create-projx 1.7.6 → 1.7.7

package/dist/{baseline-2PBT5JBT.js → baseline-DT3CWKOO.js}

@@ -8,7 +8,7 @@ import {
   matchesSkip,
   saveBaselineRef,
   writeTemplateToDir
-} from "./chunk-NPBLDU4H.js";
+} from "./chunk-OH6QQNPO.js";
 import "./chunk-N66CVDEV.js";
 export {
   BASELINE_REF,

package/dist/{chunk-NPBLDU4H.js → chunk-OH6QQNPO.js}

@@ -90,6 +90,39 @@ async function generateCiYml(vars) {
 async function generateReadme(vars) {
   return renderShared("README.md.ejs", withInstances(vars));
 }
+function infraTemplateVars(vars) {
+  const projectName = vars.projectName;
+  const productionDomain = vars.productionDomain ?? `${projectName}.example.com`;
+  const awsRegion = vars.awsRegion ?? "us-east-1";
+  const githubOwner = vars.githubOwner ?? "TODO";
+  const ecrRepos = vars.ecrRepos ?? [
+    `${projectName}/backend`,
+    `${projectName}/frontend`
+  ];
+  const hasBackendMigrations = vars.components.some(
+    (c) => c === "fastify" || c === "express"
+  );
+  const hasAdminPanelMigrations = vars.components.includes("admin-panel");
+  return {
+    ...vars,
+    productionDomain,
+    awsRegion,
+    githubOwner,
+    ecrRepos,
+    hasBackendMigrations,
+    hasAdminPanelMigrations,
+    displayName: projectName.charAt(0).toUpperCase() + projectName.slice(1)
+  };
+}
+async function generateRollback(vars) {
+  return renderShared("rollback.sh.ejs", infraTemplateVars(vars));
+}
+async function generateCodeowners(vars) {
+  return renderShared("codeowners.ejs", infraTemplateVars(vars));
+}
+async function generateRunbook(vars) {
+  return renderShared("runbook.md.ejs", infraTemplateVars(vars));
+}
 function generateVscodeSettings(vars) {
   const settings = {};
   if (vars.components.includes("fastapi")) {
@@ -457,6 +490,26 @@ async function writeTemplateToDir(dest, repoDir, components, componentPaths, var
     );
     await chmod(join2(dest, "scripts/setup.sh"), 493);
   }
+  if (vars.components.includes("infra")) {
+    if (shouldWrite("scripts/rollback.sh")) {
+      await mkdir(join2(dest, "scripts"), { recursive: true });
+      await writeFile(
+        join2(dest, "scripts/rollback.sh"),
+        await generateRollback(vars)
+      );
+      await chmod(join2(dest, "scripts/rollback.sh"), 493);
+    }
+    if (shouldWrite(".github/CODEOWNERS")) {
+      await mkdir(join2(dest, ".github"), { recursive: true });
+      await writeFile(
+        join2(dest, ".github/CODEOWNERS"),
+        await generateCodeowners(vars)
+      );
+    }
+    if (shouldWrite("RUNBOOK.md")) {
+      await writeFile(join2(dest, "RUNBOOK.md"), await generateRunbook(vars));
+    }
+  }
   await copyStaticFiles(repoDir, dest);
   if (shouldWrite(".vscode/settings.json")) {
     await mkdir(join2(dest, ".vscode"), { recursive: true });
@@ -613,7 +666,7 @@ function ormNodeDockerfileSource(manifest, vars) {
 ENV PATH="$PNPM_HOME:$PATH"
 RUN corepack enable && corepack prepare pnpm@10.33.0 --activate
 ` : pmName === "yarn" ? "RUN corepack enable\n" : pmName === "bun" ? "RUN npm install -g bun\n" : "";
-  const buildCopy = extraConfigCopy ? `COPY package.json tsconfig.json ${extraConfigCopy} ./` : `COPY package.json tsconfig.json ./`;
+  const buildCopy = extraConfigCopy ? `COPY package.json tsconfig.json tsconfig.build.json ${extraConfigCopy} ./` : `COPY package.json tsconfig.json tsconfig.build.json ./`;
   const migrateStage = migrateCmd ? `FROM build AS migrate
 CMD ["sh", "-c", "${exec} ${migrateCmd}"]
 

package/dist/index.js

@@ -9,7 +9,7 @@ import {
   matchesSkip,
   saveBaselineRef,
   writeTemplateToDir
-} from "./chunk-NPBLDU4H.js";
+} from "./chunk-OH6QQNPO.js";
 import {
   COMPONENTS,
   COMPONENT_MARKER,
@@ -903,7 +903,7 @@ function hasUncommittedChanges(cwd) {
 async function findPinnedFilesWithUpdates(cwd, repoDir, components, componentPaths, vars, version, componentSkips, rootSkip) {
   const { mkdtemp: mkdtemp2, rm: rm2, readFile: readFile8 } = await import("fs/promises");
   const { tmpdir: tmpdir2 } = await import("os");
-  const { writeTemplateToDir: writeTemplateToDir2 } = await import("./baseline-2PBT5JBT.js");
+  const { writeTemplateToDir: writeTemplateToDir2 } = await import("./baseline-DT3CWKOO.js");
   const config = await readProjxConfig(cwd);
   const rootPinned = Array.isArray(config.skip) ? config.skip : [];
   const componentPinned = [];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-projx",
-  "version": "1.7.6",
+  "version": "1.7.7",
   "description": "Scaffold production-grade fullstack projects in seconds. FastAPI, Fastify, Express, React, Flutter, Terraform — with auth, database, CI/CD, E2E tests, and Docker. One command, ready to deploy.",
   "type": "module",
   "bin": {

package/src/templates/codeowners.ejs

@@ -0,0 +1,9 @@
+* @<%= githubOwner %>
+
+infra/ @<%= githubOwner %>
+.github/workflows/ @<%= githubOwner %>
+scripts/deploy*.sh @<%= githubOwner %>
+scripts/rollback.sh @<%= githubOwner %>
+<% if (hasBackendMigrations) { %>backend/prisma/migrations/ @<%= githubOwner %>
+<% } %><% if (hasAdminPanelMigrations) { %>admin-panel/internal/db/migrations/ @<%= githubOwner %>
+<% } %>

package/src/templates/docker-compose.yml.ejs

@@ -23,7 +23,7 @@ services:
           "CMD",
           "python",
           "-c",
-          "import urllib.request; urllib.request.urlopen('http://localhost:7860/api/health')",
+          "import urllib.request; urllib.request.urlopen('http://localhost:7860/api/health/live')",
         ]
       interval: 30s
       timeout: 10s
@@ -61,7 +61,7 @@ services:
           "CMD",
           "node",
           "-e",
-          "require('http').get('http://localhost:3000/api/health', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))",
+          "require('http').get('http://localhost:3000/api/health/live', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))",
         ]
       interval: 30s
       timeout: 10s
@@ -99,7 +99,7 @@ services:
           "CMD",
           "node",
           "-e",
-          "require('http').get('http://localhost:3000/api/health', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))",
+          "require('http').get('http://localhost:3000/api/health/live', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))",
         ]
       interval: 30s
       timeout: 10s

package/src/templates/rollback.sh.ejs

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+# Roll <%= projectName %> back to a previous main-<sha> image tag in ECR.
+#
+# Usage:
+#   scripts/rollback.sh <previous-sha>
+#
+# Required env on the operator workstation:
+#   AWS_REGION       (default <%= awsRegion %>)
+#   ECR_REGISTRY     (account-id.dkr.ecr.<%= awsRegion %>.amazonaws.com)
+#   EC2_INSTANCE_ID  (the <%= projectName %>-web instance)
+#   DOMAIN           (default <%= productionDomain %>)
+
+set -euo pipefail
+
+if [[ $# -ne 1 ]]; then
+  echo "Usage: $0 <previous-sha>" >&2
+  exit 2
+fi
+
+PREV_SHA="$1"
+AWS_REGION="${AWS_REGION:-<%= awsRegion %>}"
+DOMAIN="${DOMAIN:-<%= productionDomain %>}"
+TAG="main-${PREV_SHA}"
+
+if [[ -z "${ECR_REGISTRY:-}" ]]; then
+  echo "ECR_REGISTRY is required" >&2
+  exit 2
+fi
+if [[ -z "${EC2_INSTANCE_ID:-}" ]]; then
+  echo "EC2_INSTANCE_ID is required" >&2
+  exit 2
+fi
+
+REPOS=(<% for (const r of ecrRepos) { %>
+  <%= r %><% } %>
+)
+
+echo "==> Confirming target image exists in ECR for every service"
+for repo in "${REPOS[@]}"; do
+  if ! aws ecr describe-images --region "$AWS_REGION" --repository-name "$repo" --image-ids imageTag="$TAG" >/dev/null 2>&1; then
+    echo "FATAL: $repo does not have image tag $TAG in ECR" >&2
+    exit 3
+  fi
+done
+
+echo "==> Re-tagging $TAG as main-latest for every service"
+for repo in "${REPOS[@]}"; do
+  manifest=$(aws ecr batch-get-image --region "$AWS_REGION" --repository-name "$repo" --image-ids imageTag="$TAG" --query 'images[].imageManifest' --output text)
+  if [[ -z "$manifest" ]]; then
+    echo "FATAL: failed to read manifest for $repo:$TAG" >&2
+    exit 4
+  fi
+  aws ecr put-image --region "$AWS_REGION" --repository-name "$repo" --image-tag "main-latest" --image-manifest "$manifest" >/dev/null
+  echo "  re-tagged $repo -> main-latest"
+done
+
+echo "==> Triggering deploy on $EC2_INSTANCE_ID with IMAGE_TAG=$TAG"
+COMMAND_ID=$(aws ssm send-command \
+  --region "$AWS_REGION" \
+  --instance-ids "$EC2_INSTANCE_ID" \
+  --document-name AWS-RunShellScript \
+  --comment "<%= projectName %> rollback to $TAG" \
+  --parameters commands="[\"IMAGE_TAG=$TAG AWS_REGION=$AWS_REGION ECR_REGISTRY=$ECR_REGISTRY DOMAIN=$DOMAIN bash /opt/<%= projectName %>/scripts/deploy-on-ec2.sh\"]" \
+  --query 'Command.CommandId' \
+  --output text)
+
+echo "==> SSM command id: $COMMAND_ID"
+echo "Tail logs with:"
+echo "  aws ssm get-command-invocation --region $AWS_REGION --instance-id $EC2_INSTANCE_ID --command-id $COMMAND_ID"

package/src/templates/runbook.md.ejs

@@ -0,0 +1,64 @@
+# <%= displayName %> Runbook
+
+Single source of truth for production recovery, deploys, rollbacks, and incident response.
+
+## Architecture at a glance
+
+- Single EC2 (Ubuntu 24.04, `<%= awsRegion %>`) running Docker Compose
+- RDS Postgres, isolated subnets, PITR enabled, `deletion_protection=true`
+- Container registry: ECR
+- IaC: Terraform in [`infra/`](infra/), state in S3 + DynamoDB lock
+
+## Deploy
+
+GitHub Actions builds + pushes ECR + SSM SendCommand to the EC2. Operator runs migrate by hand:
+
+```
+aws ssm start-session --target $EC2_INSTANCE_ID
+cd /opt/<%= projectName %>
+docker compose run --rm migrate
+```
+
+## Rollback (target RTO < 2 minutes)
+
+1. Pick last-known-good `main-<sha>` tag in ECR.
+2. `scripts/rollback.sh <sha>` — re-tags ECR + SSM-invokes deploy.
+3. `curl https://<%= productionDomain %>/api/health` must return 200.
+
+## DB restore (point-in-time)
+
+Last tested: not yet rehearsed.
+
+```
+aws rds restore-db-instance-to-point-in-time \
+  --source-db-instance-identifier <%= projectName %>-1 \
+  --target-db-instance-identifier <%= projectName %>-1-restore-$(date +%Y%m%d) \
+  --restore-time <iso8601-utc>
+```
+
+Then update `/<%= projectName %>/backend/env` `DATABASE_URL` SSM parameter; `docker compose restart backend`.
+
+## Certificate renewal
+
+Let's Encrypt via certbot at `/etc/cron.d/<%= projectName %>-certbot`, daily 03:00.
+
+## Incident channels
+
+- Internal alarms: `<%= projectName %>-alerts` SNS topic (subscribe via `var.alert_emails`)
+- Application crashes: Sentry (Node backends: `service_configs` row with purpose `sentry`; FastAPI/frontend: `SENTRY_DSN` / `VITE_SENTRY_DSN` env)
+- Customer-facing: TBD
+
+## Known recovery cliffs (open items)
+
+- **Single-AZ RDS** — failover takes minutes until `multi_az=true` flipped.
+- **DR untested** — restore procedure above is theoretical until rehearsed.
+- **`docker container prune` + `docker image prune -a` on every deploy** — `scripts/deploy.sh` aggressively cleans the local Docker store after each successful deploy. This keeps the disk small but means **rollback to a previous image always requires a fresh `docker pull`** rather than a local-cache hit. On a slow link or during a registry outage that blocks the pull, rollback time stretches by however long the pull takes. If the rollback target is more than two deploys old it will not be in the registry's hot cache either. **Mitigation:** for the highest-risk deploys (database migrations, auth surface, payment paths), keep the previous container running on a parallel port for the first 15 minutes post-deploy so an in-place revert does not need any pull at all. Skip the prune step on the deploy host for those windows.
+
+## Common ops
+
+| Task                       | Command                                                                              |
+| -------------------------- | ------------------------------------------------------------------------------------ |
+| SSH-equivalent             | `aws ssm start-session --target $EC2_INSTANCE_ID`                                    |
+| Tail backend logs          | `docker logs --tail 200 -f backend`                                                  |
+| Run a one-off migration    | `docker compose run --rm migrate`                                                    |
+| Re-issue certbot           | `sudo certbot certonly --nginx --keep-until-expiring -d <%= productionDomain %>`     |