create-rebe 1.0.0 → 3.0.0

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "create-rebe",
-	"version": "1.0.0",
+	"version": "3.0.0",
 	"description": "Scaffold a new rebe backend project: npm create rebe@latest <dir>.",
 	"license": "MIT",
 	"author": "Refkinscallv <refkinscallv@gmail.com>",

package/template/.env.example

@@ -19,6 +19,10 @@ EXPRESS_TRUST_PROXY=0
 EXPRESS_RATE_LIMIT_ENABLED=true
 EXPRESS_RATE_LIMIT_WINDOW_MS=900000
 EXPRESS_RATE_LIMIT_MAX=100
+# HTTP server timeouts (ms; 0 = Node default). Guard against slow-request/slowloris DoS.
+EXPRESS_REQUEST_TIMEOUT_MS=30000
+EXPRESS_HEADERS_TIMEOUT_MS=15000
+EXPRESS_KEEPALIVE_TIMEOUT_MS=5000
 
 # ========== Database ==========
 DB_ENABLED=false

package/template/README.md

@@ -19,12 +19,13 @@ with `APP_NAME` set to the project name and fresh `APP_KEY` / JWT secrets.
 
 ## What's inside
 
-- **HTTP** — Express 5 + Laravel-style routing, helmet, CORS, compression, rate
-  limiting, body limits, multipart uploads.
+- **HTTP** — Express 5 + a built-in Laravel-style router (`@core/routing.core`), helmet,
+  CORS, compression, rate limiting, body limits, multipart uploads.
 - **Realtime** — Socket.IO on the same port, optional Redis adapter.
 - **Background** — node-cron scheduler and an in-process job queue (optional DB
   persistence).
-- **Data** — Sequelize (MySQL/MariaDB/Postgres/MSSQL/SQLite), enabled on demand.
+- **Data** — Sequelize (MySQL/MariaDB/Postgres/MSSQL/SQLite), enabled on demand, with
+  a built-in migration runner, seeders, and a generator CLI.
 - **Auth** — JWT (access + refresh, HS256-pinned), bcrypt.
 - **Ops** — Winston logging with daily rotation, lifecycle hooks, graceful shutdown,
   PM2 config.
@@ -34,12 +35,14 @@ with `APP_NAME` set to the project name and fresh `APP_KEY` / JWT secrets.
 
 ```bash
 npm install
-npm run cli -- setup        # copy .env, refresh deps, generate keys
+npm run cli -- setup        # copy .env, install deps, generate keys
 npm run dev                 # nodemon, development
 ```
 
-`setup` copies `.env.example` to `.env` and generates `APP_KEY`, `JWT_SECRET`, and
-`JWT_REFRESH_SECRET`. Generate keys individually with `npm run cli -- key:generate`
+`setup` copies `.env.example` to `.env`, installs the pinned dependencies, and
+generates `APP_KEY`, `JWT_SECRET`, and `JWT_REFRESH_SECRET`. Pass `--upgrade` to also
+bump dependencies via `npm-check-updates` (off by default, so a clean install stays on
+the audited versions). Generate keys individually with `npm run cli -- key:generate`
 and `npm run cli -- key:jwt [--refresh]`.
 
 ## Development vs production
@@ -98,12 +101,16 @@ loader — Inversion of Control keeps the arrow pointing one way.
 │   ├── queue/register.queue.js     # (Queue) => {}
 │   ├── socket/register.socket.js   # (io, Socket) => {}
 │   └── hooks/register.hook.js      # { before, after, shutdown }
-├── database/           # Sequelize models -> @database
+├── database/           # -> @database
+│   ├── models/         # Sequelize models
+│   ├── migrations/     # up/down migrations (tracked in _migrations)
+│   └── seeders/        # data seeders
+├── modules/            # Optional feature modules (entry: <name>.module.js)
 ├── storage/            # Local file storage / uploads -> @storage
 ├── tests/              # Jest test suite
 ├── create-rebe/        # The `npm create rebe` scaffolder package
 ├── docs/               # Per-core API reference
-├── scripts/cli.js      # Project CLI (npm run cli)
+├── scripts/cli.js      # Project CLI dispatcher (npm run cli) + scripts/cli/
 ├── index.js            # Entry: dotenv -> module-alias -> runtime -> Bootstrap.run()
 └── ecosystem.config.js # PM2 (fork, single instance)
 ```
@@ -145,6 +152,54 @@ npm run format   # prettier --write .
 npm run cli -- help
 ```
 
+## CLI
+
+The project CLI (`npm run cli -- <command>`) scaffolds code and manages the database.
+
+```bash
+# Project / keys
+npm run cli -- setup [--upgrade]      # .env + install + keys (--upgrade runs npm-check-updates)
+npm run cli -- key:generate           # APP_KEY
+npm run cli -- key:jwt [--refresh]    # JWT_SECRET / JWT_REFRESH_SECRET
+
+# Scaffolding  (every make: supports --module=<name>; see docs/Make.md)
+npm run cli -- make:model <Name>      # model + matching create-table migration
+npm run cli -- make:migration <name>  # blank up/down migration
+npm run cli -- make:seed <Name>       # seeder
+npm run cli -- make:controller <Name> [--resource] [--api]
+npm run cli -- make:middleware <Name> # handle() middleware class
+npm run cli -- make:validator <Name>  # zod schemas
+npm run cli -- make:route <name>      # route group file
+npm run cli -- make:job|queue|socket <Name>   # background / realtime modules
+npm run cli -- make:hook              # { before, after, shutdown }
+npm run cli -- make:resource <Name> [--api]   # controller + model + migration + validator + route
+npm run cli -- make:module <name>     # full mini-app module (http/, routes, jobs, queue, socket, hooks, data)
+
+# Database
+npm run cli -- db:migrate             # run pending migrations            (alias: migrate)
+npm run cli -- db:rollback [--step=N] # roll back the last batch          (alias: rollback)
+npm run cli -- db:reset [--seed]      # drop all tables → migrate         (alias: reset)
+npm run cli -- db:refresh [--seed]    # rollback all via down() → migrate
+npm run cli -- db:fresh [--seed]      # alias of db:reset
+npm run cli -- db:status              # applied vs pending migrations
+npm run cli -- db:wipe                # drop all tables (no migrate)
+npm run cli -- db:seed [--all] [--class=Name]   # run default/named seeder (alias: seed)
+npm run cli -- db:seed-all            # run every seeder                  (alias: seed-all)
+```
+
+Migrations are tracked in a `_migrations` table and ordered globally by their
+`YYYYMMDDHHmmss_` filename prefix. Once migrations own the schema, keep `DB_FORCE` /
+`DB_ALTER` **off** in production. See [docs/Migration.md](./docs/Migration.md) and
+[docs/Seeder.md](./docs/Seeder.md).
+
+## Modular structure (optional)
+
+Group a feature's models, routes, migrations, seeders, jobs, queue, and socket
+handlers under `modules/<name>/` behind a single entry file
+(`<name>.module.js`). It's additive — the flat layout keeps working, and a project
+with no `modules/` directory is unaffected. Scaffold one with
+`npm run cli -- make:module <name>`; see [docs/Modules.md](./docs/Modules.md).
+
 ## License
 
 MIT

package/template/SECURITY.md

@@ -21,6 +21,10 @@ that you should review against your threat model before deploying.
 | F-08 | Info     | CWE-352  | No CSRF protection                                                                                 | N/A for bearer API  |
 | F-09 | Low      | CWE-798  | Demo credentials in sample code; secrets in local `.env`                                           | Guidance            |
 | F-10 | Info     | CWE-770  | Rate limit / trust-proxy defaults                                                                  | Guidance            |
+| F-11 | High     | CWE-400  | `ws` / `form-data` transitive DoS & CRLF advisories (socket.io, axios)                             | Fixed (2.0.0)       |
+| F-12 | Moderate | CWE-1395 | `js-yaml` DoS in the `jest` dev-dependency tree                                                    | Accepted (dev-only) |
+| F-13 | Low      | CWE-400  | No HTTP server timeouts — slow-request / slowloris DoS surface                                     | Fixed (3.0.0)       |
+| F-14 | Info     | CWE-1059 | Error JSON envelope diverged from the documented `{ status, code, … }` shape                       | Fixed (3.0.0)       |
 
 ## Findings
 
@@ -104,6 +108,41 @@ see the true client IP; leaving it at `0` while behind a proxy lets clients shar
 bucket. Do **not** set an overly permissive trust-proxy value when directly exposed —
 it would let clients spoof `X-Forwarded-For`.
 
+### F-11 — Transitive `ws` / `form-data` advisories (Fixed in 2.0.0)
+
+`npm audit` reported four high-severity transitive advisories: memory-exhaustion DoS in
+`ws` (via `socket.io` → `engine.io` / `socket.io-adapter`) and CRLF injection in
+`form-data` (via `axios`). All were resolved by a non-breaking `npm audit fix`
+(`ws 8.20.1 → 8.21.0`, `engine.io`, `socket.io-adapter`, `form-data 4.0.5 → 4.0.6`); the
+direct `socket.io` / `axios` versions are unchanged. Production dependency tree is clean
+of high-severity advisories.
+
+### F-12 — `js-yaml` DoS in the jest dev tree (Accepted / dev-only)
+
+The remaining moderate advisories all originate from `jest`'s transitive
+`@istanbuljs/load-nyc-config → js-yaml` chain (quadratic-complexity DoS in YAML merge-key
+parsing). `jest` is already on its latest major and no non-breaking fix is published, so
+these are accepted: they are **devDependencies** only, exercised against trusted local
+test-config files, with no production runtime exposure. Re-run `npm audit` after jest
+updates.
+
+### F-13 — Missing HTTP server timeouts (Fixed in 3.0.0)
+
+`express.core` created the `http.Server` without explicit socket timeouts, leaving the
+slow-request / slowloris surface to Node defaults (no per-request cap; long header
+phase). The server now applies configurable `requestTimeout` (30s), `headersTimeout`
+(15s), and `keepAliveTimeout` (5s) — see `EXPRESS_*_TIMEOUT_MS` in `.env.example`; set
+`0` to fall back to the Node default for any of them.
+
+### F-14 — Error JSON envelope consistency (Fixed in 3.0.0)
+
+`error.core` emitted JSON errors as `{ success, status, message }`, diverging from the
+documented response envelope `{ status, code, message, data, meta }` used everywhere else
+(controllers, the validator core, the rate-limit message). Clients had to special-case
+error shapes, and `status` carried a different type (boolean vs numeric code) than the
+rest of the API. 404 and error responses now use the standard envelope (errors still add
+`stack` outside production). This is a response-shape change for error paths in 3.0.0.
+
 ## Positive controls
 
 - `helmet` with a restrictive CSP; `x-powered-by` disabled.

package/template/app/routes/api.route.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const Routes = require('@refkinscallv/express-routing')
+const Routes = require('@core/routing.core')
 
 const Validator = require('@core/validator.core')
 const AuthController = require('@http/controllers/auth.controller')

package/template/app/routes/register.route.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const Routes = require('@refkinscallv/express-routing')
+const Routes = require('@core/routing.core')
 
 require('@routes/web.route')
 require('@routes/api.route')

package/template/app/routes/web.route.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const Routes = require('@refkinscallv/express-routing')
+const Routes = require('@core/routing.core')
 
 Routes.get('', ({ res }) => {
 	res.send('Hello World')

package/template/app/socket/register.socket.js

@@ -1,7 +1,5 @@
 'use strict'
 
-const logger = require('@core/logger.core')
-
 // Socket.IO connection handlers. The socket core calls this with the io server and
 // the Socket facade after the server is attached. Register namespaces, rooms, and
 // event listeners here.

package/template/config/express.config.js

@@ -13,6 +13,14 @@ const Common = require('@core/common.core')
 module.exports = {
 	bodyLimit: Common.getEnv('EXPRESS_BODY_LIMIT', '10mb'),
 	trustProxy: Common.getEnvInt('EXPRESS_TRUST_PROXY', 0),
+	// Socket timeouts guard against slow-request / slowloris DoS. A value of 0 disables
+	// the individual timeout (Node default). requestTimeout caps a full request; headers
+	// timeout caps the header phase; keepAlive is the idle keep-alive window.
+	timeouts: {
+		request: Common.getEnvInt('EXPRESS_REQUEST_TIMEOUT_MS', 30000),
+		headers: Common.getEnvInt('EXPRESS_HEADERS_TIMEOUT_MS', 15000),
+		keepAlive: Common.getEnvInt('EXPRESS_KEEPALIVE_TIMEOUT_MS', 5000),
+	},
 	rateLimit: {
 		enabled: Common.getEnvBool('EXPRESS_RATE_LIMIT_ENABLED', true),
 		windowMs: Common.getEnvInt('EXPRESS_RATE_LIMIT_WINDOW_MS', 900000),

package/template/core/common/string.js

@@ -27,7 +27,7 @@ class Str {
 	static words(str) {
 		return String(str ?? '')
 			.replace(/([a-z0-9])([A-Z])/g, '$1 $2')
-			.replace(/[_\-]+/g, ' ')
+			.replace(/[_-]+/g, ' ')
 			.trim()
 			.split(/\s+/)
 			.filter(Boolean)

package/template/core/cron.core.js

@@ -41,6 +41,7 @@ class Cron {
 		}
 
 		await Register.invoke(REGISTER_FILE, [Cron], { label: 'app/jobs/register.job.js' })
+		await require('@core/modules.core').invoke('jobs', [Cron])
 
 		if (config.cron.history && config.db.enabled) {
 			try {

package/template/core/database.core.js

@@ -54,31 +54,44 @@ class Database {
 		}
 	}
 
+	// Resolve every directory that may contain model factories: the flat
+	// database/models plus each module's models/ dir (additive, opt-in).
+	static modelDirs() {
+		const Modules = require('@core/modules.core')
+		return [MODELS_DIR, ...Modules.dirs('models')].filter((dir) => fs.existsSync(dir))
+	}
+
 	// ── Models ───────────────────────────────────────────────────────────────
 	static loadModels() {
-		if (!fs.existsSync(MODELS_DIR)) {
+		const dirs = Database.modelDirs()
+		if (!dirs.length) {
 			logger.warn(`Models directory not found: ${MODELS_DIR}`)
 			return Database.models
 		}
 
-		const files = fs.readdirSync(MODELS_DIR).filter((file) => file.endsWith('.js') && !file.startsWith('_'))
+		for (const dir of dirs) {
+			const files = fs.readdirSync(dir).filter((file) => file.endsWith('.js') && !file.startsWith('_'))
 
-		for (const file of files) {
-			try {
-				const definition = require(path.join(MODELS_DIR, file))
-				const factory = definition.default || definition
-
-				if (typeof factory !== 'function') {
-					logger.warn(`Skipped model "${file}": expected a (sequelize, DataTypes) factory export`)
-					continue
-				}
-
-				const model = factory(Database.sequelize, DataTypes)
-				if (model?.name) {
-					Database.models.set(model.name, model)
+			for (const file of files) {
+				try {
+					const definition = require(path.join(dir, file))
+					const factory = definition.default || definition
+
+					if (typeof factory !== 'function') {
+						logger.warn(`Skipped model "${file}": expected a (sequelize, DataTypes) factory export`)
+						continue
+					}
+
+					const model = factory(Database.sequelize, DataTypes)
+					if (model?.name) {
+						if (Database.models.has(model.name)) {
+							logger.warn(`Model "${model.name}" from "${file}" overrides an already-registered model of the same name`)
+						}
+						Database.models.set(model.name, model)
+					}
+				} catch (err) {
+					logger.error(`Failed to load model "${file}"`, err)
 				}
-			} catch (err) {
-				logger.error(`Failed to load model "${file}"`, err)
 			}
 		}
 

package/template/core/error.core.js

@@ -27,9 +27,11 @@ module.exports = class ErrorHandler {
 
 		if (ErrorHandler._wantsJson(req)) {
 			return res.status(status).json({
-				success: false,
-				status,
+				status: false,
+				code: status,
 				message,
+				data: null,
+				meta: null,
 			})
 		}
 
@@ -54,9 +56,11 @@ module.exports = class ErrorHandler {
 
 		if (ErrorHandler._wantsJson(req)) {
 			return res.status(status).json({
-				success: false,
-				status,
+				status: false,
+				code: status,
 				message,
+				data: null,
+				meta: null,
 				...(detail && { stack: detail }),
 			})
 		}

package/template/core/express.core.js

@@ -15,8 +15,9 @@ const config = require('@config/index')
 const logger = require('@core/logger.core')
 const ErrorHandler = require('@core/error.core')
 const Register = require('@core/register.core')
+const Modules = require('@core/modules.core')
 
-const Routes = require('@refkinscallv/express-routing')
+const Routes = require('@core/routing.core')
 
 const MIDDLEWARE_REGISTER = Register.path('app', 'http', 'middlewares', 'register.middleware.js')
 
@@ -53,21 +54,23 @@ class Express {
 			)
 		}
 
-		Express._applyUserMiddleware(app)
+		await Express._applyUserMiddleware(app)
 		Express._applyStatic(app)
 		await Express._applyRoutes(app)
 		Express._applyErrorHandling(app)
 
 		Express.app = app
 		Express.server = http.createServer(app)
+		Express._applyTimeouts(Express.server)
 		return { app, server: Express.server }
 	}
 
 	// Global application middleware: app/http/middlewares/register.middleware.js
-	// exports (app) => { ... }.
-	static _applyUserMiddleware(app) {
+	// exports (app) => { ... }, then each module's middlewares(app) hook.
+	static async _applyUserMiddleware(app) {
 		const register = Register.require(MIDDLEWARE_REGISTER, { label: 'app/http/middlewares/register.middleware.js' })
 		if (typeof register === 'function') register(app)
+		await Modules.invoke('middlewares', [app])
 	}
 
 	// Serve ./public at the root and uploaded files under /uploads. The whole
@@ -95,6 +98,7 @@ class Express {
 	// effect, then Routes.apply binds them onto a router and app.use()s it.
 	static async _applyRoutes(app) {
 		require('@routes/register.route')
+		Modules.requireRoutes()
 		await Routes.apply(app, express.Router())
 	}
 
@@ -103,6 +107,14 @@ class Express {
 		app.use(ErrorHandler.expressErrorHandler)
 	}
 
+	// Apply slow-request / slowloris DoS guards. A value of 0 leaves Node's default.
+	static _applyTimeouts(server) {
+		const t = config.express.timeouts
+		if (t.request) server.requestTimeout = t.request
+		if (t.headers) server.headersTimeout = t.headers
+		if (t.keepAlive) server.keepAliveTimeout = t.keepAlive
+	}
+
 	static listen() {
 		return new Promise((resolve, reject) => {
 			if (!Express.server) {

package/template/core/hooks.core.js

@@ -21,14 +21,17 @@ class Hooks {
 
 	static async run(stage, ctx = {}) {
 		const fn = Hooks._resolve()[stage]
-		if (typeof fn !== 'function') return
-
-		try {
-			await fn(ctx)
-		} catch (err) {
-			logger.error(`Hook "${stage}" failed`, err)
-			throw err
+		if (typeof fn === 'function') {
+			try {
+				await fn(ctx)
+			} catch (err) {
+				logger.error(`Hook "${stage}" failed`, err)
+				throw err
+			}
 		}
+
+		// Module lifecycle hooks run after the flat app hook for the same stage.
+		await require('@core/modules.core').runHooks(stage, ctx)
 	}
 
 	static before(ctx) {

package/template/core/migrator.core.js

@@ -0,0 +1,201 @@
+'use strict'
+
+const fs = require('fs')
+const path = require('path')
+
+const logger = require('@core/logger.core')
+const Database = require('@core/database.core')
+const Modules = require('@core/modules.core')
+
+const MIGRATIONS_DIR = path.resolve(process.cwd(), 'database', 'migrations')
+const TABLE = '_migrations'
+
+// Lightweight migration runner built on Sequelize's QueryInterface (no extra deps).
+// Migration files export { up(qi, Sequelize), down(qi, Sequelize) } and live in
+// database/migrations/ and/or each module's migrations/ dir. Applied migrations are
+// tracked in the `_migrations` table; files are ordered globally by filename, so the
+// `YYYYMMDDHHmmss_` timestamp prefix produced by the CLI gives deterministic order.
+// Files whose name starts with "_" are ignored (helpers/partials).
+class Migrator {
+	// Open (or reuse) the pooled connection and return the QueryInterface.
+	static async _qi() {
+		const sequelize = await Database.connect()
+		return { sequelize, qi: sequelize.getQueryInterface(), Sequelize: Database.Sequelize }
+	}
+
+	static async _ensureTable(qi) {
+		const { DataTypes } = Database
+		await qi
+			.createTable(
+				TABLE,
+				{
+					id: { type: DataTypes.BIGINT.UNSIGNED, primaryKey: true, autoIncrement: true },
+					name: { type: DataTypes.STRING(255), allowNull: false, unique: true },
+					batch: { type: DataTypes.INTEGER, allowNull: false },
+					migrated_at: { type: DataTypes.DATE, allowNull: false },
+				},
+				{ charset: 'utf8mb4' },
+			)
+			.catch((err) => {
+				// createTable is not idempotent across all dialects; tolerate "already exists".
+				if (!/already exists/i.test(err.message)) throw err
+			})
+	}
+
+	// Map of basename -> absolute path across the flat dir and every module dir.
+	// Later duplicates of the same filename are warned about and ignored.
+	static _discover() {
+		const dirs = [MIGRATIONS_DIR, ...Modules.dirs('migrations')]
+		const files = new Map()
+
+		for (const dir of dirs) {
+			if (!fs.existsSync(dir)) continue
+			for (const file of fs.readdirSync(dir)) {
+				if (!file.endsWith('.js') || file.startsWith('_')) continue
+				if (files.has(file)) {
+					logger.warn(`Duplicate migration filename "${file}" in ${dir} ignored (already provided by ${path.dirname(files.get(file))})`)
+					continue
+				}
+				files.set(file, path.join(dir, file))
+			}
+		}
+
+		return new Map([...files.entries()].sort(([a], [b]) => a.localeCompare(b)))
+	}
+
+	static async _applied(sequelize) {
+		const { QueryTypes } = Database.Sequelize
+		const rows = await sequelize.query(`SELECT name, batch FROM ${TABLE} ORDER BY id ASC`, { type: QueryTypes.SELECT })
+		return rows
+	}
+
+	// Run every pending migration in order under a fresh batch number.
+	static async up() {
+		const { sequelize, qi, Sequelize } = await Migrator._qi()
+		await Migrator._ensureTable(qi)
+
+		const all = Migrator._discover()
+		const applied = new Set((await Migrator._applied(sequelize)).map((r) => r.name))
+		const pending = [...all.keys()].filter((name) => !applied.has(name))
+
+		if (!pending.length) {
+			logger.info('Migrations: nothing to migrate')
+			return []
+		}
+
+		const batch = await Migrator._nextBatch(sequelize)
+		const ran = []
+
+		for (const name of pending) {
+			const mod = Migrator._require(all.get(name))
+			logger.info(`Migrating: ${name}`)
+			await mod.up(qi, Sequelize)
+			await sequelize.query(`INSERT INTO ${TABLE} (name, batch, migrated_at) VALUES (:name, :batch, :now)`, {
+				replacements: { name, batch, now: new Date() },
+			})
+			ran.push(name)
+		}
+
+		logger.info(`Migrations: ${ran.length} applied (batch ${batch})`)
+		return ran
+	}
+
+	// Roll back the most recent batch, or the last `step` batches.
+	static async down({ step = 1 } = {}) {
+		const { sequelize, qi, Sequelize } = await Migrator._qi()
+		await Migrator._ensureTable(qi)
+
+		const all = Migrator._discover()
+		const applied = await Migrator._applied(sequelize)
+		if (!applied.length) {
+			logger.info('Migrations: nothing to roll back')
+			return []
+		}
+
+		const batches = [...new Set(applied.map((r) => r.batch))].sort((a, b) => b - a).slice(0, step)
+		const targets = applied
+			.filter((r) => batches.includes(r.batch))
+			.map((r) => r.name)
+			.reverse()
+
+		const rolled = []
+		for (const name of targets) {
+			const file = all.get(name)
+			if (!file) {
+				logger.warn(`Cannot roll back "${name}": file not found; removing tracking row only`)
+			} else {
+				const mod = Migrator._require(file)
+				logger.info(`Rolling back: ${name}`)
+				await mod.down(qi, Sequelize)
+			}
+			await sequelize.query(`DELETE FROM ${TABLE} WHERE name = :name`, { replacements: { name } })
+			rolled.push(name)
+		}
+
+		logger.info(`Migrations: ${rolled.length} rolled back`)
+		return rolled
+	}
+
+	// Roll back everything (all batches), one batch at a time.
+	static async rollbackAll() {
+		const { sequelize, qi } = await Migrator._qi()
+		await Migrator._ensureTable(qi)
+		let guard = 0
+		while ((await Migrator._applied(sequelize)).length) {
+			await Migrator.down({ step: 1 })
+			if (++guard > 1000) throw new Error('rollbackAll exceeded 1000 iterations; aborting')
+		}
+	}
+
+	static async status() {
+		const { sequelize, qi } = await Migrator._qi()
+		await Migrator._ensureTable(qi)
+		const all = [...Migrator._discover().keys()]
+		const applied = await Migrator._applied(sequelize)
+		const appliedMap = new Map(applied.map((r) => [r.name, r.batch]))
+		return all.map((name) => ({ name, applied: appliedMap.has(name), batch: appliedMap.get(name) ?? null }))
+	}
+
+	// Drop every table in the database (used by reset/fresh/wipe). FK constraints are
+	// disabled per dialect so order does not matter.
+	static async dropAllTables() {
+		const { sequelize, qi } = await Migrator._qi()
+		const dialect = sequelize.getDialect()
+		const tables = (await qi.showAllTables()).map((t) => (typeof t === 'object' ? t.tableName : t))
+
+		if (!tables.length) {
+			logger.info('Migrations: no tables to drop')
+			return []
+		}
+
+		if (dialect === 'mysql' || dialect === 'mariadb') {
+			await sequelize.query('SET FOREIGN_KEY_CHECKS = 0')
+			for (const t of tables) await qi.dropTable(t)
+			await sequelize.query('SET FOREIGN_KEY_CHECKS = 1')
+		} else if (dialect === 'postgres') {
+			for (const t of tables) await qi.dropTable(t, { cascade: true })
+		} else {
+			for (const t of tables) await qi.dropTable(t)
+		}
+
+		logger.info(`Migrations: dropped ${tables.length} table(s)`)
+		return tables
+	}
+
+	static async _nextBatch(sequelize) {
+		const { QueryTypes } = Database.Sequelize
+		const [row] = await sequelize.query(`SELECT COALESCE(MAX(batch), 0) AS max FROM ${TABLE}`, { type: QueryTypes.SELECT })
+		return Number(row.max) + 1
+	}
+
+	static _require(file) {
+		const raw = require(file)
+		const mod = raw && raw.default !== undefined ? raw.default : raw
+		if (!mod || typeof mod.up !== 'function' || typeof mod.down !== 'function') {
+			throw new Error(`Migration "${path.basename(file)}" must export { up, down } functions`)
+		}
+		return mod
+	}
+}
+
+module.exports = Migrator