create-projx 1.7.1 → 1.7.3

package/dist/{baseline-FKCXQFRD.js → baseline-HNSDAHQ4.js}

@@ -8,8 +8,8 @@ import {
   matchesSkip,
   saveBaselineRef,
   writeTemplateToDir
-} from "./chunk-N4WD4VN3.js";
-import "./chunk-OLPF7FAN.js";
+} from "./chunk-RA6FWWUM.js";
+import "./chunk-3NL6OTAP.js";
 export {
   BASELINE_REF,
   applyTemplate,

package/dist/{chunk-OLPF7FAN.js → chunk-3NL6OTAP.js}

@@ -223,6 +223,8 @@ async function copyStaticFiles(repoDir, dest) {
   }
   const staticScripts = [
     "ci-local.sh",
+    "ci-runner-gc.sh",
+    "check-bundle-size.sh",
     "setup-docker.sh",
     "setup-ssl.sh",
     "style-check.py"
@@ -343,6 +345,8 @@ var DEFAULT_ROOT_SKIP_PATTERNS = [
   ".githooks/pre-commit",
   ".github/workflows/ci.yml",
   "scripts/ci-local.sh",
+  "scripts/ci-runner-gc.sh",
+  "scripts/check-bundle-size.sh",
   "scripts/setup.sh",
   "scripts/setup-docker.sh",
   "scripts/setup-ssl.sh"
@@ -394,10 +398,15 @@ function render(template, vars) {
 function evalExpr(expr, vars) {
   const components = vars.components;
   const projectName = vars.projectName;
-  const pmName = vars.pm?.name ?? "npm";
+  if (vars.pm !== void 0 && typeof vars.pm !== "object") {
+    throw new Error(
+      `render: vars.pm must be a PmCommands object (got ${typeof vars.pm}). Templates use pm.exec, pm.name etc.; passing the package-manager name as a bare string silently breaks those references.`
+    );
+  }
+  const pm = typeof vars.pm === "object" && vars.pm !== null ? vars.pm : { name: "npm" };
   const orm = vars.orm ?? "prisma";
   const argNames = ["components", "projectName", "pm", "orm"];
-  const argValues = [components, projectName, pmName, orm];
+  const argValues = [components, projectName, pm, orm];
   for (const [k, v] of Object.entries(vars)) {
     if (["components", "projectName", "pm", "orm"].includes(k)) continue;
     if (!/^[a-zA-Z_$][\w$]*$/.test(k)) continue;

package/dist/{chunk-N4WD4VN3.js → chunk-RA6FWWUM.js}

@@ -13,7 +13,7 @@ import {
   toSnake,
   upsertComponentMarker,
   writeProjxConfig
-} from "./chunk-OLPF7FAN.js";
+} from "./chunk-3NL6OTAP.js";
 
 // src/baseline.ts
 import { existsSync, writeFileSync, unlinkSync } from "fs";
@@ -126,7 +126,7 @@ function generateVscodeSettings(vars) {
 // src/baseline.ts
 var BASELINE_REF = "refs/projx/baseline";
 async function migrateComponentMarkers(cwd, components, componentPaths, applyDefaults) {
-  const { readComponentMarker: readComponentMarker2, writeComponentMarker } = await import("./utils-4G3HNHES.js");
+  const { readComponentMarker: readComponentMarker2, writeComponentMarker } = await import("./utils-W4CWICA7.js");
   for (const component of components) {
     const dir = componentPaths[component];
     const markerDir = join2(cwd, dir);
@@ -658,25 +658,35 @@ async function substituteNamesForInstance(inst, dest, name, nameSnake, overrides
   const isCanonical = path === type;
   if (type === "fastapi") {
     const target = isCanonical ? overrides?.fastapi ?? `${name}-fastapi` : `${name}-${path}`;
-    await replaceInFile(
-      join2(dest, `${path}/pyproject.toml`),
-      "projx-fastapi",
-      target
-    );
+    for (const file of [
+      "pyproject.toml",
+      "src/configs/_database.py",
+      "tests/test_app.py"
+    ]) {
+      await replaceInFile(
+        join2(dest, `${path}/${file}`),
+        "projx-fastapi",
+        target
+      );
+    }
   } else if (type === "fastify") {
     const target = isCanonical ? overrides?.fastify ?? `${name}-fastify` : `${name}-${path}`;
-    await replaceInFile(
-      join2(dest, `${path}/package.json`),
-      "projx-fastify",
-      target
-    );
+    for (const file of ["package.json", ".env.example", ".env.test"]) {
+      await replaceInFile(
+        join2(dest, `${path}/${file}`),
+        "projx-fastify",
+        target
+      );
+    }
   } else if (type === "express") {
     const target = isCanonical ? overrides?.express ?? `${name}-express` : `${name}-${path}`;
-    await replaceInFile(
-      join2(dest, `${path}/package.json`),
-      "projx-express",
-      target
-    );
+    for (const file of ["package.json", ".env.example", ".env.test"]) {
+      await replaceInFile(
+        join2(dest, `${path}/${file}`),
+        "projx-express",
+        target
+      );
+    }
   } else if (type === "frontend") {
     const target = isCanonical ? overrides?.frontend ?? `${name}-frontend` : `${name}-${path}`;
     await replaceInFile(

package/dist/index.js

@@ -9,7 +9,7 @@ import {
   matchesSkip,
   saveBaselineRef,
   writeTemplateToDir
-} from "./chunk-N4WD4VN3.js";
+} from "./chunk-RA6FWWUM.js";
 import {
   COMPONENTS,
   COMPONENT_MARKER,
@@ -36,7 +36,7 @@ import {
   toSnake,
   writeComponentMarker,
   writeProjxConfig
-} from "./chunk-OLPF7FAN.js";
+} from "./chunk-3NL6OTAP.js";
 
 // src/index.ts
 import { existsSync as existsSync11 } from "fs";
@@ -851,7 +851,7 @@ function hasUncommittedChanges(cwd) {
 async function findPinnedFilesWithUpdates(cwd, repoDir, components, componentPaths, vars, version, componentSkips, rootSkip) {
   const { mkdtemp: mkdtemp2, rm: rm2, readFile: readFile8 } = await import("fs/promises");
   const { tmpdir: tmpdir2 } = await import("os");
-  const { writeTemplateToDir: writeTemplateToDir2 } = await import("./baseline-FKCXQFRD.js");
+  const { writeTemplateToDir: writeTemplateToDir2 } = await import("./baseline-HNSDAHQ4.js");
   const config = await readProjxConfig(cwd);
   const rootPinned = Array.isArray(config.skip) ? config.skip : [];
   const componentPinned = [];

package/dist/{utils-4G3HNHES.js → utils-W4CWICA7.js}

@@ -35,7 +35,7 @@ import {
   upsertComponentMarker,
   writeComponentMarker,
   writeProjxConfig
-} from "./chunk-OLPF7FAN.js";
+} from "./chunk-3NL6OTAP.js";
 export {
   COMPONENTS,
   COMPONENT_MARKER,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-projx",
-  "version": "1.7.1",
+  "version": "1.7.3",
   "description": "Scaffold production-grade fullstack projects in seconds. FastAPI, Fastify, Express, React, Flutter, Terraform — with auth, database, CI/CD, E2E tests, and Docker. One command, ready to deploy.",
   "type": "module",
   "bin": {

package/src/templates/ci.yml.ejs

@@ -11,6 +11,9 @@ permissions:
   contents: read
   pull-requests: read
 
+env:
+  WS: run-${{ github.run_id }}-${{ github.run_attempt }}
+
 jobs:
   changes:
     name: Detect changes
@@ -39,9 +42,12 @@ jobs:
 <% } %>
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          path: ${{ env.WS }}
       - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3
         id: filter
         with:
+          working-directory: ${{ env.WS }}
           filters: |
 <% for (const inst of fastapiInstances) { %>
             <%= inst.path %>:
@@ -79,10 +85,15 @@ jobs:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - run: python3 scripts/style-check.py frontend/src
+          path: ${{ env.WS }}
+      - name: Install gitleaks
+        run: |
+          curl -sSL -o /tmp/gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz
+          tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
+          sudo mv /tmp/gitleaks /usr/local/bin/gitleaks
+      - name: Run gitleaks
+        run: gitleaks detect --source ${{ env.WS }} --no-git --no-banner --redact --exit-code 1
+      - run: python3 ${{ env.WS }}/scripts/style-check.py ${{ env.WS }}/frontend/src
 <% for (const inst of fastapiInstances) { %>
 
   <%= inst.path %>:
@@ -106,7 +117,7 @@ jobs:
           --health-retries 5
     defaults:
       run:
-        working-directory: <%= inst.path %>
+        working-directory: ${{ env.WS }}/<%= inst.path %>
     env:
       SQLALCHEMY_DATABASE_URI: postgresql+asyncpg://postgres:postgres@localhost:5432/ci_test
       JWT_PROVIDER: shared_secret
@@ -114,6 +125,8 @@ jobs:
       JWT_ALGORITHMS: HS256
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          path: ${{ env.WS }}
       - uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4
       - run: uv sync --group dev
       - run: uv run ruff format --check src tests
@@ -123,7 +136,7 @@ jobs:
         run: |
           run_pip_audit() {
             for attempt in 1 2 3; do
-              if uv run pip-audit --ignore-vuln CVE-2026-3219; then
+              if bash audit.sh; then
                 return 0
               fi
               if [ "$attempt" -eq 3 ]; then
@@ -157,26 +170,28 @@ jobs:
           --health-retries 5
     defaults:
       run:
-        working-directory: <%= inst.path %>
+        working-directory: ${{ env.WS }}/<%= inst.path %>
     env:
       DATABASE_URL: postgresql://postgres:postgres@localhost:5432/ci_test
       JWT_SECRET: ci-test-secret # gitleaks:allow
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-<% if (pm === 'pnpm') { %>
+        with:
+          path: ${{ env.WS }}
+<% if (pm.name === 'pnpm') { %>
       - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
         with:
           version: 10
 <% } %>
-<% if (pm === 'bun') { %>
+<% if (pm.name === 'bun') { %>
       - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 <% } %>
-<% if (pm !== 'bun') { %>
+<% if (pm.name !== 'bun') { %>
       - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
           node-version: 22
           cache: <%= pm.name %>
-          cache-dependency-path: <%= inst.path %>/<%= pm.lockfile %>
+          cache-dependency-path: ${{ env.WS }}/<%= inst.path %>/<%= pm.lockfile %>
 <% } %>
       - run: <%= pm.ci %>
 <% if (orm === 'drizzle') { %>
@@ -196,7 +211,7 @@ jobs:
 <% for (const inst of expressInstances) { %>
 
   <%= inst.path %>:
-    name: <%= inst.display %> (format + lint + typecheck + build + test + audit)
+    name: <%= inst.display %> (format + lint + typecheck + build + audit)
     needs: changes
     if: github.event_name == 'workflow_dispatch' || needs.changes.outputs.<%= inst.path %> == 'true'
     runs-on: ubuntu-latest
@@ -216,25 +231,27 @@ jobs:
           --health-retries 5
     defaults:
       run:
-        working-directory: <%= inst.path %>
+        working-directory: ${{ env.WS }}/<%= inst.path %>
     env:
       DATABASE_URL: postgresql://postgres:postgres@localhost:5432/ci_test
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-<% if (pm === 'pnpm') { %>
+        with:
+          path: ${{ env.WS }}
+<% if (pm.name === 'pnpm') { %>
       - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
         with:
           version: 10
 <% } %>
-<% if (pm === 'bun') { %>
+<% if (pm.name === 'bun') { %>
       - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 <% } %>
-<% if (pm !== 'bun') { %>
+<% if (pm.name !== 'bun') { %>
       - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
           node-version: 22
           cache: <%= pm.name %>
-          cache-dependency-path: <%= inst.path %>/<%= pm.lockfile %>
+          cache-dependency-path: ${{ env.WS }}/<%= inst.path %>/<%= pm.lockfile %>
 <% } %>
       - run: <%= pm.ci %>
 <% if (orm === 'drizzle') { %>
@@ -249,7 +266,6 @@ jobs:
       - run: <%= pm.exec %> eslint .
       - run: <%= pm.exec %> tsc --noEmit
       - run: <%= pm.run %> build
-      - run: <%= pm.exec %> vitest run --coverage.enabled=false
       - run: <%= pm.audit %>
 <% } %>
 <% for (const inst of frontendInstances) { %>
@@ -261,23 +277,25 @@ jobs:
     runs-on: ubuntu-latest
     defaults:
       run:
-        working-directory: <%= inst.path %>
+        working-directory: ${{ env.WS }}/<%= inst.path %>
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-<% if (pm === 'pnpm') { %>
+        with:
+          path: ${{ env.WS }}
+<% if (pm.name === 'pnpm') { %>
       - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
         with:
           version: 10
 <% } %>
-<% if (pm === 'bun') { %>
+<% if (pm.name === 'bun') { %>
       - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 <% } %>
-<% if (pm !== 'bun') { %>
+<% if (pm.name !== 'bun') { %>
       - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
           node-version: 22
           cache: <%= pm.name %>
-          cache-dependency-path: <%= inst.path %>/<%= pm.lockfile %>
+          cache-dependency-path: ${{ env.WS }}/<%= inst.path %>/<%= pm.lockfile %>
 <% } %>
       - run: <%= pm.ci %>
       - run: <%= pm.exec %> prettier --check .
@@ -296,9 +314,11 @@ jobs:
     runs-on: ubuntu-latest
     defaults:
       run:
-        working-directory: <%= inst.path %>
+        working-directory: ${{ env.WS }}/<%= inst.path %>
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          path: ${{ env.WS }}
       - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2
         with:
           channel: stable
@@ -318,23 +338,25 @@ jobs:
     runs-on: ubuntu-latest
     defaults:
       run:
-        working-directory: <%= inst.path %>
+        working-directory: ${{ env.WS }}/<%= inst.path %>
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-<% if (pm === 'pnpm') { %>
+        with:
+          path: ${{ env.WS }}
+<% if (pm.name === 'pnpm') { %>
       - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
         with:
           version: 10
 <% } %>
-<% if (pm === 'bun') { %>
+<% if (pm.name === 'bun') { %>
       - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 <% } %>
-<% if (pm !== 'bun') { %>
+<% if (pm.name !== 'bun') { %>
       - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
           node-version: 22
           cache: <%= pm.name %>
-          cache-dependency-path: <%= inst.path %>/<%= pm.lockfile %>
+          cache-dependency-path: ${{ env.WS }}/<%= inst.path %>/<%= pm.lockfile %>
 <% } %>
       - run: <%= pm.ci %>
       - run: <%= pm.exec %> prettier --check .
@@ -351,9 +373,11 @@ jobs:
     runs-on: ubuntu-latest
     defaults:
       run:
-        working-directory: <%= inst.path %>/stack
+        working-directory: ${{ env.WS }}/<%= inst.path %>/stack
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          path: ${{ env.WS }}
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
         with:
           terraform_version: '1.11'

package/src/templates/pre-commit.ejs

@@ -39,8 +39,8 @@ if [ -n "$<%= inst.upper %>_PY" ]; then
   echo "$<%= inst.upper %>_PY" | sed 's|^<%= inst.path %>/||' | xargs uv run ruff format
   echo "$<%= inst.upper %>_PY" | sed 's|^<%= inst.path %>/||' | xargs uv run ruff check --fix
   uv run mypy
-  if grep -rEn 'from src\.[a-z_]+(\.[a-z_]+)?\._[a-z_]+ import' src/; then
-    echo "ERROR: src/ files cannot import from another module's _-prefixed file. Import from the package."
+  if grep -rEn 'from src\.[a-z_]+(\.[a-z_]+)?\._[a-z_]+ import' src/ | grep -v 'pragma:.*allow-private-import'; then
+    echo "ERROR: src/ files cannot import from another module's _-prefixed file. Import from the package, or add '# pragma: allow-private-import' on the line if the cycle makes a package import impossible."
     exit 1
   fi
   uv run lint-imports
@@ -135,9 +135,21 @@ fi
 <%= inst.upper %>_TF=$(echo "$STAGED_FILES" | grep '^<%= inst.path %>/.*\.tf$' || true)
 if [ -n "$<%= inst.upper %>_TF" ]; then
   if command -v terraform &> /dev/null; then
-    echo "Formatting <%= inst.path %>..."
+    echo "Checking <%= inst.path %>..."
     cd <%= inst.path %>/stack
     echo "$<%= inst.upper %>_TF" | sed 's|^<%= inst.path %>/stack/||' | xargs terraform fmt
+    [ -d .terraform ] || terraform init -backend=false -input=false >/dev/null
+    terraform validate
+    if command -v tflint &> /dev/null; then
+      tflint --recursive
+    else
+      echo "Skipping tflint (not installed)"
+    fi
+    if command -v trivy &> /dev/null; then
+      trivy config --exit-code 1 --severity HIGH,CRITICAL .
+    else
+      echo "Skipping trivy config scan (not installed)"
+    fi
     cd ../..
     echo "$<%= inst.upper %>_TF" | xargs git add
   else