create-nuxt-base 2.5.2 → 2.6.0

package/CHANGELOG.md

@@ -2,28 +2,34 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.6.0](https://github.com/lenneTech/nuxt-base-starter/compare/v2.5.3...v2.6.0) (2026-04-17)
+
+
+### Features
+
+* **template:** harden check script with server-start verification and document vendor-mode workflow ([6521650](https://github.com/lenneTech/nuxt-base-starter/commit/65216500261c846a87c66f0cb7a1170a3d0ed2b9))
+
+### [2.5.3](https://github.com/lenneTech/nuxt-base-starter/compare/v2.5.2...v2.5.3) (2026-04-06)
+
 ### [2.5.2](https://github.com/lenneTech/nuxt-base-starter/compare/v2.5.1...v2.5.2) (2026-04-04)
 
 ### [2.5.1](https://github.com/lenneTech/nuxt-base-starter/compare/v2.5.0...v2.5.1) (2026-03-16)
 
-
 ### Bug Fixes
 
-* prevent build-time baked API URLs by defaulting to empty strings resolved at runtimeOC ([e577648](https://github.com/lenneTech/nuxt-base-starter/commit/e577648a287e18a76c72564d68bacc277b04a500))
+- prevent build-time baked API URLs by defaulting to empty strings resolved at runtimeOC ([e577648](https://github.com/lenneTech/nuxt-base-starter/commit/e577648a287e18a76c72564d68bacc277b04a500))
 
 ## [2.5.0](https://github.com/lenneTech/nuxt-base-starter/compare/v2.3.1...v2.5.0) (2026-03-16)
 
-
 ### Features
 
-* add production default dockerfile ([e338c93](https://github.com/lenneTech/nuxt-base-starter/commit/e338c9363a348c1a63d40a71301240c8e8478835))
+- add production default dockerfile ([e338c93](https://github.com/lenneTech/nuxt-base-starter/commit/e338c9363a348c1a63d40a71301240c8e8478835))
 
 ## [2.4.0](https://github.com/lenneTech/nuxt-base-starter/compare/v2.3.1...v2.4.0) (2026-03-16)
 
-
 ### Features
 
-* add production default dockerfile ([e338c93](https://github.com/lenneTech/nuxt-base-starter/commit/e338c9363a348c1a63d40a71301240c8e8478835))
+- add production default dockerfile ([e338c93](https://github.com/lenneTech/nuxt-base-starter/commit/e338c9363a348c1a63d40a71301240c8e8478835))
 
 ### [2.3.1](https://github.com/lenneTech/nuxt-base-starter/compare/v2.3.0...v2.3.1) (2026-03-15)
 

package/nuxt-base-template/CLAUDE.md

@@ -58,9 +58,51 @@ pnpm run check        # Full quality check (audit + format + lint + types + test
 
 ## Framework: @lenne.tech/nuxt-extensions
 
-This project depends on `@lenne.tech/nuxt-extensions`. The framework source is available in `node_modules/@lenne.tech/nuxt-extensions/` and **MUST** be read when using or debugging framework features.
-
-### Key Source Files (in node_modules/@lenne.tech/nuxt-extensions/)
+This project consumes the framework in one of two modes:
+
+- **npm mode (default):** `@lenne.tech/nuxt-extensions` is installed as
+  an npm dependency; framework source lives in
+  `node_modules/@lenne.tech/nuxt-extensions/`. Registered in
+  `nuxt.config.ts` via the module string `'@lenne.tech/nuxt-extensions'`.
+- **vendor mode:** framework source is copied directly into
+  `app/core/` as first-class project code. No
+  `@lenne.tech/nuxt-extensions` npm dependency. Baseline + patch log
+  live in `app/core/VENDOR.md`. Updated via
+  `/lt-dev:frontend:update-nuxt-extensions-core`. Detect via:
+  `test -f app/core/VENDOR.md`.
+
+**ALWAYS read the actual framework source** before guessing behavior —
+in npm mode from `node_modules/@lenne.tech/nuxt-extensions/`, in
+vendor mode directly from `app/core/`.
+
+### Vendor Modification Policy
+
+When this project is in vendor mode, the copy in `app/core/` exists
+so Claude Code can read framework internals directly — it is a
+**comprehension aid**, not a fork. Only edit `app/core/` when the
+change is **generally useful to every nuxt-extensions consumer**:
+
+- Bugfixes that apply to every consumer
+- Broad framework enhancements (new composables, better defaults,
+  SSR fixes)
+- Security vulnerability fixes
+- Type/config compatibility fixes every consumer would hit
+
+**Everything else stays out of `app/core/`.** Project-specific
+business rules, customer branding, and proprietary integrations
+belong in project code (`app/composables/`, `app/components/`,
+`app/middleware/`, plugin overrides).
+
+**Generally-useful changes MUST be submitted as an upstream PR** to
+`github.com/lenneTech/nuxt-extensions`. Run
+`/lt-dev:frontend:contribute-nuxt-extensions-core` to prepare the PR
+— the agent filters cosmetic commits, categorizes each local change
+as upstream-candidate vs. project-specific, and writes PR drafts for
+human review. Letting useful fixes rot in a single project's vendor
+tree is an anti-pattern: they belong upstream so every consumer
+benefits and the local patch disappears on the next sync.
+
+### Key Source Files (in node_modules/@lenne.tech/nuxt-extensions/ — npm mode; replace prefix with app/core/ in vendor mode)
 
 | File                        | Purpose                                                    |
 | --------------------------- | ---------------------------------------------------------- |
@@ -75,11 +117,18 @@ This project depends on `@lenne.tech/nuxt-extensions`. The framework source is a
 
 ### Rules
 
-1. **ALWAYS read actual source code** from `node_modules/@lenne.tech/nuxt-extensions/` before guessing framework behavior
+1. **ALWAYS read actual source code** before guessing framework behavior — from `node_modules/@lenne.tech/nuxt-extensions/` in npm mode, or from `app/core/` in vendor mode
 2. **NEVER re-implement** functionality that nuxt-extensions already provides — check composables first
 3. **Use `useBetterAuth()`** for authentication — never implement auth manually
 4. **When debugging auth issues**, read the auth proxy server route and middleware source
-5. **Check `dist/runtime/composables/`** before creating new composables — may already exist
+5. **Check runtime composables** before creating new composables — may already exist
+6. **In vendor mode**, only edit `app/core/` for generally-useful changes and submit them upstream via `/lt-dev:frontend:contribute-nuxt-extensions-core`. Project-specific code belongs outside `app/core/`.
+
+## Authentication
+
+Auth is managed by `@lenne.tech/nuxt-extensions` via `useLtAuth()`. See the [nuxt-extensions CLAUDE.md](https://github.com/lenneTech/nuxt-extensions) for detailed auth cookie rules.
+
+Key rule: Never manually write to the `lt-auth-state` cookie from custom middleware. Use `useLtAuth().setUser()` / `clearUser()` exclusively.
 
 ## Security Overrides (pnpm)
 

package/nuxt-base-template/package.json

@@ -11,9 +11,9 @@
   },
   "scripts": {
     "c": "pnpm run check",
-    "check": "pnpm audit && pnpm run format:check && pnpm run lint && pnpm test && pnpm run build && pnpm start",
-    "check:fix": "pnpm install && pnpm audit --fix && pnpm run format && pnpm run lint:fix && pnpm test && pnpm run build && pnpm start",
-    "check:naf": "pnpm install && pnpm run format && pnpm run lint:fix && pnpm test && pnpm run build && pnpm start",
+    "check": "pnpm audit && pnpm run format:check && pnpm run lint && pnpm test && pnpm run build && bash scripts/check-server-start.sh",
+    "check:fix": "pnpm install && pnpm audit --fix && pnpm run format && pnpm run lint:fix && pnpm test && pnpm run build && bash scripts/check-server-start.sh",
+    "check:naf": "pnpm install && pnpm run format && pnpm run lint:fix && pnpm test && pnpm run build && bash scripts/check-server-start.sh",
     "cf": "pnpm run check:fix",
     "cnaf": "pnpm run check:naf",
     "init": "pnpm install",
@@ -50,7 +50,7 @@
   "dependencies": {
     "@better-auth/passkey": "1.5.6",
     "@lenne.tech/bug.lt": "latest",
-    "@lenne.tech/nuxt-extensions": "1.5.2",
+    "@lenne.tech/nuxt-extensions": "1.5.3",
     "@nuxt/image": "2.0.0",
     "@nuxt/ui": "4.6.1",
     "@pinia/nuxt": "0.11.3",
@@ -61,7 +61,6 @@
     "valibot": "1.3.1"
   },
   "devDependencies": {
-    "@hey-api/client-fetch": "0.13.1",
     "@hey-api/openapi-ts": "0.95.0",
     "@iconify-json/lucide": "1.2.101",
     "@nuxt/devtools": "3.2.4",

package/nuxt-base-template/pnpm-lock.yaml

@@ -40,8 +40,8 @@ importers:
         specifier: latest
         version: 1.6.5(@babel/parser@7.29.2)(crossws@0.3.5)(db0@0.3.4(@electric-sql/pglite@0.3.15)(drizzle-orm@0.45.1(@electric-sql/pglite@0.3.15)(@opentelemetry/api@1.9.1)(@prisma/client@7.4.2(prisma@7.4.2(@types/react@19.2.14)(magicast@0.5.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@6.0.2))(typescript@6.0.2))(kysely@0.28.15)(mysql2@3.15.3)(postgres@3.4.7)(prisma@7.4.2(@types/react@19.2.14)(magicast@0.5.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@6.0.2)))(mysql2@3.15.3))(embla-carousel@8.6.0)(ioredis@5.9.2)(magicast@0.5.2)(qrcode@1.5.4)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@6.0.2)(valibot@1.3.1(typescript@6.0.2))(vite@7.3.1(@types/node@25.5.2)(jiti@2.6.1)(lightningcss@1.32.0)(terser@5.46.0)(yaml@2.8.3))(vue-router@4.6.4(vue@3.5.30(typescript@6.0.2)))(vue@3.5.30(typescript@6.0.2))
       '@lenne.tech/nuxt-extensions':
-        specifier: 1.5.2
-        version: 1.5.2(@better-auth/passkey@1.5.6(@better-auth/core@1.5.6(@better-auth/utils@0.3.1)(@better-fetch/fetch@1.1.21)(@opentelemetry/api@1.9.1)(better-call@1.3.2(zod@4.3.6))(jose@6.1.3)(kysely@0.28.15)(nanostores@1.1.1))(@better-auth/utils@0.3.1)(@better-fetch/fetch@1.1.21)(better-auth@1.5.6(b30780dc8bc760c93f1eee811a4ad078))(better-call@1.3.2(zod@4.3.6))(nanostores@1.1.1))(@playwright/test@1.59.1)(better-auth@1.5.6(b30780dc8bc760c93f1eee811a4ad078))(magicast@0.5.2)(nuxt@4.4.2(469ac8679250cf62c9e726a96ed146de))(tus-js-client@4.3.1)
+        specifier: 1.5.3
+        version: 1.5.3(@better-auth/passkey@1.5.6(@better-auth/core@1.5.6(@better-auth/utils@0.3.1)(@better-fetch/fetch@1.1.21)(@opentelemetry/api@1.9.1)(better-call@1.3.2(zod@4.3.6))(jose@6.1.3)(kysely@0.28.15)(nanostores@1.1.1))(@better-auth/utils@0.3.1)(@better-fetch/fetch@1.1.21)(better-auth@1.5.6(b30780dc8bc760c93f1eee811a4ad078))(better-call@1.3.2(zod@4.3.6))(nanostores@1.1.1))(@playwright/test@1.59.1)(better-auth@1.5.6(b30780dc8bc760c93f1eee811a4ad078))(magicast@0.5.2)(nuxt@4.4.2(469ac8679250cf62c9e726a96ed146de))(tus-js-client@4.3.1)
       '@nuxt/image':
         specifier: 2.0.0
         version: 2.0.0(crossws@0.3.5)(db0@0.3.4(@electric-sql/pglite@0.3.15)(drizzle-orm@0.45.1(@electric-sql/pglite@0.3.15)(@opentelemetry/api@1.9.1)(@prisma/client@7.4.2(prisma@7.4.2(@types/react@19.2.14)(magicast@0.5.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@6.0.2))(typescript@6.0.2))(kysely@0.28.15)(mysql2@3.15.3)(postgres@3.4.7)(prisma@7.4.2(@types/react@19.2.14)(magicast@0.5.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@6.0.2)))(mysql2@3.15.3))(ioredis@5.9.2)(magicast@0.5.2)
@@ -67,9 +67,6 @@ importers:
         specifier: 1.3.1
         version: 1.3.1(typescript@6.0.2)
     devDependencies:
-      '@hey-api/client-fetch':
-        specifier: 0.13.1
-        version: 0.13.1(@hey-api/openapi-ts@0.95.0(magicast@0.5.2)(typescript@6.0.2))
       '@hey-api/openapi-ts':
         specifier: 0.95.0
         version: 0.95.0(magicast@0.5.2)(typescript@6.0.2)
@@ -870,12 +867,6 @@ packages:
   '@hexagon/base64@1.1.28':
     resolution: {integrity: sha512-lhqDEAvWixy3bZ+UOYbPwUbBkwBq5C1LAJ/xPC8Oi+lL54oyakv/npbA0aU2hgCsx/1NUd4IBvV03+aUBWxerw==}
 
-  '@hey-api/client-fetch@0.13.1':
-    resolution: {integrity: sha512-29jBRYNdxVGlx5oewFgOrkulZckpIpBIRHth3uHFn1PrL2ucMy52FvWOY3U3dVx2go1Z3kUmMi6lr07iOpUqqA==}
-    deprecated: Starting with v0.73.0, this package is bundled directly inside @hey-api/openapi-ts.
-    peerDependencies:
-      '@hey-api/openapi-ts': < 2
-
   '@hey-api/codegen-core@0.7.4':
     resolution: {integrity: sha512-DGd9yeSQzflOWO3Y5mt1GRXkXH9O/yIMgbxPjwLI3jwu/3nAjoXXD26lEeFb6tclYlg0JAqTIs5d930G/qxHeA==}
     engines: {node: '>=20.19.0'}
@@ -1001,8 +992,8 @@ packages:
   '@lenne.tech/bug.lt@1.6.5':
     resolution: {integrity: sha512-3aSfAcuizL8WvmDaHUlSjpLVdaeSRtNMrEPle7IoqA9VBmfaCfUKzOQmSdnz69Laeq6hn1a2P1HVcsj1QoOWuQ==}
 
-  '@lenne.tech/nuxt-extensions@1.5.2':
-    resolution: {integrity: sha512-z+mzLVMumka+mqiS4cBvaN1OkrV30hKpVYrAi5C4NYIpWgDNsP2TRUnmHv2Euq54brM9ZW4rGYNGSiHIAYACxQ==}
+  '@lenne.tech/nuxt-extensions@1.5.3':
+    resolution: {integrity: sha512-CABvWvBUYiFtfYkOHKH9WbDbAwqNSkPJAlje5qX+KqbP5GCXP9BdIOejKKehsD+P7Wfs/pjTns4Fo6PvjuTyjQ==}
     peerDependencies:
       '@better-auth/passkey': '>=1.0.0'
       '@playwright/test': '>=1.0.0'
@@ -7856,10 +7847,6 @@ snapshots:
 
   '@hexagon/base64@1.1.28': {}
 
-  '@hey-api/client-fetch@0.13.1(@hey-api/openapi-ts@0.95.0(magicast@0.5.2)(typescript@6.0.2))':
-    dependencies:
-      '@hey-api/openapi-ts': 0.95.0(magicast@0.5.2)(typescript@6.0.2)
-
   '@hey-api/codegen-core@0.7.4(magicast@0.5.2)':
     dependencies:
       '@hey-api/types': 0.1.4
@@ -8071,7 +8058,7 @@ snapshots:
       - vue-router
       - yup
 
-  '@lenne.tech/nuxt-extensions@1.5.2(@better-auth/passkey@1.5.6(@better-auth/core@1.5.6(@better-auth/utils@0.3.1)(@better-fetch/fetch@1.1.21)(@opentelemetry/api@1.9.1)(better-call@1.3.2(zod@4.3.6))(jose@6.1.3)(kysely@0.28.15)(nanostores@1.1.1))(@better-auth/utils@0.3.1)(@better-fetch/fetch@1.1.21)(better-auth@1.5.6(b30780dc8bc760c93f1eee811a4ad078))(better-call@1.3.2(zod@4.3.6))(nanostores@1.1.1))(@playwright/test@1.59.1)(better-auth@1.5.6(b30780dc8bc760c93f1eee811a4ad078))(magicast@0.5.2)(nuxt@4.4.2(469ac8679250cf62c9e726a96ed146de))(tus-js-client@4.3.1)':
+  '@lenne.tech/nuxt-extensions@1.5.3(@better-auth/passkey@1.5.6(@better-auth/core@1.5.6(@better-auth/utils@0.3.1)(@better-fetch/fetch@1.1.21)(@opentelemetry/api@1.9.1)(better-call@1.3.2(zod@4.3.6))(jose@6.1.3)(kysely@0.28.15)(nanostores@1.1.1))(@better-auth/utils@0.3.1)(@better-fetch/fetch@1.1.21)(better-auth@1.5.6(b30780dc8bc760c93f1eee811a4ad078))(better-call@1.3.2(zod@4.3.6))(nanostores@1.1.1))(@playwright/test@1.59.1)(better-auth@1.5.6(b30780dc8bc760c93f1eee811a4ad078))(magicast@0.5.2)(nuxt@4.4.2(469ac8679250cf62c9e726a96ed146de))(tus-js-client@4.3.1)':
     dependencies:
       '@nuxt/kit': 4.4.2(magicast@0.5.2)
       better-auth: 1.5.6(b30780dc8bc760c93f1eee811a4ad078)

package/nuxt-base-template/scripts/check-server-start.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -e
+
+# Temp file for server output
+LOG_FILE=$(mktemp)
+
+# Start the built Nuxt server in background, redirect output to log file
+# The build step already ran before this script is called
+node .output/server/index.mjs > "$LOG_FILE" 2>&1 &
+SERVER_PID=$!
+
+# Show log output in real-time
+tail -f "$LOG_FILE" &
+TAIL_PID=$!
+
+# Ensure cleanup on exit: kill server, tail, and remove temp file
+trap 'kill $SERVER_PID $TAIL_PID 2>/dev/null; wait $SERVER_PID $TAIL_PID 2>/dev/null || true; rm -f "$LOG_FILE"' EXIT
+
+# Wait for the Nitro server ready message (max 60 seconds)
+for i in $(seq 1 60); do
+  if grep -q "Listening on\|Nitro ready\|Local:" "$LOG_FILE" 2>/dev/null; then
+    echo ""
+    echo "Server started successfully - check complete"
+    exit 0
+  fi
+  # Check if server process died unexpectedly
+  if ! kill -0 $SERVER_PID 2>/dev/null; then
+    echo ""
+    echo "Server process exited unexpectedly"
+    exit 1
+  fi
+  sleep 1
+done
+
+echo ""
+echo "Server failed to start within 60 seconds"
+exit 1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-nuxt-base",
-  "version": "2.5.2",
+  "version": "2.6.0",
   "description": "Starter to generate a configured environment with VueJS, Nuxt, Tailwind, Linting, Unit Tests, Playwright etc.",
   "license": "MIT",
   "author": "lenne.Tech GmbH",
@@ -38,6 +38,9 @@
   },
   "pnpm": {
     "overrides": {
+      "brace-expansion@>=4.0.0 <5.0.5": ">=5.0.5",
+      "handlebars@>=4.0.0 <=4.7.8": ">=4.7.9",
+      "lodash@>=4.0.0 <=4.17.23": ">=4.18.0",
       "minimatch@<3.1.4": ">=3.1.4"
     }
   }