
-        packageRoot,
-        groupIds: ['accounts-rbac'],
-      });
-      const claimsPair = syncResult.summary.find((item) => item.id === 'accounts-rbac');
-      assert.ok(claimsPair);
-      assert.equal(claimsPair.result.applied, true);
-
-      const contracts = fs.readFileSync(
-        path.join(projectRoot, 'packages', 'accounts-contracts', 'src', 'index.ts'),
-        'utf8',
-      );
-      assert.match(contracts, /roles\?: string\[\];/);
-      assert.match(contracts, /permissions\?: string\[\];/);
-
-      const authTypes = fs.readFileSync(
-        path.join(projectRoot, 'packages', 'accounts-api', 'src', 'auth.types.ts'),
-        'utf8',
-      );
-      assert.match(authTypes, /roles\?: string\[\];/);
-      assert.match(authTypes, /permissions\?: string\[\];/);
-
-      const readme = fs.readFileSync(path.join(projectRoot, 'README.md'), 'utf8');
-      assert.match(readme, /forgeon:accounts:rbac:start/);
-      assert.match(readme, /base accounts schema remains free of roles and permissions/);
-    } finally {
-      fs.rmSync(targetRoot, { recursive: true, force: true });
-    }
-  });
-
-  it('scans accounts-rbac compatibility when accounts and rbac are both installed', () => {
-    const targetRoot = mkTmp('forgeon-module-accounts-rbac-scan-');
-    const projectRoot = path.join(targetRoot, 'demo-accounts-rbac-scan');
-    const templateRoot = path.join(packageRoot, 'templates', 'base');
-
-    try {
-      scaffoldProject({
-        templateRoot,
-        packageRoot,
-        targetRoot: projectRoot,
-        projectName: 'demo-accounts-rbac-scan',
-        frontend: 'react',
-        db: 'prisma',
-        dbPrismaEnabled: true,
-        i18nEnabled: false,
-        proxy: 'caddy',
-      });
-
-      addModule({
-        moduleId: 'accounts',
-        targetRoot: projectRoot,
-        packageRoot,
-      });
-      addModule({
-        moduleId: 'rbac',
-        targetRoot: projectRoot,
-        packageRoot,
-      });
-
-      const scan = scanIntegrations({
-        targetRoot: projectRoot,
-        relatedModuleId: 'rbac',
-      });
-      const compatibilityGroup = scan.groups.find((group) => group.id === 'accounts-rbac');
-
-      assert.ok(compatibilityGroup);
-      assert.deepEqual(compatibilityGroup.modules, ['accounts', 'rbac']);
-    } finally {
-      fs.rmSync(targetRoot, { recursive: true, force: true });
-    }
-  });
+  it('applies accounts with db-prisma and wires the DB-backed runtime immediately', () => {
+    const targetRoot = mkTmp('forgeon-module-accounts-db-');
+    const projectRoot = path.join(targetRoot, 'demo-accounts-db');
+    const templateRoot = path.join(packageRoot, 'templates', 'base');
+
+    try {
+      scaffoldProject({
+        templateRoot,
+        packageRoot,
+        targetRoot: projectRoot,
+        projectName: 'demo-accounts-db',
+        frontend: 'react',
+        db: 'prisma',
+        dbPrismaEnabled: true,
+        i18nEnabled: true,
+        proxy: 'caddy',
+      });
+
+      const result = addModule({
+        moduleId: 'accounts',
+        targetRoot: projectRoot,
+        packageRoot,
+      });
+
+      assert.equal(result.applied, true);
+      assertAccountsWiring(projectRoot);
+
+      const schema = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'prisma', 'schema.prisma'), 'utf8');
+      assert.match(schema, /model UserProfile/);
+      assert.match(schema, /model UserSettings/);
+      assert.match(schema, /model AuthIdentity/);
+      assert.match(schema, /model AuthCredential/);
+      assert.match(schema, /model AuthRefreshToken/);
+      assert.doesNotMatch(schema, /roles\s+/i);
+      assert.doesNotMatch(schema, /permissions\s+/i);
+
+      const migrationPath = path.join(
+        projectRoot,
+        'apps',
+        'api',
+        'prisma',
+        'migrations',
+        '0002_accounts_core',
+        'migration.sql',
+      );
+      assert.equal(fs.existsSync(migrationPath), true);
+
+      const seedSource = fs.readFileSync(path.join(projectRoot, 'apps', 'api', 'prisma', 'seed.ts'), 'utf8');
+      assert.match(seedSource, /Prisma\.dmmf/);
+      assert.match(seedSource, /userFields\.has\('email'\)/);
+
+      const readme = fs.readFileSync(path.join(projectRoot, 'README.md'), 'utf8');
+      assert.match(readme, /POST \/api\/auth\/register/);
+      assert.match(readme, /POST \/api\/auth\/password-reset\/request/);
+      assert.match(readme, /\/api\/users\/:id\/settings/);
+
+      const moduleDoc = fs.readFileSync(result.docsPath, 'utf8');
+      assert.match(moduleDoc, /Status: implemented/);
+      assert.match(moduleDoc, /db-adapter/);
+      assert.match(moduleDoc, /owner-scoped/);
+    } finally {
+      fs.rmSync(targetRoot, { recursive: true, force: true });
+    }
+  });
+
+  it('detects and applies accounts-rbac compatibility sync explicitly', () => {
+    const targetRoot = mkTmp('forgeon-module-accounts-rbac-');
+    const projectRoot = path.join(targetRoot, 'demo-accounts-rbac');
+    const templateRoot = path.join(packageRoot, 'templates', 'base');
+
+    try {
+      scaffoldProject({
+        templateRoot,
+        packageRoot,
+        targetRoot: projectRoot,
+        projectName: 'demo-accounts-rbac',
+        frontend: 'react',
+        db: 'prisma',
+        dbPrismaEnabled: true,
+        i18nEnabled: false,
+        proxy: 'caddy',
+      });
+
+      addModule({
+        moduleId: 'rbac',
+        targetRoot: projectRoot,
+        packageRoot,
+      });
+      addModule({
+        moduleId: 'accounts',
+        targetRoot: projectRoot,
+        packageRoot,
+      });
+
+      const scan = scanIntegrations({
+        targetRoot: projectRoot,
+        relatedModuleId: 'accounts',
+      });
+      assert.equal(scan.groups.some((group) => group.id === 'accounts-rbac'), true);
+
+      const syncResult = syncIntegrations({
+        targetRoot: projectRoot,
+        packageRoot,
+        groupIds: ['accounts-rbac'],
+      });
+      const claimsPair = syncResult.summary.find((item) => item.id === 'accounts-rbac');
+      assert.ok(claimsPair);
+      assert.equal(claimsPair.result.applied, true);
+
+      const contracts = fs.readFileSync(
+        path.join(projectRoot, 'packages', 'accounts-contracts', 'src', 'index.ts'),
+        'utf8',
+      );
+      assert.match(contracts, /roles\?: string\[\];/);
+      assert.match(contracts, /permissions\?: string\[\];/);
+
+      const authTypes = fs.readFileSync(
+        path.join(projectRoot, 'packages', 'accounts-api', 'src', 'auth.types.ts'),
+        'utf8',
+      );
+      assert.match(authTypes, /roles\?: string\[\];/);
+      assert.match(authTypes, /permissions\?: string\[\];/);
+
+      const readme = fs.readFileSync(path.join(projectRoot, 'README.md'), 'utf8');
+      assert.match(readme, /forgeon:accounts:rbac:start/);
+      assert.match(readme, /base accounts schema remains free of roles and permissions/);
+    } finally {
+      fs.rmSync(targetRoot, { recursive: true, force: true });
+    }
+  });
+
+  it('scans accounts-rbac compatibility when accounts and rbac are both installed', () => {
+    const targetRoot = mkTmp('forgeon-module-accounts-rbac-scan-');
+    const projectRoot = path.join(targetRoot, 'demo-accounts-rbac-scan');
+    const templateRoot = path.join(packageRoot, 'templates', 'base');
+
+    try {
+      scaffoldProject({
+        templateRoot,
+        packageRoot,
+        targetRoot: projectRoot,
+        projectName: 'demo-accounts-rbac-scan',
+        frontend: 'react',
+        db: 'prisma',
+        dbPrismaEnabled: true,
+        i18nEnabled: false,
+        proxy: 'caddy',
+      });
+
+      addModule({
+        moduleId: 'accounts',
+        targetRoot: projectRoot,
+        packageRoot,
+      });
+      addModule({
+        moduleId: 'rbac',
+        targetRoot: projectRoot,
+        packageRoot,
+      });
+
+      const scan = scanIntegrations({
+        targetRoot: projectRoot,
+        relatedModuleId: 'rbac',
+      });
+      const compatibilityGroup = scan.groups.find((group) => group.id === 'accounts-rbac');
+
+      assert.ok(compatibilityGroup);
+      assert.deepEqual(compatibilityGroup.modules, ['accounts', 'rbac']);
+    } finally {
+      fs.rmSync(targetRoot, { recursive: true, force: true });
+    }
+  });
   it('applies logger then accounts on db/i18n-disabled scaffold without breaking health controller syntax', () => {
     const targetRoot = mkTmp('forgeon-module-jwt-nodb-noi18n-');
     const projectRoot = path.join(targetRoot, 'demo-jwt-nodb-noi18n');