create-projx 1.6.5 → 1.7.1

package/dist/{utils-AVKSTHIF.js → utils-4G3HNHES.js}

@@ -4,6 +4,8 @@ import {
   DEFAULT_COMPONENT_SKIP_PATTERNS,
   DEFAULT_ROOT_SKIP_PATTERNS,
   EXCLUDE,
+  KNOWN_FEATURES,
+  ORM_PROVIDERS,
   PACKAGE_MANAGERS,
   REPO,
   REPO_URL,
@@ -33,13 +35,15 @@ import {
   upsertComponentMarker,
   writeComponentMarker,
   writeProjxConfig
-} from "./chunk-6YRBHJ2V.js";
+} from "./chunk-OLPF7FAN.js";
 export {
   COMPONENTS,
   COMPONENT_MARKER,
   DEFAULT_COMPONENT_SKIP_PATTERNS,
   DEFAULT_ROOT_SKIP_PATTERNS,
   EXCLUDE,
+  KNOWN_FEATURES,
+  ORM_PROVIDERS,
   PACKAGE_MANAGERS,
   REPO,
   REPO_URL,

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "create-projx",
-  "version": "1.6.5",
-  "description": "Scaffold production-grade fullstack projects in seconds. FastAPI, Fastify, React, Flutter, Terraform — with auth, database, CI/CD, E2E tests, and Docker. One command, ready to deploy.",
+  "version": "1.7.1",
+  "description": "Scaffold production-grade fullstack projects in seconds. FastAPI, Fastify, Express, React, Flutter, Terraform — with auth, database, CI/CD, E2E tests, and Docker. One command, ready to deploy.",
   "type": "module",
   "bin": {
     "create-projx": "dist/index.js"
@@ -20,6 +20,7 @@
     "fullstack",
     "fastapi",
     "fastify",
+    "express",
     "react",
     "flutter",
     "terraform",
@@ -44,21 +45,25 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@clack/prompts": "^0.9"
+    "@clack/prompts": "^1.2.0"
   },
   "devDependencies": {
     "@eslint/js": "^10.0.1",
     "@types/node": "^25.5.2",
+    "@vitest/coverage-v8": "^4.1.5",
     "eslint": "^10.2.0",
+    "prettier": "^3.8.3",
     "tsup": "^8",
     "typescript": "^5",
-    "typescript-eslint": "^8.58.0",
-    "vitest": "^4.1.2"
+    "typescript-eslint": "^8.59.0",
+    "vitest": "^4.1.5"
   },
   "scripts": {
     "build": "tsup src/index.ts --format esm --target node18 --clean",
     "dev": "tsup src/index.ts --format esm --target node18 --watch",
-    "test": "vitest run",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "test": "vitest run --coverage",
     "test:watch": "vitest"
   }
 }

package/src/templates/README.md.ejs

@@ -10,7 +10,10 @@ Scaffolded with [Projx](https://github.com/ukanhaupa/projx).
 | **<%= paths.fastapi %>/** | FastAPI, SQLAlchemy, Alembic, uvicorn |
 <% } %>
 <% if (components.includes('fastify')) { %>
-| **<%= paths.fastify %>/** | Fastify, Prisma, TypeBox, TypeScript |
+| **<%= paths.fastify %>/** | Fastify, <%= orm === 'drizzle' ? 'Drizzle' : 'Prisma' %>, TypeBox, TypeScript |
+<% } %>
+<% if (components.includes('express')) { %>
+| **<%= paths.express %>/** | Express 5, TypeScript, <%= orm === 'drizzle' ? 'Drizzle' : 'Prisma' %> |
 <% } %>
 <% if (components.includes('frontend')) { %>
 | **<%= paths.frontend %>/** | React 19, TypeScript, Vite, React Router |
@@ -30,8 +33,9 @@ Scaffolded with [Projx](https://github.com/ukanhaupa/projx).
 ## Getting Started
 
 ```bash
-./scripts/setup.sh                           # Install all dependencies
-docker compose -f docker-compose.dev.yml up  # Start with Docker (dev mode)
+./scripts/setup.sh           # Install all dependencies
+# Ensure PostgreSQL is running locally, then run `<%= pm.runDev %>` in each service.
+# Production stack: docker compose up --build
 ```
 <% if (components.includes('fastapi')) { %>
 
@@ -48,11 +52,21 @@ API docs at `http://localhost:7860/docs`.
 ### <%= paths.fastify %>/
 
 ```bash
-cd <%= paths.fastify %> && cp .env.example .env && <%= pm.install %> && <%= pm.exec %> prisma migrate dev && <%= pm.run %> dev
+cd <%= paths.fastify %> && cp .env.example .env && <%= pm.install %> && <%= orm === 'drizzle' ? `${pm.exec} drizzle-kit push --force` : `${pm.exec} prisma migrate dev` %> && <%= pm.run %> dev
 ```
 
 API docs at `http://localhost:3000/docs`.
 <% } %>
+<% if (components.includes('express')) { %>
+
+### <%= paths.express %>/
+
+```bash
+cd <%= paths.express %> && cp .env.example .env && <%= pm.install %><%= orm === 'drizzle' ? ` && ${pm.exec} drizzle-kit push --force` : '' %> && <%= pm.run %> dev
+```
+
+Health check at `http://localhost:3000/api/health`.
+<% } %>
 <% if (components.includes('frontend')) { %>
 
 ### <%= paths.frontend %>/
@@ -79,6 +93,9 @@ cd <%= paths.fastapi %> && uv run pytest
 <% if (components.includes('fastify')) { %>
 cd <%= paths.fastify %> && <%= pm.run %> test
 <% } %>
+<% if (components.includes('express')) { %>
+cd <%= paths.express %> && <%= pm.run %> test
+<% } %>
 <% if (components.includes('frontend')) { %>
 cd <%= paths.frontend %> && <%= pm.exec %> vitest run
 <% } %>

package/src/templates/ci.yml.ejs

@@ -5,13 +5,16 @@ on:
     branches: [main]
   push:
     branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
 
 jobs:
   changes:
     name: Detect changes
     runs-on: ubuntu-latest
-    permissions:
-      pull-requests: read
     outputs:
 <% for (const inst of fastapiInstances) { %>
       <%= inst.path %>: ${{ steps.filter.outputs.<%= inst.path %> }}
@@ -19,6 +22,9 @@ jobs:
 <% for (const inst of fastifyInstances) { %>
       <%= inst.path %>: ${{ steps.filter.outputs.<%= inst.path %> }}
 <% } %>
+<% for (const inst of expressInstances) { %>
+      <%= inst.path %>: ${{ steps.filter.outputs.<%= inst.path %> }}
+<% } %>
 <% for (const inst of frontendInstances) { %>
       <%= inst.path %>: ${{ steps.filter.outputs.<%= inst.path %> }}
 <% } %>
@@ -32,8 +38,8 @@ jobs:
       <%= inst.path %>: ${{ steps.filter.outputs.<%= inst.path %> }}
 <% } %>
     steps:
-      - uses: actions/checkout@v5
-      - uses: dorny/paths-filter@v3
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3
         id: filter
         with:
           filters: |
@@ -45,6 +51,10 @@ jobs:
             <%= inst.path %>:
               - '<%= inst.path %>/**'
 <% } %>
+<% for (const inst of expressInstances) { %>
+            <%= inst.path %>:
+              - '<%= inst.path %>/**'
+<% } %>
 <% for (const inst of frontendInstances) { %>
             <%= inst.path %>:
               - '<%= inst.path %>/**'
@@ -66,88 +76,204 @@ jobs:
     name: Secret scan
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@v2
+      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - run: python3 scripts/style-check.py frontend/src
 <% for (const inst of fastapiInstances) { %>
 
   <%= inst.path %>:
-    name: <%= inst.display %> (format + lint + typecheck + test + audit)
+    name: <%= inst.display %> (format + lint + typecheck + audit)
     needs: changes
-    if: needs.changes.outputs.<%= inst.path %> == 'true'
+    if: github.event_name == 'workflow_dispatch' || needs.changes.outputs.<%= inst.path %> == 'true'
     runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:16
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_DB: ci_test
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 5s
+          --health-timeout 5s
+          --health-retries 5
     defaults:
       run:
         working-directory: <%= inst.path %>
+    env:
+      SQLALCHEMY_DATABASE_URI: postgresql+asyncpg://postgres:postgres@localhost:5432/ci_test
+      JWT_PROVIDER: shared_secret
+      JWT_SECRET: ci-test-secret # gitleaks:allow
+      JWT_ALGORITHMS: HS256
     steps:
-      - uses: actions/checkout@v5
-      - uses: astral-sh/setup-uv@v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4
       - run: uv sync --group dev
       - run: uv run ruff format --check src tests
       - run: uv run ruff check src tests
       - run: uv run mypy
-      - run: uv run pytest
-      - run: uv run pip-audit
+      - name: Audit Python dependencies
+        run: |
+          run_pip_audit() {
+            for attempt in 1 2 3; do
+              if uv run pip-audit --ignore-vuln CVE-2026-3219; then
+                return 0
+              fi
+              if [ "$attempt" -eq 3 ]; then
+                return 1
+              fi
+              sleep $((attempt * 5))
+            done
+          }
+          run_pip_audit
 <% } %>
 <% for (const inst of fastifyInstances) { %>
 
   <%= inst.path %>:
-    name: <%= inst.display %> (format + lint + typecheck + audit)
+    name: <%= inst.display %> (format + lint + typecheck + build + audit)
+    needs: changes
+    if: github.event_name == 'workflow_dispatch' || needs.changes.outputs.<%= inst.path %> == 'true'
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:16
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_DB: ci_test
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 5s
+          --health-timeout 5s
+          --health-retries 5
+    defaults:
+      run:
+        working-directory: <%= inst.path %>
+    env:
+      DATABASE_URL: postgresql://postgres:postgres@localhost:5432/ci_test
+      JWT_SECRET: ci-test-secret # gitleaks:allow
+    steps:
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+<% if (pm === 'pnpm') { %>
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
+        with:
+          version: 10
+<% } %>
+<% if (pm === 'bun') { %>
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+<% } %>
+<% if (pm !== 'bun') { %>
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
+        with:
+          node-version: 22
+          cache: <%= pm.name %>
+          cache-dependency-path: <%= inst.path %>/<%= pm.lockfile %>
+<% } %>
+      - run: <%= pm.ci %>
+<% if (orm === 'drizzle') { %>
+      - run: <%= pm.exec %> drizzle-kit push --force
+<% } else if (orm === 'sequelize' || orm === 'typeorm') { %>
+      - run: <%= pm.exec %> tsx scripts/db-sync.ts
+<% } else { %>
+      - run: <%= pm.prismaExec %> generate
+      - run: <%= pm.prismaExec %> migrate deploy
+<% } %>
+      - run: <%= pm.exec %> prettier --check .
+      - run: <%= pm.exec %> eslint .
+      - run: <%= pm.exec %> tsc --noEmit
+      - run: <%= pm.run %> build
+      - run: <%= pm.audit %>
+<% } %>
+<% for (const inst of expressInstances) { %>
+
+  <%= inst.path %>:
+    name: <%= inst.display %> (format + lint + typecheck + build + test + audit)
     needs: changes
-    if: needs.changes.outputs.<%= inst.path %> == 'true'
+    if: github.event_name == 'workflow_dispatch' || needs.changes.outputs.<%= inst.path %> == 'true'
     runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:16
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_DB: ci_test
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 5s
+          --health-timeout 5s
+          --health-retries 5
     defaults:
       run:
         working-directory: <%= inst.path %>
+    env:
+      DATABASE_URL: postgresql://postgres:postgres@localhost:5432/ci_test
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 <% if (pm === 'pnpm') { %>
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
         with:
           version: 10
 <% } %>
 <% if (pm === 'bun') { %>
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 <% } %>
 <% if (pm !== 'bun') { %>
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
-          node-version: 20
+          node-version: 22
           cache: <%= pm.name %>
           cache-dependency-path: <%= inst.path %>/<%= pm.lockfile %>
 <% } %>
       - run: <%= pm.ci %>
+<% if (orm === 'drizzle') { %>
+      - run: <%= pm.exec %> drizzle-kit push --force
+<% } else if (orm === 'sequelize' || orm === 'typeorm') { %>
+      - run: <%= pm.exec %> tsx scripts/db-sync.ts
+<% } else { %>
       - run: <%= pm.prismaExec %> generate
+      - run: <%= pm.prismaExec %> migrate deploy
+<% } %>
       - run: <%= pm.exec %> prettier --check .
       - run: <%= pm.exec %> eslint .
       - run: <%= pm.exec %> tsc --noEmit
+      - run: <%= pm.run %> build
+      - run: <%= pm.exec %> vitest run --coverage.enabled=false
       - run: <%= pm.audit %>
 <% } %>
 <% for (const inst of frontendInstances) { %>
 
   <%= inst.path %>:
-    name: <%= inst.display %> (format + lint + typecheck + audit)
+    name: <%= inst.display %> (format + lint + typecheck + build + audit)
     needs: changes
-    if: needs.changes.outputs.<%= inst.path %> == 'true'
+    if: github.event_name == 'workflow_dispatch' || needs.changes.outputs.<%= inst.path %> == 'true'
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: <%= inst.path %>
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 <% if (pm === 'pnpm') { %>
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
         with:
           version: 10
 <% } %>
 <% if (pm === 'bun') { %>
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 <% } %>
 <% if (pm !== 'bun') { %>
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
           node-version: 22
           cache: <%= pm.name %>
@@ -157,50 +283,54 @@ jobs:
       - run: <%= pm.exec %> prettier --check .
       - run: <%= pm.exec %> eslint 'src/**/*.{ts,tsx}'
       - run: <%= pm.exec %> tsc --noEmit
+      - run: <%= pm.run %> build
+      - run: bash scripts/check-bundle-size.sh
       - run: <%= pm.audit %>
 <% } %>
 <% for (const inst of mobileInstances) { %>
 
   <%= inst.path %>:
-    name: <%= inst.display %> (format + analyze)
+    name: <%= inst.display %> (format + analyze + test + coverage)
     needs: changes
-    if: needs.changes.outputs.<%= inst.path %> == 'true'
+    if: github.event_name == 'workflow_dispatch' || needs.changes.outputs.<%= inst.path %> == 'true'
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: <%= inst.path %>
     steps:
-      - uses: actions/checkout@v5
-      - uses: subosito/flutter-action@v2
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2
         with:
           channel: stable
       - run: flutter pub get
       - run: dart run build_runner build --delete-conflicting-outputs
       - run: dart format --set-exit-if-changed .
       - run: dart analyze --fatal-infos
+      - run: flutter test --coverage
+      - run: bash scripts/check-coverage.sh
 <% } %>
 <% for (const inst of e2eInstances) { %>
 
   <%= inst.path %>:
     name: <%= inst.display %> (format + lint + typecheck + audit)
     needs: changes
-    if: needs.changes.outputs.<%= inst.path %> == 'true'
+    if: github.event_name == 'workflow_dispatch' || needs.changes.outputs.<%= inst.path %> == 'true'
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: <%= inst.path %>
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 <% if (pm === 'pnpm') { %>
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
         with:
           version: 10
 <% } %>
 <% if (pm === 'bun') { %>
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 <% } %>
 <% if (pm !== 'bun') { %>
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
           node-version: 22
           cache: <%= pm.name %>
@@ -217,14 +347,14 @@ jobs:
   <%= inst.path %>:
     name: <%= inst.display %> (fmt + validate)
     needs: changes
-    if: needs.changes.outputs.<%= inst.path %> == 'true'
+    if: github.event_name == 'workflow_dispatch' || needs.changes.outputs.<%= inst.path %> == 'true'
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: <%= inst.path %>/stack
     steps:
-      - uses: actions/checkout@v5
-      - uses: hashicorp/setup-terraform@v3
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
         with:
           terraform_version: '1.11'
       - run: terraform fmt -check -recursive

package/src/templates/docker-compose.yml.ejs

@@ -30,12 +30,17 @@ services:
       retries: 3
       start_period: 15s
     networks:
-      - app-network
+      app-network:
+<% if (fastifyInstances.length === 0 && expressInstances.length === 0 && inst.path === fastapiInstances[0].path) { %>
+        aliases:
+          - backend
+<% } %>
 <% } %>
 <% for (const inst of fastifyInstances) { %>
   <%= inst.path %>-migrate:
-    build: ./<%= inst.path %>
-    command: ["sh", "-c", "<%= pm.prismaExec %> migrate deploy"]
+    build:
+      context: ./<%= inst.path %>
+      target: migrate
     env_file:
       - ./<%= inst.path %>/.env
     networks:
@@ -51,13 +56,61 @@ services:
       <%= inst.path %>-migrate:
         condition: service_completed_successfully
     healthcheck:
-      test: ["CMD", "wget", "--spider", "-q", "http://localhost:3000/api/health"]
+      test:
+        [
+          "CMD",
+          "node",
+          "-e",
+          "require('http').get('http://localhost:3000/api/health', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))",
+        ]
       interval: 30s
       timeout: 10s
       retries: 3
       start_period: 15s
+    networks:
+      app-network:
+<% if (inst.path === fastifyInstances[0].path) { %>
+        aliases:
+          - backend
+<% } %>
+<% } %>
+<% for (const inst of expressInstances) { %>
+  <%= inst.path %>-migrate:
+    build:
+      context: ./<%= inst.path %>
+      target: migrate
+    env_file:
+      - ./<%= inst.path %>/.env
     networks:
       - app-network
+  <%= inst.path %>:
+    build: ./<%= inst.path %>
+    expose:
+      - "3000"
+    env_file:
+      - ./<%= inst.path %>/.env
+    restart: unless-stopped
+    depends_on:
+      <%= inst.path %>-migrate:
+        condition: service_completed_successfully
+    healthcheck:
+      test:
+        [
+          "CMD",
+          "node",
+          "-e",
+          "require('http').get('http://localhost:3000/api/health', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))",
+        ]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 15s
+    networks:
+      app-network:
+<% if (fastifyInstances.length === 0 && inst.path === expressInstances[0].path) { %>
+        aliases:
+          - backend
+<% } %>
 <% } %>
 <% for (const inst of frontendInstances) { %>
   <%= inst.path %>:
@@ -65,6 +118,8 @@ services:
       context: ./<%= inst.path %>
       args:
         VITE_API_URL: ""
+    environment:
+      DOMAIN: ${DOMAIN:-localhost}
     ports:
       - "80:80"
       - "443:443"
@@ -75,6 +130,10 @@ services:
     depends_on:
       <%= fastifyInstances[0].path %>:
         condition: service_healthy
+<% } else if (expressInstances.length > 0) { %>
+    depends_on:
+      <%= expressInstances[0].path %>:
+        condition: service_healthy
 <% } else if (fastapiInstances.length > 0) { %>
     depends_on:
       <%= fastapiInstances[0].path %>:
@@ -82,7 +141,15 @@ services:
 <% } %>
     restart: unless-stopped
     healthcheck:
-      test: ["CMD", "wget", "--spider", "-q", "http://localhost:80/"]
+      test:
+        [
+          "CMD",
+          "wget",
+          "--spider",
+          "-q",
+          "--no-check-certificate",
+          "https://127.0.0.1/",
+        ]
       interval: 30s
       timeout: 5s
       retries: 3

package/src/templates/pre-commit.ejs

@@ -4,17 +4,20 @@ set -e
 # ── Secret detection ──────────────────────────────────────────────
 STAGED_DIFF="$(git diff --cached --diff-filter=ACMR)"
 
-if echo "$STAGED_DIFF" | grep -qE '(AKIA|ASIA)[A-Z0-9]{16}'; then
-  echo "ERROR: Possible AWS access key detected in staged changes."
+AKIA_HITS="$(echo "$STAGED_DIFF" | grep -E '(AKIA|ASIA)[A-Z0-9]{16}' | grep -vE '(pragma: allowlist secret|gitleaks:allow)' || true)"
+if [ -n "$AKIA_HITS" ]; then
+  echo "ERROR: Possible AWS access key detected in staged changes:"
+  echo "$AKIA_HITS" | head -5
+  echo "Add 'pragma: allowlist secret' on the line to whitelist if intentional."
   exit 1
 fi
 
 if echo "$STAGED_DIFF" | grep -qE '(password|secret|token)\s*[:=]\s*["\x27][^"'\'']{8,}' 2>/dev/null; then
-  REAL_SECRETS="$(echo "$STAGED_DIFF" | grep -E '(password|secret|token)\s*[:=]\s*["\x27][^"'\'']{8,}' | grep -vE '(test-secret|dev-secret|example|placeholder|your-|changeme|CHANGE_ME)' || true)"
+  REAL_SECRETS="$(echo "$STAGED_DIFF" | grep -E '(password|secret|token)\s*[:=]\s*["\x27][^"'\'']{8,}' | grep -vE '(test-secret|dev-secret|example|placeholder|your-|changeme|CHANGE_ME|pragma: allowlist secret|gitleaks:allow)' || true)"
   if [ -n "$REAL_SECRETS" ]; then
     echo "WARNING: Possible secret detected in staged changes:"
     echo "$REAL_SECRETS" | head -5
-    echo "If intentional, commit with: git commit --no-verify"
+    echo "Add 'pragma: allowlist secret' on the line to whitelist, or commit with --no-verify if intentional."
     exit 1
   fi
 fi
@@ -36,12 +39,33 @@ if [ -n "$<%= inst.upper %>_PY" ]; then
   echo "$<%= inst.upper %>_PY" | sed 's|^<%= inst.path %>/||' | xargs uv run ruff format
   echo "$<%= inst.upper %>_PY" | sed 's|^<%= inst.path %>/||' | xargs uv run ruff check --fix
   uv run mypy
+  if grep -rEn 'from src\.[a-z_]+(\.[a-z_]+)?\._[a-z_]+ import' src/; then
+    echo "ERROR: src/ files cannot import from another module's _-prefixed file. Import from the package."
+    exit 1
+  fi
+  uv run lint-imports
   cd ..
   echo "$<%= inst.upper %>_PY" | xargs git add
 fi
 <% } %>
 <% for (const inst of fastifyInstances) { %>
 
+<%= inst.upper %>_TS=$(echo "$STAGED_FILES" | grep '^<%= inst.path %>/.*\.ts$' || true)
+<%= inst.upper %>_ALL=$(echo "$STAGED_FILES" | grep '^<%= inst.path %>/' || true)
+if [ -n "$<%= inst.upper %>_ALL" ]; then
+  echo "Formatting <%= inst.path %>..."
+  cd <%= inst.path %>
+  echo "$<%= inst.upper %>_ALL" | sed 's|^<%= inst.path %>/||' | xargs <%= pm.exec %> prettier --write --ignore-unknown
+  if [ -n "$<%= inst.upper %>_TS" ]; then
+    echo "$<%= inst.upper %>_TS" | sed 's|^<%= inst.path %>/||' | xargs <%= pm.exec %> eslint --fix
+    <%= pm.exec %> tsc --noEmit
+  fi
+  cd ..
+  echo "$<%= inst.upper %>_ALL" | xargs git add
+fi
+<% } %>
+<% for (const inst of expressInstances) { %>
+
 <%= inst.upper %>_TS=$(echo "$STAGED_FILES" | grep '^<%= inst.path %>/.*\.ts$' || true)
 <%= inst.upper %>_ALL=$(echo "$STAGED_FILES" | grep '^<%= inst.path %>/' || true)
 if [ -n "$<%= inst.upper %>_ALL" ]; then