create-projx 1.6.0 → 1.6.2

package/README.md

@@ -7,6 +7,8 @@
 
 **Go from blank folder to production-ready project in 30 seconds.** Backend-only API, AI/ML app, mobile, full-stack, infra setup — pick what you need and get it wired with auth, database, Docker, CI/CD, hooks, and tests. All optional. All yours.
 
+![projx demo](.github/demo.gif)
+
 ```bash
 npx create-projx my-app
 ```
@@ -175,27 +177,35 @@ Your custom files (controllers, pages, middleware) are never deleted. Files you
 
 ### Skip Files
 
-To skip component source files, add `skip` to `.projx-component`:
+Common user-owned files are **default-skipped** automatically — template updates won't touch them:
+
+| Scope | Default skips |
+|-------|---------------|
+| Root (`.projx`) | `docker-compose.yml`, `docker-compose.dev.yml`, `README.md`, `.githooks/pre-commit`, `.github/workflows/ci.yml`, `setup.sh` |
+| fastapi | `pyproject.toml` |
+| fastify / frontend / e2e | `package.json` |
+| mobile | `pubspec.yaml` |
+
+Defaults are applied once on first `update` and saved to the `skip` array. To skip additional files, add them to `skip` in `.projx` (root-level) or `.projx-component` (per-component):
 
 ```json
+// .projx — root skip
 {
-  "components": ["fastapi"],
-  "origin": "init",
-  "skip": ["src/**", "tests/**"]
+  "version": "x.y.z",
+  "skip": ["docker-compose.yml", "README.md", "my-custom-config.yml"]
 }
 ```
 
-To skip root-level files (docker-compose, README), add `skip` to `.projx`:
-
 ```json
+// fastapi/.projx-component — component skip
 {
-  "version": "1.5.2",
-  "components": ["fastapi", "frontend"],
-  "skip": ["docker-compose.yml", "README.md"]
+  "component": "fastapi",
+  "origin": "init",
+  "skip": ["pyproject.toml", "src/custom_middleware.py"]
 }
 ```
 
-Skipped files are excluded from template updates.
+To opt back in to updates for a skipped file, use `npx create-projx unpin <file>`.
 
 ## Options
 
@@ -274,14 +284,14 @@ When both `fastapi` and `fastify` exist, the entity generates in the **primary b
 
 Override with `--ai` (fastapi) or `--backend` (fastify).
 
-| Component                 | Generated                                                                                     |
-| ------------------------- | --------------------------------------------------------------------------------------------- |
-| Primary backend (fastapi) | `src/entities/<name>/_model.py` + `tests/test_<name>_entity.py` — model + 11 CRUD/auth tests  |
-| Primary backend (fastify) | `src/modules/<name>/schemas.ts` + `index.ts` + Prisma model + `tests/modules/<name>.test.ts`  |
-| `frontend`                | `src/types/<name>.ts` — TypeScript interface + Create/Update variants                         |
-| `mobile`                  | `lib/entities/<name>/model.dart` — Dart class with fromJson/toJson/copyWith                   |
+| Component                 | Generated                                                                                    |
+| ------------------------- | -------------------------------------------------------------------------------------------- |
+| Primary backend (fastapi) | `src/entities/<name>/_model.py` + `tests/test_<name>_entity.py` — model + 11 CRUD/auth tests |
+| Primary backend (fastify) | `src/modules/<name>/schemas.ts` + `index.ts` + Prisma model + `tests/modules/<name>.test.ts` |
+| `frontend`                | `src/types/<name>.ts` — TypeScript interface + Create/Update variants                        |
+| `mobile`                  | `lib/entities/<name>/model.dart` — Dart class with fromJson/toJson/copyWith                  |
 
-**Tests included**: every `gen entity` writes a working integration test file alongside the model — 11 tests for FastAPI (extending `BaseEntityApiTest`), 11 tests for Fastify (via `describeCrudEntity`). Both run against a real database (Postgres for Fastify, SQLite-in-memory for FastAPI today). New entities ship green from day one — no scrambling to bolt on tests at go-live.
+**Tests included**: every `gen entity` writes a working integration test file alongside the model — 11 tests for FastAPI (extending `BaseEntityApiTest`), 11 tests for Fastify (via `describeCrudEntity`). Both run against a real database (Postgres). New entities ship green from day one — no scrambling to bolt on tests at go-live.
 
 No migrations — run `alembic revision --autogenerate` or `prisma migrate dev` (via your package manager) when ready.
 
@@ -343,6 +353,8 @@ The core idea: define a data model, get everything else for free.
 
 **Backend** — Drop a model file. The registry auto-discovers it and generates CRUD routes, schemas, pagination, filtering, sorting, search, FK expansion, and OpenAPI docs.
 
+**Field privacy** — Sensitive columns (`password_hash`, `secret`, `api_key`, `mfa_secret`, etc.) are automatically stripped from API responses and `/_meta` via a built-in baseline. Add project-specific hidden fields per entity (`__hidden_fields__` in FastAPI, `hiddenFields` in Fastify). Mark entire entities as `__private__` / `private: true` to hide them from the API entirely — no routes registered, not listed in `/_meta`. The `/_meta` endpoint requires authentication on both backends.
+
 **Frontend** — Fetches metadata from `GET /api/v1/_meta`, renders table + form UI automatically. Customize with overrides.
 
 **Mobile** — Same metadata endpoint, generates list/detail/form screens. Offline-first with local DB and sync queue.
@@ -361,8 +373,8 @@ The CLI lives in `cli/`. Templates are the root-level component directories (`fa
 
 ```bash
 cd cli
-npm test        # run tests
-npm run build   # build CLI
+pnpm test       # run tests
+pnpm build      # build CLI
 ```
 
 ## Try it now

package/dist/{baseline-72Z7TC2E.js → baseline-KTCFW2FK.js}

@@ -10,8 +10,8 @@ import {
   matchesSkip,
   saveBaselineRef,
   writeTemplateToDir
-} from "./chunk-G74HYIE4.js";
-import "./chunk-FTHX7ILT.js";
+} from "./chunk-D33FXCNT.js";
+import "./chunk-LTIJPVRZ.js";
 export {
   BASELINE_REF,
   applyTemplate,

package/dist/{chunk-G74HYIE4.js → chunk-D33FXCNT.js}

@@ -6,19 +6,20 @@ import {
   readComponentMarker,
   readProjxConfig,
   render,
+  renderEjsInDir,
   replaceInDir,
   replaceInFile,
   sharedTemplateDir,
   toSnake,
   upsertComponentMarker,
   writeProjxConfig
-} from "./chunk-FTHX7ILT.js";
+} from "./chunk-LTIJPVRZ.js";
 
 // src/baseline.ts
 import { existsSync, writeFileSync, unlinkSync } from "fs";
-import { chmod, mkdir, writeFile, rm, readFile as readFile2 } from "fs/promises";
+import { chmod, mkdir, writeFile, rm, readFile as readFile2, copyFile } from "fs/promises";
 import { execSync } from "child_process";
-import { join as join2 } from "path";
+import { join as join2, dirname } from "path";
 import { tmpdir } from "os";
 
 // src/generators/index.ts
@@ -106,7 +107,7 @@ function buildDisplayNames(paths) {
 }
 var BASELINE_REF = "refs/projx/baseline";
 async function migrateComponentMarkers(cwd, components, componentPaths, applyDefaults) {
-  const { readComponentMarker: readComponentMarker2, writeComponentMarker } = await import("./utils-OOY5OZDX.js");
+  const { readComponentMarker: readComponentMarker2, writeComponentMarker } = await import("./utils-VY5BBJBQ.js");
   for (const component of components) {
     const dir = componentPaths[component];
     const markerDir = join2(cwd, dir);
@@ -259,7 +260,12 @@ async function tryThreeWayMerge(cwd, templateDir, baselineRef, componentPaths) {
     if (file === ".projx") continue;
     if (file.endsWith("/.projx-component") || file === ".projx-component") continue;
     const oursPath = join2(cwd, file);
-    if (!existsSync(oursPath)) continue;
+    if (!existsSync(oursPath)) {
+      await mkdir(dirname(oursPath), { recursive: true });
+      await copyFile(join2(templateDir, file), oursPath);
+      merged.push(file);
+      continue;
+    }
     const baseContent = lookupBaseContent(cwd, baselineRef, file, pathFallbacks);
     if (baseContent === null) continue;
     let theirsContent;
@@ -324,8 +330,10 @@ async function removeSkippedFiles(dir, skipPatterns, realDir) {
       const rel = full.slice(base.length + 1);
       if (entry.isDirectory()) {
         await walk(full, base);
-      } else if (entry.name !== ".projx-component" && matchesSkip(rel, skipPatterns)) {
-        if (realDir && !existsSync(join2(realDir, rel))) continue;
+      } else if (entry.name !== ".projx-component") {
+        const targetRel = rel.endsWith(".ejs") ? rel.slice(0, -".ejs".length) : rel;
+        if (!matchesSkip(targetRel, skipPatterns) && !matchesSkip(rel, skipPatterns)) continue;
+        if (realDir && !existsSync(join2(realDir, targetRel))) continue;
         await unlink(full);
       }
     }
@@ -358,6 +366,7 @@ async function writeTemplateToDir(dest, repoDir, components, componentPaths, var
       await cp(srcDir, outDir, { recursive: true, force: true });
     }
     await rm(tmpDir, { recursive: true, force: true });
+    await renderEjsInDir(outDir, vars);
     await upsertComponentMarker(join2(dest, targetDir), component, skipPatterns.length > 0 ? skipPatterns : void 0);
   }
   if (!vars.pathsUpper) {

package/dist/{chunk-FTHX7ILT.js → chunk-LTIJPVRZ.js}

@@ -19,13 +19,13 @@ var PACKAGE_MANAGERS = ["npm", "pnpm", "yarn", "bun"];
 function pmCommands(pm) {
   switch (pm) {
     case "npm":
-      return { name: "npm", install: "npm install", ci: "npm ci", run: "npm run", exec: "npx", dlx: "npx", lockfile: "package-lock.json", prismaExec: "npx prisma", runDev: "npm run dev" };
+      return { name: "npm", install: "npm install", ci: "npm ci", run: "npm run", exec: "npx", dlx: "npx", lockfile: "package-lock.json", prismaExec: "npx prisma", runDev: "npm run dev", audit: "npm audit --omit=dev" };
     case "pnpm":
-      return { name: "pnpm", install: "pnpm install", ci: "pnpm install --frozen-lockfile", run: "pnpm", exec: "pnpm exec", dlx: "pnpm dlx", lockfile: "pnpm-lock.yaml", prismaExec: "pnpm prisma", runDev: "pnpm dev" };
+      return { name: "pnpm", install: "pnpm install", ci: "pnpm install --frozen-lockfile", run: "pnpm", exec: "pnpm exec", dlx: "pnpm dlx", lockfile: "pnpm-lock.yaml", prismaExec: "pnpm prisma", runDev: "pnpm dev", audit: "pnpm audit --prod" };
     case "yarn":
-      return { name: "yarn", install: "yarn", ci: "yarn --frozen-lockfile", run: "yarn", exec: "yarn", dlx: "yarn dlx", lockfile: "yarn.lock", prismaExec: "yarn prisma", runDev: "yarn dev" };
+      return { name: "yarn", install: "yarn", ci: "yarn --frozen-lockfile", run: "yarn", exec: "yarn", dlx: "yarn dlx", lockfile: "yarn.lock", prismaExec: "yarn prisma", runDev: "yarn dev", audit: "yarn npm audit --environment production" };
     case "bun":
-      return { name: "bun", install: "bun install", ci: "bun install --frozen-lockfile", run: "bun run", exec: "bunx", dlx: "bunx", lockfile: "bun.lockb", prismaExec: "bunx prisma", runDev: "bun run dev" };
+      return { name: "bun", install: "bun install", ci: "bun install --frozen-lockfile", run: "bun run", exec: "bunx", dlx: "bunx", lockfile: "bun.lockb", prismaExec: "bunx prisma", runDev: "bun run dev", audit: "bun audit --prod" };
   }
 }
 function detectPackageManager(cwd) {
@@ -369,6 +369,22 @@ function render(template, vars) {
   }
   return output.join("\n").replace(/\n{3,}/g, "\n\n");
 }
+async function renderEjsInDir(dir, vars) {
+  if (!existsSync(dir)) return;
+  const entries = await readdir(dir, { withFileTypes: true });
+  for (const entry of entries) {
+    const full = join(dir, entry.name);
+    if (entry.isDirectory()) {
+      await renderEjsInDir(full, vars);
+    } else if (entry.name.endsWith(".ejs")) {
+      const content = await readFile(full, "utf-8");
+      const rendered = render(content, vars);
+      const out = full.slice(0, -".ejs".length);
+      await writeFile(out, rendered);
+      await rm(full);
+    }
+  }
+}
 function detectProjectName(cwd, components, componentPaths) {
   for (const component of components) {
     const dir = componentPaths[component] ?? component;
@@ -420,5 +436,6 @@ export {
   discoverComponentPaths,
   discoverComponentsFromMarkers,
   render,
+  renderEjsInDir,
   detectProjectName
 };

package/dist/index.js

@@ -9,7 +9,7 @@ import {
   matchesSkip,
   saveBaselineRef,
   writeTemplateToDir
-} from "./chunk-G74HYIE4.js";
+} from "./chunk-D33FXCNT.js";
 import {
   COMPONENTS,
   COMPONENT_MARKER,
@@ -33,7 +33,7 @@ import {
   toTitle,
   writeComponentMarker,
   writeProjxConfig
-} from "./chunk-FTHX7ILT.js";
+} from "./chunk-LTIJPVRZ.js";
 
 // src/index.ts
 import { existsSync as existsSync11 } from "fs";
@@ -371,7 +371,7 @@ function hasUncommittedChanges(cwd) {
 async function findPinnedFilesWithUpdates(cwd, repoDir, components, componentPaths, vars, version, componentSkips, rootSkip) {
   const { mkdir: mkdir5, rm: rm2, readFile: readFile7 } = await import("fs/promises");
   const { tmpdir: tmpdir2 } = await import("os");
-  const { writeTemplateToDir: writeTemplateToDir2 } = await import("./baseline-72Z7TC2E.js");
+  const { writeTemplateToDir: writeTemplateToDir2 } = await import("./baseline-KTCFW2FK.js");
   const config = await readProjxConfig(cwd);
   const rootPinned = Array.isArray(config.skip) ? config.skip : [];
   const componentPinned = [];

package/dist/{utils-OOY5OZDX.js → utils-VY5BBJBQ.js}

@@ -23,6 +23,7 @@ import {
   readFileOrNull,
   readProjxConfig,
   render,
+  renderEjsInDir,
   replaceInDir,
   replaceInFile,
   sharedTemplateDir,
@@ -32,7 +33,7 @@ import {
   upsertComponentMarker,
   writeComponentMarker,
   writeProjxConfig
-} from "./chunk-FTHX7ILT.js";
+} from "./chunk-LTIJPVRZ.js";
 export {
   COMPONENTS,
   COMPONENT_MARKER,
@@ -58,6 +59,7 @@ export {
   readFileOrNull,
   readProjxConfig,
   render,
+  renderEjsInDir,
   replaceInDir,
   replaceInFile,
   sharedTemplateDir,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-projx",
-  "version": "1.6.0",
+  "version": "1.6.2",
   "description": "Scaffold production-grade fullstack projects in seconds. FastAPI, Fastify, React, Flutter, Terraform — with auth, database, CI/CD, E2E tests, and Docker. One command, ready to deploy.",
   "type": "module",
   "bin": {
@@ -10,13 +10,6 @@
     "dist",
     "src/templates"
   ],
-  "scripts": {
-    "build": "tsup src/index.ts --format esm --target node18 --clean",
-    "dev": "tsup src/index.ts --format esm --target node18 --watch",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "prepublishOnly": "npm run build"
-  },
   "keywords": [
     "projx",
     "scaffold",
@@ -61,5 +54,11 @@
     "typescript": "^5",
     "typescript-eslint": "^8.58.0",
     "vitest": "^4.1.2"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --format esm --target node18 --clean",
+    "dev": "tsup src/index.ts --format esm --target node18 --watch",
+    "test": "vitest run",
+    "test:watch": "vitest"
   }
-}
+}

package/src/templates/README.md.ejs

@@ -24,7 +24,7 @@ Scaffolded with [Projx](https://github.com/ukanhaupa/projx).
 <% if (components.includes('infra')) { %>
 | **<%= paths.infra %>/** | Terraform, AWS (EKS, RDS, VPC, CodePipeline) |
 <% } %>
-| **Identity** | Keycloak (OIDC / JWT) |
+| **Identity** | OIDC / JWT |
 | **Containers** | Docker, Docker Compose |
 
 ## Getting Started

package/src/templates/ci.yml.ejs

@@ -61,10 +61,21 @@ jobs:
             <%= paths.infra %>:
               - '<%= paths.infra %>/**'
 <% } %>
+
+  secrets:
+    name: Secret scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 <% if (components.includes('fastapi')) { %>
 
   <%= paths.fastapi %>:
-    name: <%= displayNames.fastapi %> (format + lint)
+    name: <%= displayNames.fastapi %> (format + lint + typecheck + test + audit)
     needs: changes
     if: needs.changes.outputs.<%= paths.fastapi %> == 'true'
     runs-on: ubuntu-latest
@@ -77,11 +88,14 @@ jobs:
       - run: uv sync --group dev
       - run: uv run ruff format --check src tests
       - run: uv run ruff check src tests
+      - run: uv run mypy
+      - run: uv run pytest
+      - run: uv run pip-audit
 <% } %>
 <% if (components.includes('fastify')) { %>
 
   <%= paths.fastify %>:
-    name: <%= displayNames.fastify %> (format + lint + typecheck)
+    name: <%= displayNames.fastify %> (format + lint + typecheck + audit)
     needs: changes
     if: needs.changes.outputs.<%= paths.fastify %> == 'true'
     runs-on: ubuntu-latest
@@ -93,7 +107,7 @@ jobs:
 <% if (pm === 'pnpm') { %>
       - uses: pnpm/action-setup@v4
         with:
-          version: 9
+          version: 10
 <% } %>
 <% if (pm === 'bun') { %>
       - uses: oven-sh/setup-bun@v2
@@ -110,11 +124,12 @@ jobs:
       - run: <%= pm.exec %> prettier --check .
       - run: <%= pm.exec %> eslint .
       - run: <%= pm.exec %> tsc --noEmit
+      - run: <%= pm.audit %>
 <% } %>
 <% if (components.includes('frontend')) { %>
 
   <%= paths.frontend %>:
-    name: <%= displayNames.frontend %> (format + lint + typecheck)
+    name: <%= displayNames.frontend %> (format + lint + typecheck + audit)
     needs: changes
     if: needs.changes.outputs.<%= paths.frontend %> == 'true'
     runs-on: ubuntu-latest
@@ -126,7 +141,7 @@ jobs:
 <% if (pm === 'pnpm') { %>
       - uses: pnpm/action-setup@v4
         with:
-          version: 9
+          version: 10
 <% } %>
 <% if (pm === 'bun') { %>
       - uses: oven-sh/setup-bun@v2
@@ -142,6 +157,7 @@ jobs:
       - run: <%= pm.exec %> prettier --check .
       - run: <%= pm.exec %> eslint 'src/**/*.{ts,tsx}'
       - run: <%= pm.exec %> tsc --noEmit
+      - run: <%= pm.audit %>
 <% } %>
 <% if (components.includes('mobile')) { %>
 
@@ -166,7 +182,7 @@ jobs:
 <% if (components.includes('e2e')) { %>
 
   <%= paths.e2e %>:
-    name: <%= displayNames.e2e %> (format + lint + typecheck)
+    name: <%= displayNames.e2e %> (format + lint + typecheck + audit)
     needs: changes
     if: needs.changes.outputs.<%= paths.e2e %> == 'true'
     runs-on: ubuntu-latest
@@ -178,7 +194,7 @@ jobs:
 <% if (pm === 'pnpm') { %>
       - uses: pnpm/action-setup@v4
         with:
-          version: 9
+          version: 10
 <% } %>
 <% if (pm === 'bun') { %>
       - uses: oven-sh/setup-bun@v2
@@ -194,6 +210,7 @@ jobs:
       - run: <%= pm.exec %> prettier --check .
       - run: <%= pm.exec %> eslint '**/*.ts'
       - run: <%= pm.exec %> tsc --noEmit
+      - run: <%= pm.audit %>
 <% } %>
 <% if (components.includes('infra')) { %>
 

package/src/templates/pre-commit.ejs

@@ -31,10 +31,11 @@ STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACMR)
 
 <%= pathsUpper.fastapi %>_PY=$(echo "$STAGED_FILES" | grep '^<%= paths.fastapi %>/.*\.py$' || true)
 if [ -n "$<%= pathsUpper.fastapi %>_PY" ]; then
-  echo "Formatting & linting <%= paths.fastapi %>..."
+  echo "Running quality gates for <%= paths.fastapi %>..."
   cd <%= paths.fastapi %>
   echo "$<%= pathsUpper.fastapi %>_PY" | sed 's|^<%= paths.fastapi %>/||' | xargs uv run ruff format
   echo "$<%= pathsUpper.fastapi %>_PY" | sed 's|^<%= paths.fastapi %>/||' | xargs uv run ruff check --fix
+  uv run mypy
   cd ..
   echo "$<%= pathsUpper.fastapi %>_PY" | xargs git add
 fi