create-projx 1.7.2 → 1.7.4

package/README.md

@@ -4,6 +4,7 @@
 [![CI](https://github.com/ukanhaupa/projx/actions/workflows/ci.yml/badge.svg)](https://github.com/ukanhaupa/projx/actions/workflows/ci.yml)
 [![GitHub stars](https://img.shields.io/github/stars/ukanhaupa/projx)](https://github.com/ukanhaupa/projx)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+[![Sponsor](https://img.shields.io/github/sponsors/ukanhaupa?label=Sponsor&logo=GitHub)](https://github.com/sponsors/ukanhaupa)
 
 **Go from blank folder to production-ready project in 30 seconds.** Backend-only API, AI/ML app, mobile, full-stack, infra setup — pick what you need and get it wired with auth, database, Docker, CI/CD, hooks, and tests. All optional. All yours.
 
@@ -85,20 +86,76 @@ If this saves you even one hour, it's already paid for itself. (It's free.)
 
 ## What you get
 
-| Component  | Stack                                                         | What it gives you                                                          |
-| ---------- | ------------------------------------------------------------- | -------------------------------------------------------------------------- |
-| `fastapi`  | Python, SQLAlchemy, Alembic                                   | Auto-entity CRUD, JWT auth, migrations, OpenAPI docs                       |
-| `fastify`  | Node.js, Prisma / Drizzle / Sequelize / TypeORM, TypeBox      | Auto-entity CRUD, JWT auth, typed schemas, OpenAPI docs                    |
-| `express`  | Express 5, TypeScript, Prisma / Drizzle / Sequelize / TypeORM | Auto-entity CRUD, JWT auth, validation, security middleware, health checks |
-| `frontend` | React 19, TypeScript, Vite                                    | Auth, theming, design tokens, light/dark mode                              |
-| `mobile`   | Flutter, Riverpod, GoRouter                                   | Auth, biometric, theming, GoRouter shell                                   |
-| `e2e`      | Playwright                                                    | Page object model, auth fixtures, accessibility scans                      |
-| `infra`    | Terraform, AWS                                                | EKS, RDS, VPC, ALB, CodePipeline, multi-environment                        |
+| Component     | Stack                                                         | What it gives you                                                          |
+| ------------- | ------------------------------------------------------------- | -------------------------------------------------------------------------- |
+| `fastapi`     | Python, SQLAlchemy, Alembic                                   | Auto-entity CRUD, JWT auth, migrations, OpenAPI docs                       |
+| `fastify`     | Node.js, Prisma / Drizzle / Sequelize / TypeORM, TypeBox      | Auto-entity CRUD, JWT auth, typed schemas, OpenAPI docs                    |
+| `express`     | Express 5, TypeScript, Prisma / Drizzle / Sequelize / TypeORM | Auto-entity CRUD, JWT auth, validation, security middleware, health checks |
+| `frontend`    | React 19, TypeScript, Vite                                    | Auth, theming, design tokens, light/dark mode                              |
+| `mobile`      | Flutter, Riverpod, GoRouter                                   | Auth, biometric, theming, GoRouter shell                                   |
+| `e2e`         | Playwright                                                    | Page object model, auth fixtures, accessibility scans                      |
+| `infra`       | Terraform, AWS                                                | EKS, RDS, VPC, ALB, CodePipeline, multi-environment                        |
+| `admin-panel` | Directus (Docker), Postgres                                   | Instant admin UI + REST/GraphQL over your DB, internal-only behind nginx   |
 
 Plus, in every project: Docker Compose for dev + prod, GitHub Actions CI per component (path-filtered), pre-commit hooks, secret detection, VS Code settings, and 80% test coverage enforced.
 
 All optional. Pick any combination.
 
+## Optional features
+
+Components are the floor. Features are the opt-in modules that ride on top — same standard, same CI, same skip-list discipline. Today there's one, and it's the one everyone rewrites: **auth**.
+
+```bash
+# Fastify + Prisma (default ORM)
+npx create-projx my-app --components fastify --auth fastify
+
+# Express + Drizzle
+npx create-projx my-app --components express --orm drizzle --auth express
+
+# FastAPI + SQLAlchemy
+npx create-projx my-app --components fastapi --auth fastapi
+
+# Multiple backends, one flag — comma-separable targets
+npx create-projx my-app --components fastify,express --auth fastify,express
+
+# Add auth to an existing project
+npx create-projx add frontend --auth fastify
+```
+
+`update` re-applies any feature recorded on a component, so template upgrades never strip your auth wiring.
+
+### What `--auth` ships
+
+- Email + password signup — first user auto-promoted to admin
+- Login with JWT access token and refresh-token rotation, with replay detection
+- Account lockout after 5 failed logins (15-minute cooldown)
+- MFA via TOTP authenticator app — enroll via otpauth URL (client renders the QR), verify on challenge
+- MFA recovery codes — generate, single-use consume, regenerate
+- MFA lockout on repeated bad codes with time-based unlock
+- Password reset via emailed single-use token (30-minute TTL)
+- Email verification with resend endpoint (24-hour TTL token)
+- Authenticated password change — revokes all other sessions
+- Active session listing
+- Current-user lookup via `/me`
+- Role-based permissions baked into the JWT payload
+- SMTP mailer for verification and reset emails — falls back to logging the link when SMTP is unset
+- Cron-driven cleanup of expired tokens (toggle via `AUTH_BACKGROUND_JOBS`)
+- Centralized error responses with `request_id` propagation
+
+Sixteen endpoints across signup, login, MFA challenge/enroll/disable, recovery-code regen, refresh, logout, change-password, sessions, forgot/reset password, verify/resend email, me. Same surface on every backend — mounted at `/auth/*` on fastify and express, `/api/v1/auth/*` on fastapi.
+
+### Backend × ORM compatibility
+
+| Backend   | Prisma | Drizzle | Sequelize | TypeORM | SQLAlchemy |
+| --------- | ------ | ------- | --------- | ------- | ---------- |
+| `fastify` | yes    | yes     | yes       | yes     | —          |
+| `express` | yes    | yes     | yes       | yes     | —          |
+| `fastapi` | —      | —       | —         | —       | yes        |
+
+Nine combinations, one external contract. ORM-specific bits live under [features/auth/](features/auth/) (per-stack, per-ORM subdirectories); the shared surface per stack lives under each stack's `common/` subdirectory. Env vars the feature reads: `JWT_SECRET`, `FRONTEND_URL`, `AUTH_BACKGROUND_JOBS` (all backends); `JWT_ALGORITHMS`, `MFA_ISSUER`, `AUTH_CLEANUP_INTERVAL_SECONDS` (fastapi).
+
+Full feature-template spec — manifests, patches, anchors, idempotency — in [docs/feature-templates.md](docs/feature-templates.md).
+
 ## Built for humans and AI agents
 
 Projx is a shared operating system for teams that ship with both:
@@ -462,6 +519,12 @@ Add this to your project's README:
 
 ---
 
+## Sponsor
+
+Projx is free and MIT-licensed. If it saves you time, consider [sponsoring its development](https://github.com/sponsors/ukanhaupa) — it keeps the templates current and the roadmap moving.
+
+---
+
 ## License
 
 MIT

package/dist/{baseline-ZPPJKHBN.js → baseline-O25CAKIL.js}

@@ -8,8 +8,8 @@ import {
   matchesSkip,
   saveBaselineRef,
   writeTemplateToDir
-} from "./chunk-XAYCVTHL.js";
-import "./chunk-FQPOK3QZ.js";
+} from "./chunk-RFHLWYJ4.js";
+import "./chunk-B7PW6QO7.js";
 export {
   BASELINE_REF,
   applyTemplate,

package/dist/{chunk-FQPOK3QZ.js → chunk-B7PW6QO7.js}

@@ -23,7 +23,8 @@ var COMPONENTS = [
   "frontend",
   "mobile",
   "e2e",
-  "infra"
+  "infra",
+  "admin-panel"
 ];
 var PACKAGE_MANAGERS = ["npm", "pnpm", "yarn", "bun"];
 var ORM_PROVIDERS = [
@@ -223,6 +224,7 @@ async function copyStaticFiles(repoDir, dest) {
   }
   const staticScripts = [
     "ci-local.sh",
+    "ci-runner-gc.sh",
     "check-bundle-size.sh",
     "setup-docker.sh",
     "setup-ssl.sh",
@@ -295,7 +297,10 @@ function parseMarker(raw) {
     if (!component) return null;
     return {
       component,
-      skip: Array.isArray(data.skip) ? data.skip : []
+      skip: Array.isArray(data.skip) ? data.skip : [],
+      features: Array.isArray(data.features) ? data.features.filter(
+        (f) => typeof f === "string"
+      ) : void 0
     };
   } catch {
     return null;
@@ -308,9 +313,25 @@ async function readComponentMarker(dir) {
 }
 async function writeComponentMarker(dir, data) {
   const markerPath = join(dir, COMPONENT_MARKER);
+  const existing = await readFileOrNull(markerPath);
+  let preservedFeatures;
+  if (existing) {
+    try {
+      const prev = JSON.parse(existing);
+      if (Array.isArray(prev.features)) {
+        preservedFeatures = prev.features.filter(
+          (f) => typeof f === "string"
+        );
+      }
+    } catch {
+      preservedFeatures = void 0;
+    }
+  }
+  const features = data.features ?? preservedFeatures;
   const out = {
     component: data.component,
-    skip: Array.isArray(data.skip) ? data.skip : []
+    skip: Array.isArray(data.skip) ? data.skip : [],
+    ...features && features.length > 0 ? { features } : {}
   };
   await writeFile(markerPath, JSON.stringify(out, null, 2) + "\n");
 }
@@ -344,6 +365,7 @@ var DEFAULT_ROOT_SKIP_PATTERNS = [
   ".githooks/pre-commit",
   ".github/workflows/ci.yml",
   "scripts/ci-local.sh",
+  "scripts/ci-runner-gc.sh",
   "scripts/check-bundle-size.sh",
   "scripts/setup.sh",
   "scripts/setup-docker.sh",

package/dist/{chunk-XAYCVTHL.js → chunk-RFHLWYJ4.js}

@@ -13,7 +13,7 @@ import {
   toSnake,
   upsertComponentMarker,
   writeProjxConfig
-} from "./chunk-FQPOK3QZ.js";
+} from "./chunk-B7PW6QO7.js";
 
 // src/baseline.ts
 import { existsSync, writeFileSync, unlinkSync } from "fs";
@@ -44,7 +44,8 @@ var CANONICAL_DISPLAY = {
   frontend: "Frontend",
   mobile: "Flutter",
   e2e: "E2E",
-  infra: "Terraform"
+  infra: "Terraform",
+  "admin-panel": "Admin Panel"
 };
 function withInstances(vars) {
   const base = vars.instances && vars.instances.length > 0 ? vars.instances : vars.components.map((type) => ({
@@ -66,7 +67,8 @@ function withInstances(vars) {
     frontendInstances: byType("frontend"),
     mobileInstances: byType("mobile"),
     e2eInstances: byType("e2e"),
-    infraInstances: byType("infra")
+    infraInstances: byType("infra"),
+    adminPanelInstances: byType("admin-panel")
   };
 }
 async function renderShared(filename, vars) {
@@ -126,7 +128,7 @@ function generateVscodeSettings(vars) {
 // src/baseline.ts
 var BASELINE_REF = "refs/projx/baseline";
 async function migrateComponentMarkers(cwd, components, componentPaths, applyDefaults) {
-  const { readComponentMarker: readComponentMarker2, writeComponentMarker } = await import("./utils-MC7VKL2U.js");
+  const { readComponentMarker: readComponentMarker2, writeComponentMarker } = await import("./utils-X2P47QNN.js");
   for (const component of components) {
     const dir = componentPaths[component];
     const markerDir = join2(cwd, dir);
@@ -423,7 +425,7 @@ async function writeTemplateToDir(dest, repoDir, components, componentPaths, var
     if (!matchesSkip(file, effectiveSkip)) return true;
     return !existsSync(join2(realCwd, file));
   };
-  if (hasBackend || components.includes("frontend")) {
+  if (hasBackend || components.includes("frontend") || components.includes("admin-panel")) {
     if (shouldWrite("docker-compose.yml"))
       await writeFile(
         join2(dest, "docker-compose.yml"),
@@ -658,25 +660,35 @@ async function substituteNamesForInstance(inst, dest, name, nameSnake, overrides
   const isCanonical = path === type;
   if (type === "fastapi") {
     const target = isCanonical ? overrides?.fastapi ?? `${name}-fastapi` : `${name}-${path}`;
-    await replaceInFile(
-      join2(dest, `${path}/pyproject.toml`),
-      "projx-fastapi",
-      target
-    );
+    for (const file of [
+      "pyproject.toml",
+      "src/configs/_database.py",
+      "tests/test_app.py"
+    ]) {
+      await replaceInFile(
+        join2(dest, `${path}/${file}`),
+        "projx-fastapi",
+        target
+      );
+    }
   } else if (type === "fastify") {
     const target = isCanonical ? overrides?.fastify ?? `${name}-fastify` : `${name}-${path}`;
-    await replaceInFile(
-      join2(dest, `${path}/package.json`),
-      "projx-fastify",
-      target
-    );
+    for (const file of ["package.json", ".env.example", ".env.test"]) {
+      await replaceInFile(
+        join2(dest, `${path}/${file}`),
+        "projx-fastify",
+        target
+      );
+    }
   } else if (type === "express") {
     const target = isCanonical ? overrides?.express ?? `${name}-express` : `${name}-${path}`;
-    await replaceInFile(
-      join2(dest, `${path}/package.json`),
-      "projx-express",
-      target
-    );
+    for (const file of ["package.json", ".env.example", ".env.test"]) {
+      await replaceInFile(
+        join2(dest, `${path}/${file}`),
+        "projx-express",
+        target
+      );
+    }
   } else if (type === "frontend") {
     const target = isCanonical ? overrides?.frontend ?? `${name}-frontend` : `${name}-${path}`;
     await replaceInFile(

package/dist/index.js

@@ -9,7 +9,7 @@ import {
   matchesSkip,
   saveBaselineRef,
   writeTemplateToDir
-} from "./chunk-XAYCVTHL.js";
+} from "./chunk-RFHLWYJ4.js";
 import {
   COMPONENTS,
   COMPONENT_MARKER,
@@ -36,11 +36,12 @@ import {
   toSnake,
   writeComponentMarker,
   writeProjxConfig
-} from "./chunk-FQPOK3QZ.js";
+} from "./chunk-B7PW6QO7.js";
 
 // src/index.ts
 import { existsSync as existsSync11 } from "fs";
 import { resolve } from "path";
+import { pathToFileURL } from "url";
 
 // src/features.ts
 import { existsSync } from "fs";
@@ -186,16 +187,16 @@ async function readManifest(featureDir, feature) {
   }
   return manifest;
 }
-async function applyTarget(args2) {
-  const stackDir = join(args2.featureDir, args2.target.component);
+async function applyTarget(args) {
+  const stackDir = join(args.featureDir, args.target.component);
   if (!existsSync(stackDir)) return;
-  const targetPath = join(args2.dest, args2.target.path);
+  const targetPath = join(args.dest, args.target.path);
   if (!existsSync(targetPath)) {
     throw new Error(
-      `Target instance path ${args2.target.path} not found in ${args2.dest}.`
+      `Target instance path ${args.target.path} not found in ${args.dest}.`
     );
   }
-  const orm = typeof args2.vars.orm === "string" ? args2.vars.orm : void 0;
+  const orm = typeof args.vars.orm === "string" ? args.vars.orm : void 0;
   const ormDir = orm ? join(stackDir, orm) : void 0;
   const hasOrmDir = ormDir !== void 0 && existsSync(ormDir);
   const ormPatchNames = /* @__PURE__ */ new Set();
@@ -210,7 +211,7 @@ async function applyTarget(args2) {
   for (const sub of ["files", join("common", "files")]) {
     const filesDir = join(stackDir, sub);
     if (existsSync(filesDir)) {
-      await renderFilesInto(filesDir, targetPath, args2.vars);
+      await renderFilesInto(filesDir, targetPath, args.vars);
     }
   }
   for (const sub of ["patches", join("common", "patches")]) {
@@ -219,7 +220,7 @@ async function applyTarget(args2) {
       await applyPatches(
         patchesDir,
         targetPath,
-        args2.featureName,
+        args.featureName,
         ormPatchNames,
         hasOrmDir
       );
@@ -228,18 +229,18 @@ async function applyTarget(args2) {
   if (hasOrmDir) {
     const ormFilesDir = join(ormDir, "files");
     if (existsSync(ormFilesDir)) {
-      await renderFilesInto(ormFilesDir, targetPath, args2.vars);
+      await renderFilesInto(ormFilesDir, targetPath, args.vars);
     }
     const ormPatchesDir = join(ormDir, "patches");
     if (existsSync(ormPatchesDir)) {
-      await applyPatches(ormPatchesDir, targetPath, args2.featureName);
+      await applyPatches(ormPatchesDir, targetPath, args.featureName);
     }
   }
-  const envKeys = args2.manifest.env?.[args2.target.component] ?? [];
+  const envKeys = args.manifest.env?.[args.target.component] ?? [];
   if (envKeys.length > 0) {
-    await appendEnvExample(targetPath, args2.featureName, envKeys);
+    await appendEnvExample(targetPath, args.featureName, envKeys);
   }
-  await recordFeatureInMarker(targetPath, args2.featureName);
+  await recordFeatureInMarker(targetPath, args.featureName);
 }
 async function renderFilesInto(filesDir, targetPath, vars) {
   const entries = await collectFiles(filesDir);
@@ -382,7 +383,11 @@ var LABELS = {
   frontend: { label: "Frontend", hint: "React 19 + Vite + React Router" },
   mobile: { label: "Mobile", hint: "Flutter + Riverpod + GoRouter" },
   e2e: { label: "E2E Tests", hint: "Playwright" },
-  infra: { label: "Infrastructure", hint: "Terraform + AWS" }
+  infra: { label: "Infrastructure", hint: "Terraform + AWS" },
+  "admin-panel": {
+    label: "Admin Panel",
+    hint: "Directus \u2014 instant admin over Postgres (Docker)"
+  }
 };
 var DEFAULTS = ["fastify", "frontend", "e2e"];
 async function runPrompts(nameArg) {
@@ -607,6 +612,8 @@ async function installDeps(dest, components, pm) {
           break;
         case "infra":
           break;
+        case "admin-panel":
+          break;
       }
     } catch {
       spinner6.stop(`Failed to install ${component} dependencies.`);
@@ -632,6 +639,32 @@ import { readFile as readFile3, unlink } from "fs/promises";
 import { execSync } from "child_process";
 import { join as join3 } from "path";
 import * as p3 from "@clack/prompts";
+async function collectRecordedFeatures(cwd, components, componentPaths) {
+  const byFeature = /* @__PURE__ */ new Map();
+  for (const component of components) {
+    const dir = componentPaths[component] ?? component;
+    const raw = await readFile3(join3(cwd, dir, COMPONENT_MARKER), "utf-8").catch(
+      () => null
+    );
+    if (!raw) continue;
+    let features;
+    try {
+      features = JSON.parse(raw).features;
+    } catch {
+      continue;
+    }
+    if (!Array.isArray(features)) continue;
+    for (const name of features) {
+      if (typeof name !== "string") continue;
+      const list = byFeature.get(name) ?? [];
+      list.push(dir);
+      byFeature.set(name, list);
+    }
+  }
+  const out = {};
+  for (const [feature, targets] of byFeature) out[feature] = targets.join(",");
+  return out;
+}
 async function update(cwd, localRepo) {
   p3.intro("projx update");
   const isLocal = !!localRepo;
@@ -766,6 +799,24 @@ async function update(cwd, localRepo) {
       extraInstances
     );
     spinner6.stop("Template applied.");
+    const recordedFeatures = await collectRecordedFeatures(
+      cwd,
+      components,
+      componentPaths
+    );
+    if (Object.keys(recordedFeatures).length > 0) {
+      const featSpinner = p3.spinner();
+      featSpinner.start("Re-applying recorded features");
+      await applyFeatures({
+        features: recordedFeatures,
+        repoDir,
+        components,
+        instances,
+        dest: cwd,
+        vars
+      });
+      featSpinner.stop("Features re-applied.");
+    }
     const pinnedUpdates = await findPinnedFilesWithUpdates(
       cwd,
       repoDir,
@@ -851,7 +902,7 @@ function hasUncommittedChanges(cwd) {
 async function findPinnedFilesWithUpdates(cwd, repoDir, components, componentPaths, vars, version, componentSkips, rootSkip) {
   const { mkdtemp: mkdtemp2, rm: rm2, readFile: readFile8 } = await import("fs/promises");
   const { tmpdir: tmpdir2 } = await import("os");
-  const { writeTemplateToDir: writeTemplateToDir2 } = await import("./baseline-ZPPJKHBN.js");
+  const { writeTemplateToDir: writeTemplateToDir2 } = await import("./baseline-O25CAKIL.js");
   const config = await readProjxConfig(cwd);
   const rootPinned = Array.isArray(config.skip) ? config.skip : [];
   const componentPinned = [];
@@ -1036,7 +1087,7 @@ import { copyFileSync as copyFileSync2, existsSync as existsSync4 } from "fs";
 import { readFile as readFile4 } from "fs/promises";
 import { join as join4 } from "path";
 import * as p4 from "@clack/prompts";
-async function add(cwd, newComponents, localRepo, skipInstall = false, customName) {
+async function add(cwd, newComponents, localRepo, skipInstall = false, customName, features) {
   p4.intro("projx add");
   const isLocal = !!localRepo;
   if (!existsSync4(join4(cwd, ".projx"))) {
@@ -1124,6 +1175,19 @@ async function add(cwd, newComponents, localRepo, skipInstall = false, customNam
       { realCwd: cwd }
     );
     spinner6.stop("Components added.");
+    if (features && Object.keys(features).length > 0) {
+      const featSpinner = p4.spinner();
+      featSpinner.start("Applying features");
+      await applyFeatures({
+        features,
+        repoDir,
+        components: allComponents,
+        instances,
+        dest: cwd,
+        vars
+      });
+      featSpinner.stop("Features applied.");
+    }
     if (!skipInstall) {
       await installDeps2(
         cwd,
@@ -1322,6 +1386,8 @@ async function installDeps2(dest, instances, pm) {
           break;
         case "infra":
           break;
+        case "admin-panel":
+          break;
       }
     } catch {
       spinner6.stop(`Failed to install ${type} dependencies (${path}/).`);
@@ -1418,6 +1484,15 @@ async function scanDirectory(dir, relPath) {
       evidence: "Terraform .tf files found"
     });
   }
+  const dockerfile = await readFileOrNull(join5(dir, "Dockerfile"));
+  if (dockerfile && /^FROM\s+directus\/directus/m.test(dockerfile)) {
+    results.push({
+      component: "admin-panel",
+      directory: relPath,
+      confidence: "high",
+      evidence: "Dockerfile builds from directus/directus image"
+    });
+  }
   return results;
 }
 async function readPkg(dir) {
@@ -4086,7 +4161,6 @@ async function runGen(opts) {
 }
 
 // src/index.ts
-var args = process.argv.slice(2);
 function matchFeatureFlag(arg, argv, i) {
   for (const feat of KNOWN_FEATURES) {
     const eq = `--${feat}=`;
@@ -4109,7 +4183,8 @@ function matchFeatureFlag(arg, argv, i) {
   }
   return null;
 }
-function parseArgs() {
+function parseArgs(argv = process.argv.slice(2)) {
+  const args = argv;
   let command = "create";
   let name;
   let localRepo;
@@ -4249,7 +4324,7 @@ function printHelp() {
     projx gen entity <name>       Generate a new entity
 
   Options:
-    --components <list>  Comma-separated: fastapi,fastify,express,frontend,mobile,e2e,infra
+    --components <list>  Comma-separated: fastapi,fastify,express,frontend,mobile,e2e,infra,admin-panel
     --orm <provider>     Node backend ORM: prisma (default), drizzle, sequelize, typeorm
     --auth <targets>     Add auth feature. Targets: <component>[:<instance>] (comma-separated)
     --no-git             Skip git init
@@ -4263,6 +4338,7 @@ function printHelp() {
     npx create-projx my-app --components fastapi,frontend,e2e
     npx create-projx my-app --components express,frontend,e2e --orm drizzle
     npx create-projx my-app --components fastify,frontend,mobile --auth fastify
+    npx create-projx my-app --components fastify,frontend,admin-panel
     npx create-projx my-app -y
     npx create-projx add frontend mobile
     npx create-projx add fastify --name email-ingestor
@@ -4306,7 +4382,8 @@ async function main() {
       components,
       localRepo,
       options.install === false,
-      customName
+      customName,
+      options.features
     );
     return;
   }
@@ -4379,7 +4456,14 @@ async function main() {
   }
   await scaffold(opts, dest, localRepo);
 }
-main().catch((err) => {
-  console.error(err);
-  process.exit(1);
-});
+var isEntrypoint = process.argv[1] !== void 0 && import.meta.url === pathToFileURL(process.argv[1]).href;
+if (isEntrypoint) {
+  main().catch((err) => {
+    console.error(err);
+    process.exit(1);
+  });
+}
+export {
+  matchFeatureFlag,
+  parseArgs
+};

package/dist/{utils-MC7VKL2U.js → utils-X2P47QNN.js}

@@ -35,7 +35,7 @@ import {
   upsertComponentMarker,
   writeComponentMarker,
   writeProjxConfig
-} from "./chunk-FQPOK3QZ.js";
+} from "./chunk-B7PW6QO7.js";
 export {
   COMPONENTS,
   COMPONENT_MARKER,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-projx",
-  "version": "1.7.2",
+  "version": "1.7.4",
   "description": "Scaffold production-grade fullstack projects in seconds. FastAPI, Fastify, Express, React, Flutter, Terraform — with auth, database, CI/CD, E2E tests, and Docker. One command, ready to deploy.",
   "type": "module",
   "bin": {

package/src/templates/README.md.ejs

@@ -27,6 +27,9 @@ Scaffolded with [Projx](https://github.com/ukanhaupa/projx).
 <% if (components.includes('infra')) { %>
 | **<%= paths.infra %>/** | Terraform, AWS (EKS, RDS, VPC, CodePipeline) |
 <% } %>
+<% if (components.includes('admin-panel')) { %>
+| **<%= paths['admin-panel'] %>/** | Directus admin panel over Postgres |
+<% } %>
 | **Identity** | OIDC / JWT |
 | **Containers** | Docker, Docker Compose |
 
@@ -83,6 +86,20 @@ cd <%= paths.frontend %> && cp .env.example .env && <%= pm.install %> && <%= pm.
 cd <%= paths.mobile %> && cp .env.example .env && flutter pub get && flutter run
 ```
 <% } %>
+<% if (components.includes('admin-panel')) { %>
+
+### <%= paths['admin-panel'] %>/
+
+```bash
+cd <%= paths['admin-panel'] %> && cp .env.example .env   # set KEY, SECRET, ADMIN_PASSWORD, DB_*
+docker compose up --build <%= paths['admin-panel'] %>
+```
+<% if (components.includes('frontend')) { %>
+Internal-only — reach the admin UI at `https://localhost/admin/` through the frontend proxy.
+<% } else { %>
+Internal-only — publish the port for local admin work: `docker compose run --service-ports --rm <%= paths['admin-panel'] %>`.
+<% } %>
+<% } %>
 
 ## Testing
 

package/src/templates/ci.yml.ejs

@@ -11,6 +11,9 @@ permissions:
   contents: read
   pull-requests: read
 
+env:
+  WS: run-${{ github.run_id }}-${{ github.run_attempt }}
+
 jobs:
   changes:
     name: Detect changes
@@ -36,12 +39,18 @@ jobs:
 <% } %>
 <% for (const inst of infraInstances) { %>
       <%= inst.path %>: ${{ steps.filter.outputs.<%= inst.path %> }}
+<% } %>
+<% for (const inst of adminPanelInstances) { %>
+      <%= inst.path %>: ${{ steps.filter.outputs.<%= inst.path %> }}
 <% } %>
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          path: ${{ env.WS }}
       - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3
         id: filter
         with:
+          working-directory: ${{ env.WS }}
           filters: |
 <% for (const inst of fastapiInstances) { %>
             <%= inst.path %>:
@@ -71,6 +80,10 @@ jobs:
             <%= inst.path %>:
               - '<%= inst.path %>/**'
 <% } %>
+<% for (const inst of adminPanelInstances) { %>
+            <%= inst.path %>:
+              - '<%= inst.path %>/**'
+<% } %>
 
   secrets:
     name: Secret scan
@@ -79,10 +92,15 @@ jobs:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - run: python3 scripts/style-check.py frontend/src
+          path: ${{ env.WS }}
+      - name: Install gitleaks
+        run: |
+          curl -sSL -o /tmp/gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz
+          tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
+          sudo mv /tmp/gitleaks /usr/local/bin/gitleaks
+      - name: Run gitleaks
+        run: gitleaks detect --source ${{ env.WS }} --no-git --no-banner --redact --exit-code 1
+      - run: python3 ${{ env.WS }}/scripts/style-check.py ${{ env.WS }}/frontend/src
 <% for (const inst of fastapiInstances) { %>
 
   <%= inst.path %>:
@@ -106,7 +124,7 @@ jobs:
           --health-retries 5
     defaults:
       run:
-        working-directory: <%= inst.path %>
+        working-directory: ${{ env.WS }}/<%= inst.path %>
     env:
       SQLALCHEMY_DATABASE_URI: postgresql+asyncpg://postgres:postgres@localhost:5432/ci_test
       JWT_PROVIDER: shared_secret
@@ -114,6 +132,8 @@ jobs:
       JWT_ALGORITHMS: HS256
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          path: ${{ env.WS }}
       - uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4
       - run: uv sync --group dev
       - run: uv run ruff format --check src tests
@@ -123,7 +143,7 @@ jobs:
         run: |
           run_pip_audit() {
             for attempt in 1 2 3; do
-              if uv run pip-audit --ignore-vuln CVE-2026-3219 --ignore-vuln PYSEC-2025-183; then
+              if bash audit.sh; then
                 return 0
               fi
               if [ "$attempt" -eq 3 ]; then
@@ -157,12 +177,14 @@ jobs:
           --health-retries 5
     defaults:
       run:
-        working-directory: <%= inst.path %>
+        working-directory: ${{ env.WS }}/<%= inst.path %>
     env:
       DATABASE_URL: postgresql://postgres:postgres@localhost:5432/ci_test
       JWT_SECRET: ci-test-secret # gitleaks:allow
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          path: ${{ env.WS }}
 <% if (pm.name === 'pnpm') { %>
       - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
         with:
@@ -176,7 +198,7 @@ jobs:
         with:
           node-version: 22
           cache: <%= pm.name %>
-          cache-dependency-path: <%= inst.path %>/<%= pm.lockfile %>
+          cache-dependency-path: ${{ env.WS }}/<%= inst.path %>/<%= pm.lockfile %>
 <% } %>
       - run: <%= pm.ci %>
 <% if (orm === 'drizzle') { %>
@@ -216,11 +238,13 @@ jobs:
           --health-retries 5
     defaults:
       run:
-        working-directory: <%= inst.path %>
+        working-directory: ${{ env.WS }}/<%= inst.path %>
     env:
       DATABASE_URL: postgresql://postgres:postgres@localhost:5432/ci_test
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          path: ${{ env.WS }}
 <% if (pm.name === 'pnpm') { %>
       - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
         with:
@@ -234,7 +258,7 @@ jobs:
         with:
           node-version: 22
           cache: <%= pm.name %>
-          cache-dependency-path: <%= inst.path %>/<%= pm.lockfile %>
+          cache-dependency-path: ${{ env.WS }}/<%= inst.path %>/<%= pm.lockfile %>
 <% } %>
       - run: <%= pm.ci %>
 <% if (orm === 'drizzle') { %>
@@ -260,9 +284,11 @@ jobs:
     runs-on: ubuntu-latest
     defaults:
       run:
-        working-directory: <%= inst.path %>
+        working-directory: ${{ env.WS }}/<%= inst.path %>
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          path: ${{ env.WS }}
 <% if (pm.name === 'pnpm') { %>
       - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
         with:
@@ -276,7 +302,7 @@ jobs:
         with:
           node-version: 22
           cache: <%= pm.name %>
-          cache-dependency-path: <%= inst.path %>/<%= pm.lockfile %>
+          cache-dependency-path: ${{ env.WS }}/<%= inst.path %>/<%= pm.lockfile %>
 <% } %>
       - run: <%= pm.ci %>
       - run: <%= pm.exec %> prettier --check .
@@ -295,9 +321,11 @@ jobs:
     runs-on: ubuntu-latest
     defaults:
       run:
-        working-directory: <%= inst.path %>
+        working-directory: ${{ env.WS }}/<%= inst.path %>
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          path: ${{ env.WS }}
       - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2
         with:
           channel: stable
@@ -317,9 +345,11 @@ jobs:
     runs-on: ubuntu-latest
     defaults:
       run:
-        working-directory: <%= inst.path %>
+        working-directory: ${{ env.WS }}/<%= inst.path %>
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          path: ${{ env.WS }}
 <% if (pm.name === 'pnpm') { %>
       - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
         with:
@@ -333,7 +363,7 @@ jobs:
         with:
           node-version: 22
           cache: <%= pm.name %>
-          cache-dependency-path: <%= inst.path %>/<%= pm.lockfile %>
+          cache-dependency-path: ${{ env.WS }}/<%= inst.path %>/<%= pm.lockfile %>
 <% } %>
       - run: <%= pm.ci %>
       - run: <%= pm.exec %> prettier --check .
@@ -350,9 +380,11 @@ jobs:
     runs-on: ubuntu-latest
     defaults:
       run:
-        working-directory: <%= inst.path %>/stack
+        working-directory: ${{ env.WS }}/<%= inst.path %>/stack
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          path: ${{ env.WS }}
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
         with:
           terraform_version: '1.11'
@@ -360,3 +392,19 @@ jobs:
       - run: terraform init -backend=false
       - run: terraform validate
 <% } %>
+<% for (const inst of adminPanelInstances) { %>
+
+  <%= inst.path %>:
+    name: <%= inst.display %> (docker build)
+    needs: changes
+    if: github.event_name == 'workflow_dispatch' || needs.changes.outputs.<%= inst.path %> == 'true'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ${{ env.WS }}/<%= inst.path %>
+    steps:
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          path: ${{ env.WS }}
+      - run: docker build -t <%= inst.path %>:ci .
+<% } %>

package/src/templates/docker-compose.yml.ejs

@@ -157,6 +157,32 @@ services:
     networks:
       - app-network
 <% } %>
+<% for (const inst of adminPanelInstances) { %>
+  <%= inst.path %>:
+    build: ./<%= inst.path %>
+    expose:
+      - "8055"
+    env_file:
+      - ./<%= inst.path %>/.env
+    volumes:
+      - ./<%= inst.path %>/uploads:/directus/uploads
+      - ./<%= inst.path %>/extensions:/directus/extensions
+    restart: unless-stopped
+    healthcheck:
+      test:
+        [
+          "CMD",
+          "node",
+          "-e",
+          "require('http').get('http://localhost:8055/server/health', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))",
+        ]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
+    networks:
+      - app-network
+<% } %>
 <% if (frontendInstances.length > 0) { %>
   certbot:
     image: certbot/certbot:latest

package/src/templates/pre-commit.ejs

@@ -39,8 +39,8 @@ if [ -n "$<%= inst.upper %>_PY" ]; then
   echo "$<%= inst.upper %>_PY" | sed 's|^<%= inst.path %>/||' | xargs uv run ruff format
   echo "$<%= inst.upper %>_PY" | sed 's|^<%= inst.path %>/||' | xargs uv run ruff check --fix
   uv run mypy
-  if grep -rEn 'from src\.[a-z_]+(\.[a-z_]+)?\._[a-z_]+ import' src/; then
-    echo "ERROR: src/ files cannot import from another module's _-prefixed file. Import from the package."
+  if grep -rEn 'from src\.[a-z_]+(\.[a-z_]+)?\._[a-z_]+ import' src/ | grep -v 'pragma:.*allow-private-import'; then
+    echo "ERROR: src/ files cannot import from another module's _-prefixed file. Import from the package, or add '# pragma: allow-private-import' on the line if the cycle makes a package import impossible."
     exit 1
   fi
   uv run lint-imports

package/src/templates/setup.sh.ejs

@@ -121,6 +121,14 @@ else
   echo "<%= inst.display %> skipped (SDK not installed)."
 fi
 <% } %>
+<% for (const inst of adminPanelInstances) { %>
+
+if [ ! -f <%= inst.path %>/.env ] && [ -f <%= inst.path %>/.env.example ]; then
+  cp <%= inst.path %>/.env.example <%= inst.path %>/.env
+  echo "<%= inst.path %>/.env created from .env.example."
+fi
+echo "<%= inst.display %> configured (Docker — run 'docker compose up <%= inst.path %>')."
+<% } %>
 
 echo ""
 echo "Done. Ensure PostgreSQL is running locally, then run '<%= pm.runDev %>' (or 'uv run main.py') in each service."