create-mantiq 0.7.0 → 0.7.2

package/stubs/shared/app/Http/Requests/RegisterRequest.ts.stub

@@ -0,0 +1,11 @@
+import { FormRequest } from '@mantiq/validation'
+
+export class RegisterRequest extends FormRequest {
+  override rules() {
+    return {
+      name: 'required|string|max:255',
+      email: 'required|email|max:255',
+      password: 'required|string|min:6',
+    }
+  }
+}

package/stubs/shared/app/Http/Requests/StoreUserRequest.ts.stub

@@ -0,0 +1,11 @@
+import { FormRequest } from '@mantiq/validation'
+
+export class StoreUserRequest extends FormRequest {
+  override rules() {
+    return {
+      name: 'required|string|max:255',
+      email: 'required|email|max:255',
+      password: 'required|string|min:6',
+    }
+  }
+}

package/stubs/shared/app/Http/Requests/UpdateUserRequest.ts.stub

@@ -0,0 +1,11 @@
+import { FormRequest } from '@mantiq/validation'
+
+export class UpdateUserRequest extends FormRequest {
+  override rules() {
+    return {
+      name: 'string|max:255',
+      email: 'email|max:255',
+      password: 'string|min:6',
+    }
+  }
+}

package/stubs/shared/config/app.ts.stub

@@ -0,0 +1,36 @@
+import { env } from '@mantiq/core'
+
+export default {
+
+  /*
+  |--------------------------------------------------------------------------
+  | Application Name
+  |--------------------------------------------------------------------------
+  */
+  name: env('APP_NAME', 'MantiqJS'),
+  env: env('APP_ENV', 'production'),
+  debug: env('APP_DEBUG', false),
+  key: env('APP_KEY', ''),
+  url: env('APP_URL', 'http://localhost:3000'),
+  port: Number(env('APP_PORT', '3000')),
+  basePath: import.meta.dir + '/..',
+
+  /*
+  |--------------------------------------------------------------------------
+  | Middleware Groups
+  |--------------------------------------------------------------------------
+  |
+  | Middleware groups are applied automatically based on the route file:
+  |   routes/web.ts → 'web' group (stateful: sessions, CSRF, cookies)
+  |   routes/api.ts → 'api' group (stateful: sessions, cookies — for SPA)
+  |
+  | The 'api' group includes sessions so the SPA can use cookie-based auth
+  | for API calls. CSRF is not included — the SPA sends the X-XSRF-TOKEN
+  | header instead (set by the web group on page load).
+  |
+  */
+  middlewareGroups: {
+    web: ['cors', 'encrypt.cookies', 'session', 'csrf'],
+    api: ['cors', 'encrypt.cookies', 'session', 'throttle'],
+  },
+}

package/stubs/shared/config/vite.ts.stub

@@ -0,0 +1,8 @@
+export default {
+  reactRefresh: {{REACT_REFRESH}},
+
+  ssr: {
+    entry: '{{SSR_ENTRY}}',
+    bundle: 'bootstrap/ssr/ssr.js',
+  },
+}

package/stubs/shared/database/factories/UserFactory.ts.stub

@@ -1,16 +1,14 @@
 import { Factory, Faker } from '@mantiq/database'
-import { HashManager } from '@mantiq/core'
 import { User } from '../../app/Models/User.ts'
 
 export class UserFactory extends Factory<User> {
   protected model = User
 
-  override async definition(faker: Faker): Promise<Record<string, any>> {
-    const hasher = new HashManager({ bcrypt: { rounds: 10 } })
+  override definition(index: number, fake: Faker): Record<string, any> {
     return {
-      name: faker.name(),
-      email: faker.email(),
-      password: await hasher.make('password'),
+      name: fake.name(),
+      email: fake.email(),
+      password: 'password',
     }
   }
 }

package/stubs/shared/routes/api.ts.stub

@@ -1,106 +1,16 @@
 import type { Router } from '@mantiq/core'
-import { MantiqResponse, HashManager } from '@mantiq/core'
-import { User } from '../app/Models/User.ts'
+import { json } from '@mantiq/core'
+import { UserController } from '../app/Http/Controllers/UserController.ts'
+import { StoreUserRequest } from '../app/Http/Requests/StoreUserRequest.ts'
+import { UpdateUserRequest } from '../app/Http/Requests/UpdateUserRequest.ts'
 
 export default function (router: Router) {
-  router.get('/api/ping', () => {
-    return MantiqResponse.json({ status: 'ok', timestamp: new Date().toISOString() })
-  })
-
-  // Users CRUD — server-side search + pagination
-  router.get('/api/users', async (request: any) => {
-    const search = request.query('search') ?? ''
-    const page = Math.max(1, Number(request.query('page') ?? 1))
-    const perPage = Math.min(100, Math.max(1, Number(request.query('per_page') ?? 10)))
-    const sortBy = request.query('sort') ?? 'created_at'
-    const sortDir = request.query('dir') === 'asc' ? 'asc' : 'desc'
-
-    let query = User.query()
-
-    if (search) {
-      query = query.where('name', 'LIKE', `%${search}%`)
-        .orWhere('email', 'LIKE', `%${search}%`) as any
-    }
-
-    const total = await (User.query() as any).count() as number
-    const filteredQuery = search
-      ? User.query().where('name', 'LIKE', `%${search}%`).orWhere('email', 'LIKE', `%${search}%`) as any
-      : User.query()
-
-    const filteredTotal = await filteredQuery.count() as number
-
-    const users = search
-      ? await User.query()
-          .where('name', 'LIKE', `%${search}%`)
-          .orWhere('email', 'LIKE', `%${search}%`)
-          .orderBy(sortBy, sortDir)
-          .limit(perPage)
-          .offset((page - 1) * perPage)
-          .get() as any[]
-      : await User.query()
-          .orderBy(sortBy, sortDir)
-          .limit(perPage)
-          .offset((page - 1) * perPage)
-          .get() as any[]
-
-    return MantiqResponse.json({
-      data: users.map((u: any) => u.toObject()),
-      meta: {
-        total,
-        filtered_total: filteredTotal,
-        page,
-        per_page: perPage,
-        last_page: Math.ceil(filteredTotal / perPage),
-      },
-    })
-  }).middleware('auth')
-
-  router.post('/api/users', async (request: any) => {
-    const body = await request.input()
-    if (!body?.name || !body?.email || !body?.password) {
-      return MantiqResponse.json({ error: 'Name, email and password are required.' }, 422)
-    }
-
-    // Check duplicate
-    const existing = await User.where('email', body.email).first()
-    if (existing) {
-      return MantiqResponse.json({ error: 'Email already exists.' }, 422)
-    }
-
-    const hasher = new HashManager({ bcrypt: { rounds: 10 } })
-    const user = await User.create({
-      name: body.name,
-      email: body.email,
-      password: await hasher.make(body.password),
-    })
-
-    return MantiqResponse.json({ data: user.toObject() }, 201)
-  }).middleware('auth')
-
-  router.put('/api/users/:id', async (request: any) => {
-    const id = request.param('id')
-    const body = await request.input()
-    const user = await User.find(Number(id))
-    if (!user) return MantiqResponse.json({ error: 'User not found.' }, 404)
-
-    if (body.name) user.setAttribute('name', body.name)
-    if (body.email) user.setAttribute('email', body.email)
-
-    if (body.password) {
-      const hasher = new HashManager({ bcrypt: { rounds: 10 } })
-      user.setAttribute('password', await hasher.make(body.password))
-    }
-
-    await user.save()
-    return MantiqResponse.json({ data: user.toObject() })
-  }).middleware('auth')
-
-  router.delete('/api/users/:id', async (request: any) => {
-    const id = request.param('id')
-    const user = await User.find(Number(id))
-    if (!user) return MantiqResponse.json({ error: 'User not found.' }, 404)
-
-    await user.delete()
-    return MantiqResponse.json({ success: true })
-  }).middleware('auth')
+  // Public
+  router.get('/ping', () => json({ status: 'ok', timestamp: new Date().toISOString() }))
+
+  // Protected — FormRequest auto-validates before controller runs
+  router.get('/users', [UserController, 'index']).middleware('auth')
+  router.post('/users', [UserController, 'store', StoreUserRequest]).middleware('auth')
+  router.put('/users/:id', [UserController, 'update', UpdateUserRequest]).middleware('auth')
+  router.delete('/users/:id', [UserController, 'destroy']).middleware('auth')
 }

package/stubs/shared/routes/web.ts.stub

@@ -2,6 +2,8 @@ import type { Router } from '@mantiq/core'
 import { HomeController } from '../app/Http/Controllers/HomeController.ts'
 import { PageController } from '../app/Http/Controllers/PageController.ts'
 import { AuthController } from '../app/Http/Controllers/AuthController.ts'
+import { RegisterRequest } from '../app/Http/Requests/RegisterRequest.ts'
+import { LoginRequest } from '../app/Http/Requests/LoginRequest.ts'
 
 export default function (router: Router) {
   router.get('/', [HomeController, 'index'])
@@ -16,8 +18,8 @@ export default function (router: Router) {
   router.get('/account/security', [PageController, 'security']).middleware('auth')
   router.get('/account/preferences', [PageController, 'preferences']).middleware('auth')
 
-  // Auth actions
-  router.post('/login', [AuthController, 'login'])
-  router.post('/register', [AuthController, 'register'])
+  // Auth actions — FormRequest auto-validates before controller runs
+  router.post('/login', [AuthController, 'login', LoginRequest])
+  router.post('/register', [AuthController, 'register', RegisterRequest])
   router.post('/logout', [AuthController, 'logout']).middleware('auth')
 }

package/stubs/shared/tests/feature/auth.test.ts.stub

@@ -0,0 +1,69 @@
+import { describe, test, beforeAll } from 'bun:test'
+import { TestCase } from '@mantiq/testing'
+
+const t = new TestCase()
+t.refreshDatabase = true
+t.setup()
+
+const user = {
+  name: 'Test User',
+  email: 'test@example.com',
+  password: 'password123',
+}
+
+describe('Authentication', () => {
+  test('can register a new user', async () => {
+    await t.client.initSession()
+    const res = await t.client.post('/register', user)
+    res.assertCreated()
+    await res.assertJson({ message: 'Registered.' })
+    await res.assertJsonMissingKey('password')
+    await t.assertDatabaseHas('users', { email: user.email })
+  })
+
+  test('cannot register with duplicate email', async () => {
+    await t.client.initSession()
+    await t.client.post('/register', user)
+    const res = await t.client.post('/register', user)
+    res.assertUnprocessable()
+  })
+
+  test('can login with valid credentials', async () => {
+    await t.client.initSession()
+    await t.client.post('/register', user)
+    t.client.flushCookies()
+
+    await t.client.initSession()
+    const res = await t.client.post('/login', {
+      email: user.email,
+      password: user.password,
+    })
+    res.assertOk()
+    await res.assertJson({ message: 'Logged in.' })
+  })
+
+  test('cannot login with wrong password', async () => {
+    await t.client.initSession()
+    await t.client.post('/register', user)
+    t.client.flushCookies()
+
+    await t.client.initSession()
+    const res = await t.client.post('/login', {
+      email: user.email,
+      password: 'wrong',
+    })
+    res.assertUnauthorized()
+  })
+
+  test('can logout', async () => {
+    await t.client.initSession()
+    await t.client.post('/register', user)
+    const logoutRes = await t.client.post('/logout')
+    logoutRes.assertOk()
+  })
+
+  test('protected routes require authentication', async () => {
+    const res = await t.client.get('/api/users')
+    res.assertUnauthorized()
+  })
+})

package/stubs/shared/tests/feature/users.test.ts.stub

@@ -0,0 +1,90 @@
+import { describe, test, expect } from 'bun:test'
+import { TestCase } from '@mantiq/testing'
+
+const t = new TestCase()
+t.refreshDatabase = true
+t.setup()
+
+const admin = {
+  name: 'Admin',
+  email: 'admin@example.com',
+  password: 'password123',
+}
+
+/** Register and login before CRUD tests. */
+async function login() {
+  await t.client.initSession()
+  await t.client.post('/register', admin)
+}
+
+describe('Users CRUD', () => {
+  test('can list users', async () => {
+    await login()
+    const res = await t.client.get('/api/users')
+    res.assertOk()
+    await res.assertJsonHasKey('data', 'meta')
+    await res.assertJsonPath('meta.page', 1)
+  })
+
+  test('can create a user', async () => {
+    await login()
+    const res = await t.client.post('/api/users', {
+      name: 'New User',
+      email: 'new@example.com',
+      password: 'secret123',
+    })
+    res.assertCreated()
+    await res.assertJsonPath('data.name', 'New User')
+    await res.assertJsonPath('data.email', 'new@example.com')
+    await t.assertDatabaseHas('users', { email: 'new@example.com' })
+  })
+
+  test('cannot create user with missing fields', async () => {
+    await login()
+    const res = await t.client.post('/api/users', { name: 'No Email' })
+    res.assertUnprocessable()
+  })
+
+  test('can update a user', async () => {
+    await login()
+    const createRes = await t.client.post('/api/users', {
+      name: 'Update Me',
+      email: 'update@example.com',
+      password: 'secret123',
+    })
+    const userId = (await createRes.json()).data.id
+
+    const res = await t.client.put(`/api/users/${userId}`, { name: 'Updated' })
+    res.assertOk()
+    await res.assertJsonPath('data.name', 'Updated')
+  })
+
+  test('can delete a user', async () => {
+    await login()
+    const createRes = await t.client.post('/api/users', {
+      name: 'Delete Me',
+      email: 'delete@example.com',
+      password: 'secret123',
+    })
+    const userId = (await createRes.json()).data.id
+
+    const res = await t.client.delete(`/api/users/${userId}`)
+    res.assertOk()
+    await t.assertDatabaseMissing('users', { email: 'delete@example.com' })
+  })
+
+  test('can search users', async () => {
+    await login()
+    const res = await t.client.get('/api/users?search=Admin')
+    res.assertOk()
+    const data = await res.json()
+    expect(data.data.length).toBeGreaterThan(0)
+  })
+
+  test('can paginate users', async () => {
+    await login()
+    const res = await t.client.get('/api/users?page=1&per_page=1')
+    res.assertOk()
+    await res.assertJsonPath('meta.per_page', 1)
+  })
+})

package/stubs/svelte/src/App.svelte.stub

@@ -9,7 +9,7 @@
     initialData?: Record<string, any>
   } = $props()
 
-  const windowData = typeof window !== 'undefined' ? (window as any).__MANTIQ_DATA__ : {}
+  const windowData = typeof window !== 'undefined' ? (window as Record<string, any>).__MANTIQ_DATA__ ?? {} : {}
   const bootstrapData = (() => initialData ?? windowData)()
 
   let currentPage = $state<string>(bootstrapData._page ?? 'Login')

package/stubs/svelte/src/lib/api.ts.stub

@@ -1,17 +1,41 @@
-export async function api<T = any>(url: string, opts: RequestInit = {}): Promise<{ ok: boolean; status: number; data: T }> {
-  const res = await fetch(url, { ...opts, headers: { Accept: 'application/json', ...opts.headers } })
+function getCookie(name: string): string | null {
+  const match = document.cookie.match(new RegExp(`(?:^|;\\s*)${name}=([^;]*)`))
+  return match ? decodeURIComponent(match[1]!) : null
+}
+
+type ApiResult<T> = { ok: true; status: number; data: T } | { ok: false; status: number; data: any }
+
+export async function api<T = any>(url: string, opts: RequestInit = {}): Promise<ApiResult<T>> {
+  const headers: Record<string, string> = { Accept: 'application/json', ...(opts.headers as Record<string, string>) }
+
+  // Attach XSRF token for CSRF protection on mutating requests
+  if (opts.method && !['GET', 'HEAD', 'OPTIONS'].includes(opts.method)) {
+    const xsrf = getCookie('XSRF-TOKEN')
+    if (xsrf) headers['X-XSRF-TOKEN'] = xsrf
+  }
+
+  const res = await fetch(url, { ...opts, credentials: 'same-origin', headers })
 
   // Session expired — redirect to login
   if (res.status === 401 || res.status === 419) {
     window.location.href = '/login'
-    return { ok: false, status: res.status, data: null as any }
+    return { ok: false, status: res.status, data: null }
   }
 
   const ct = res.headers.get('content-type') ?? ''
   const data = ct.includes('json') ? await res.json() : null
-  return { ok: res.ok, status: res.status, data }
+  if (!res.ok) return { ok: false, status: res.status, data }
+  return { ok: true, status: res.status, data }
+}
+
+export function post<T = any>(url: string, body: object) {
+  return api<T>(url, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) })
+}
+
+export function put<T = any>(url: string, body: object) {
+  return api<T>(url, { method: 'PUT', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) })
 }
 
-export function post(url: string, body: object) {
-  return api(url, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) })
+export function del<T = any>(url: string) {
+  return api<T>(url, { method: 'DELETE' })
 }

package/stubs/svelte/src/main.ts.stub

@@ -1,10 +1,12 @@
+declare global { interface Window { __MANTIQ_DATA__?: Record<string, any> } }
+
 import './style.css'
 import { mount } from 'svelte'
 import App from './App.svelte'
 import { pages } from './pages.ts'
 
 const target = document.getElementById('app')!
-const data = (window as any).__MANTIQ_DATA__ ?? {}
+const data = window.__MANTIQ_DATA__ ?? {}
 
 // Clear SSR content and mount fresh — avoids hydration mismatches
 // with shadcn-svelte sidebar components

package/stubs/svelte/src/pages/Login.svelte.stub

@@ -13,8 +13,8 @@
     [key: string]: any
   } = $props()
 
-  let email = $state('admin@example.com')
-  let password = $state('password')
+  let email = $state('')
+  let password = $state('')
   let error = $state('')
   let loading = $state(false)
 
@@ -82,7 +82,7 @@
             type="email"
             bind:value={email}
             required
-            placeholder="admin@example.com"
+            placeholder="you@example.com"
             autocomplete="email"
           />
         </div>

package/stubs/svelte/vite.config.ts.stub

@@ -2,9 +2,28 @@ import { defineConfig } from 'vite'
 import { svelte } from '@sveltejs/vite-plugin-svelte'
 import tailwindcss from '@tailwindcss/vite'
 import path from 'path'
+import { writeFileSync, unlinkSync } from 'node:fs'
 
 export default defineConfig({
-  plugins: [svelte(), tailwindcss()],
+  plugins: [
+    svelte(),
+    tailwindcss(),
+    {
+      name: 'mantiq-hot',
+      configureServer(server) {
+        const hotPath = path.resolve(__dirname, 'public/hot')
+        server.httpServer?.once('listening', () => {
+          const addr = server.httpServer!.address()
+          const url = typeof addr === 'string' ? addr : `http://localhost:${addr?.port}`
+          writeFileSync(hotPath, url)
+        })
+        const cleanup = () => { try { unlinkSync(hotPath) } catch {} }
+        process.on('exit', cleanup)
+        process.on('SIGINT', () => { cleanup(); process.exit() })
+        process.on('SIGTERM', () => { cleanup(); process.exit() })
+      },
+    },
+  ],
   publicDir: false,
   resolve: {
     alias: {

package/stubs/tailwind-only/react/src/components/layout/app-sidebar.tsx.stub

@@ -0,0 +1,68 @@
+import { cn } from '@/lib/utils'
+import { NavGroup } from './nav-group'
+import { NavUser, type NavUserProps } from './nav-user'
+import { sidebarData } from './sidebar-data'
+
+export interface AppSidebarProps {
+  user: NavUserProps['user']
+  appName: string
+  activePath: string
+  navigate: (href: string) => void
+  onLogout: () => void
+  collapsed?: boolean
+}
+
+export function AppSidebar({
+  user,
+  appName,
+  activePath,
+  navigate,
+  onLogout,
+  collapsed,
+}: AppSidebarProps) {
+  return (
+    <aside
+      className={cn(
+        'flex h-screen flex-col border-r border-gray-200 bg-gray-50 transition-[width] duration-200 dark:border-gray-800 dark:bg-gray-900',
+        collapsed ? 'w-16' : 'w-64',
+      )}
+    >
+      {/* Header */}
+      <div className="flex h-14 items-center gap-2 border-b border-gray-200 px-4 dark:border-gray-800">
+        <button
+          type="button"
+          onClick={() => navigate('/dashboard')}
+          className="flex items-center gap-2"
+        >
+          <div className="flex h-8 w-8 shrink-0 items-center justify-center rounded-lg bg-emerald-600 text-xs font-bold text-white">
+            M
+          </div>
+          {!collapsed && (
+            <div className="grid text-left text-sm leading-tight">
+              <span className="truncate font-semibold text-gray-900 dark:text-gray-50">{appName}</span>
+              <span className="truncate text-xs text-gray-500 dark:text-gray-400">Admin Panel</span>
+            </div>
+          )}
+        </button>
+      </div>
+
+      {/* Navigation */}
+      <nav className="flex-1 overflow-y-auto py-2">
+        {sidebarData.map((group) => (
+          <NavGroup
+            key={group.title}
+            group={group}
+            activePath={activePath}
+            navigate={navigate}
+            collapsed={collapsed}
+          />
+        ))}
+      </nav>
+
+      {/* User footer */}
+      <div className="border-t border-gray-200 dark:border-gray-800">
+        <NavUser user={user} navigate={navigate} onLogout={onLogout} collapsed={collapsed} />
+      </div>
+    </aside>
+  )
+}

package/stubs/tailwind-only/react/src/components/layout/authenticated-layout.tsx.stub

@@ -0,0 +1,57 @@
+import { useState, useCallback, createContext, useContext } from 'react'
+import { post } from '@/lib/api'
+import { AppSidebar } from './app-sidebar'
+
+const SidebarContext = createContext<{ toggle: () => void }>({ toggle: () => {} })
+
+export function useSidebarToggle() {
+  return useContext(SidebarContext)
+}
+
+interface AuthenticatedLayoutProps {
+  children: React.ReactNode
+  currentUser?: { name: string; email: string; role?: string } | null
+  appName?: string
+  navigate: (href: string) => void
+  activePath: string
+}
+
+export function AuthenticatedLayout({
+  children,
+  currentUser,
+  appName = 'Mantiq',
+  navigate,
+  activePath,
+}: AuthenticatedLayoutProps) {
+  const [collapsed, setCollapsed] = useState(false)
+
+  const handleLogout = useCallback(async () => {
+    await post('/logout', {})
+    navigate('/login')
+  }, [navigate])
+
+  const user = currentUser ?? { name: 'User', email: 'user@example.com' }
+
+  return (
+    <SidebarContext.Provider value={{ toggle: () => setCollapsed((c) => !c) }}>
+      <div className="flex min-h-screen">
+        {/* Sidebar — hidden on mobile, visible on md+ */}
+        <div className="hidden md:block">
+          <AppSidebar
+            user={user}
+            appName={appName}
+            activePath={activePath}
+            navigate={navigate}
+            onLogout={handleLogout}
+            collapsed={collapsed}
+          />
+        </div>
+
+        {/* Main content */}
+        <div className="flex flex-1 flex-col">
+          {children}
+        </div>
+      </div>
+    </SidebarContext.Provider>
+  )
+}