create-rebe 1.0.0

package/template/README.md

@@ -0,0 +1,150 @@
+# rebe
+
+Ready-to-use Node.js backend framework. One process serves a JSON API, Socket.IO,
+cron jobs, and an in-process queue on a clean four-layer architecture
+(config → core → app) with centralized configuration.
+
+## Create a project
+
+```bash
+npm create rebe@latest my-api
+cd my-api
+npm install
+npm run dev
+```
+
+Flags (all optional): `--name <name>`, `--pm <npm|pnpm|yarn|bun>`, `--install`,
+`--git`, `--no-env`, `--force`, `-y`. Unless `--no-env` is set, a `.env` is generated
+with `APP_NAME` set to the project name and fresh `APP_KEY` / JWT secrets.
+
+## What's inside
+
+- **HTTP** — Express 5 + Laravel-style routing, helmet, CORS, compression, rate
+  limiting, body limits, multipart uploads.
+- **Realtime** — Socket.IO on the same port, optional Redis adapter.
+- **Background** — node-cron scheduler and an in-process job queue (optional DB
+  persistence).
+- **Data** — Sequelize (MySQL/MariaDB/Postgres/MSSQL/SQLite), enabled on demand.
+- **Auth** — JWT (access + refresh, HS256-pinned), bcrypt.
+- **Ops** — Winston logging with daily rotation, lifecycle hooks, graceful shutdown,
+  PM2 config.
+- **Optional Redis** — standalone; each feature opts in and falls back cleanly.
+
+## Manual setup (from a clone)
+
+```bash
+npm install
+npm run cli -- setup        # copy .env, refresh deps, generate keys
+npm run dev                 # nodemon, development
+```
+
+`setup` copies `.env.example` to `.env` and generates `APP_KEY`, `JWT_SECRET`, and
+`JWT_REFRESH_SECRET`. Generate keys individually with `npm run cli -- key:generate`
+and `npm run cli -- key:jwt [--refresh]`.
+
+## Development vs production
+
+|                 | Development                      | Production                                  |
+| --------------- | -------------------------------- | ------------------------------------------- |
+| Start           | `npm run dev` (nodemon)          | `npm start` (`node .`) or PM2               |
+| `APP_ENV`       | `development`                    | `production`                                |
+| Logs            | colored console + rotating files | console filtered, rotating files in `logs/` |
+| Error responses | include stack                    | stack hidden                                |
+
+Production with PM2 (single fork instance):
+
+```bash
+pm2 start ecosystem.config.js
+pm2 logs <APP_NAME>
+```
+
+> Run a **single** instance (`exec_mode: 'fork', instances: 1`). State is kept
+> in-process (Socket.IO rooms, the in-process queue, node-cron schedules). Cluster
+> mode would duplicate cron ticks, split socket rooms, and break queue state. For
+> horizontal scale, enable Redis (`REDIS_USE_SOCKET`/`REDIS_USE_QUEUE`) first.
+
+## Architecture
+
+Four layers with a strict, one-directional dependency arrow:
+
+```
+Entry (index.js -> bootstrap.core)
+  -> Application (app/: http, routes, jobs, queue, socket, hooks; database/ models)
+       -> Core (core/: infrastructure, static classes, no business logic)
+            -> Config (config/: reads .env via Common.getEnv*, exposes `config`)
+                 -> .env
+```
+
+The core layer never imports application code statically. Each core loads a single
+application entry point at runtime (`register.*.js`) through the hardened register
+loader — Inversion of Control keeps the arrow pointing one way.
+
+## Project structure
+
+```
+.
+├── config/             # Centralized config (one file per domain) -> @config
+├── core/               # Core layer (static classes) -> @core
+│   ├── common.core.js + common/   # Shared utils + env readers
+│   ├── runtime · logger · error · register
+│   ├── database · cron · queue
+│   ├── jwt · mailer · hooks · redis
+│   ├── express · socket · validator
+│   └── bootstrap.core.js          # Boot orchestrator
+├── app/                # Application layer -> @app
+│   ├── http/controllers|middlewares|validators
+│   ├── routes/         # web.route, api.route, register.route
+│   ├── jobs/register.job.js        # (Cron) => {}
+│   ├── queue/register.queue.js     # (Queue) => {}
+│   ├── socket/register.socket.js   # (io, Socket) => {}
+│   └── hooks/register.hook.js      # { before, after, shutdown }
+├── database/           # Sequelize models -> @database
+├── storage/            # Local file storage / uploads -> @storage
+├── tests/              # Jest test suite
+├── create-rebe/        # The `npm create rebe` scaffolder package
+├── docs/               # Per-core API reference
+├── scripts/cli.js      # Project CLI (npm run cli)
+├── index.js            # Entry: dotenv -> module-alias -> runtime -> Bootstrap.run()
+└── ecosystem.config.js # PM2 (fork, single instance)
+```
+
+## Boot flow
+
+```
+index.js -> dotenv -> module-alias -> runtime.core -> Bootstrap.run()
+  1. error handlers   2. Hooks.before   3. Redis.connect (if enabled)
+  4. Database.connect (if enabled)       5. Express.create -> { app, server }
+  6. Socket.attach    7. Cron + Queue    8. Express.listen   9. Hooks.after
+ 10. SIGINT/SIGTERM -> graceful shutdown
+```
+
+## Response envelope
+
+There is no `response.core`. Every API handler returns a manual envelope:
+
+```js
+res.json({ status: true, code: 200, message: 'OK', data: null, meta: null })
+```
+
+Validation failures add an `errors` array (422). Unhandled errors and 404s are
+formatted by `error.core` (JSON or HTML).
+
+## Documentation
+
+- [docs/](./docs/README.md) — per-core API reference (one file per core).
+- [SECURITY.md](./SECURITY.md) — security model, hardening checklist, audit findings.
+- `.env.example` — every configuration variable with its default.
+
+## Scripts
+
+```bash
+npm run dev      # nodemon (development)
+npm start        # node . (production)
+npm test         # jest
+npm run format   # prettier --write .
+npm run cli -- help
+```
+
+## License
+
+MIT

package/template/SECURITY.md

@@ -0,0 +1,133 @@
+# SECURITY
+
+Security model, audit findings, and production hardening guidance for `rebe`.
+
+This document records a code- and dependency-level audit of the framework. Findings
+are rated Critical / High / Medium / Low / Info and mapped to CWE. Items marked
+**Fixed** are already addressed in the codebase; **Guidance** items are safe defaults
+that you should review against your threat model before deploying.
+
+## Audit summary
+
+| ID   | Severity | CWE      | Issue                                                                                              | Status              |
+| ---- | -------- | -------- | -------------------------------------------------------------------------------------------------- | ------------------- |
+| F-01 | Medium   | CWE-79   | Reflected XSS in error/404 HTML pages                                                              | Fixed               |
+| F-02 | Medium   | CWE-942  | CORS wildcard origin combined with credentials                                                     | Fixed               |
+| F-03 | Medium   | CWE-440  | `common/*` utils required a non-existent module (`@app/config`), crashing Crypt/Hash/Storage/Cache | Fixed               |
+| F-04 | Low      | CWE-1395 | Transitive `uuid` bounds-check advisory via `sequelize`                                            | Accepted / monitor  |
+| F-05 | Medium   | CWE-434  | File-type enforcement relies on client MIME; active content (SVG/HTML) could be stored XSS         | Guidance            |
+| F-06 | Info     | CWE-345  | JWT algorithm confusion                                                                            | Mitigated by design |
+| F-07 | Low      | CWE-400  | Large default JSON/body limit (10 MB)                                                              | Guidance            |
+| F-08 | Info     | CWE-352  | No CSRF protection                                                                                 | N/A for bearer API  |
+| F-09 | Low      | CWE-798  | Demo credentials in sample code; secrets in local `.env`                                           | Guidance            |
+| F-10 | Info     | CWE-770  | Rate limit / trust-proxy defaults                                                                  | Guidance            |
+
+## Findings
+
+### F-01 — Reflected XSS in error pages (Fixed)
+
+`error.core` rendered `req.originalUrl` and error messages directly into HTML 404/500
+responses. A crafted URL could inject markup. The CSP (`default-src 'self'`) blocks
+inline script execution, but the values are now HTML-escaped (`Common.Str.escapeHtml`)
+as defense in depth. JSON responses were never affected.
+
+### F-02 — CORS wildcard + credentials (Fixed)
+
+The previous config used `origin: ['*']` with `credentials: true`. Reflecting any
+origin with credentials enabled is unsafe, and browsers reject the combination.
+`cors.config.js` now reads `CORS_ORIGIN` / `SOCKET_CORS_ORIGIN` as an allowlist and
+**forces credentials off** whenever the origin is `*`. Set explicit origins in
+production to allow credentialed cross-origin requests.
+
+### F-03 — Broken module reference in shared utils (Fixed)
+
+`crypt.js`, `hash.js`, `storage.js`, and `cache.js` required `@app/config`, which does
+not resolve (`@app` → the application folder; config lives at `@config`). Any use of
+`Common.Crypt`, `Common.Hash`, `Common.Storage`, or the config-default path of
+`Common.Cache` would throw `MODULE_NOT_FOUND`. All references now use `@config/index`.
+This is primarily a reliability bug, but a crash in a crypto/hash helper invoked on a
+request path is a denial-of-service vector.
+
+### F-04 — Transitive uuid advisory (Accepted / monitor)
+
+`npm audit` reports a moderate advisory (GHSA-w5hq-g745-h8pq) for `uuid` pulled in by
+`sequelize`. The only automated fix downgrades `sequelize` to a 3.x release (a major
+breaking change), so it is not applied. Real-world impact here is low: the affected
+code path requires an attacker-controlled `buf` argument, which the framework never
+passes, and the database is disabled by default. Re-run `npm audit` periodically and
+bump `sequelize` once an upstream fix ships.
+
+### F-05 — File upload type enforcement (Guidance)
+
+`express.core.upload()` filters by `file.mimetype`, which the client controls, and by
+`STORAGE_UPLOAD_ALLOWED_TYPES`. The default allowlist (`image/jpeg,image/png,
+image/webp,application/pdf`) is safe, and `/uploads` is served with
+`X-Content-Type-Options: nosniff`. If you broaden the allowlist:
+
+- Do **not** allow `image/svg+xml` or `text/html` for files served back to browsers —
+  they can carry script (stored XSS). Serve such files with
+  `Content-Disposition: attachment`, from a separate origin, or convert/sanitize them.
+- Consider validating magic bytes, not just the MIME header.
+
+### F-06 — JWT algorithm (Mitigated by design)
+
+`jwt.core` pins HS256 on both sign and verify, so forged `alg: none` or RS/HS-swap
+tokens are rejected. Keep access-token TTLs short and store only non-sensitive claims
+(the payload is signed, not encrypted).
+
+### F-07 — Body size limit (Guidance)
+
+`EXPRESS_BODY_LIMIT` defaults to `10mb`. For pure-JSON APIs, lower it (e.g. `256kb`)
+to reduce the memory-exhaustion surface; raise it only for endpoints that genuinely
+need large payloads.
+
+### F-08 — CSRF (N/A for bearer auth)
+
+The sample auth uses `Authorization: Bearer` tokens, which are not sent automatically
+by browsers, so CSRF does not apply. If you switch to cookie-based sessions, add CSRF
+protection (e.g. double-submit token) and set cookies `HttpOnly`, `Secure`,
+`SameSite`.
+
+### F-09 — Demo credentials and local secrets (Guidance)
+
+`auth.controller.js` ships an in-memory demo user (`demo@example.com` /
+`password123`) so the sample runs without a database — replace it with a real model
+lookup before production. `.env` is git-ignored; never commit it, and rotate any
+secret that was ever committed. The scaffolder (`create-rebe`) generates fresh
+`APP_KEY` and JWT secrets per project.
+
+### F-10 — Rate limit & trust proxy (Guidance)
+
+A global rate limit is on by default (`100` / 15 min / IP). Behind a proxy or load
+balancer, set `EXPRESS_TRUST_PROXY=1` (or the real hop count) so the limiter and logs
+see the true client IP; leaving it at `0` while behind a proxy lets clients share one
+bucket. Do **not** set an overly permissive trust-proxy value when directly exposed —
+it would let clients spoof `X-Forwarded-For`.
+
+## Positive controls
+
+- `helmet` with a restrictive CSP; `x-powered-by` disabled.
+- Only `./public` and `/uploads` are served statically — the full `storage/` root is
+  not exposed.
+- `Common.Hash.equals` uses `crypto.timingSafeEqual`; `Crypt` uses AES-256-GCM
+  (authenticated) with a random IV and salt per message.
+- `Common.Storage` resolves every path inside the storage root and rejects traversal.
+- Graceful shutdown drains the queue and closes connections.
+
+## Production hardening checklist
+
+- [ ] `APP_ENV=production` (hides stack traces).
+- [ ] Set explicit `CORS_ORIGIN` / `SOCKET_CORS_ORIGIN` (no `*`).
+- [ ] Strong, unique `APP_KEY`, `JWT_SECRET`, `JWT_REFRESH_SECRET`; never committed.
+- [ ] `EXPRESS_TRUST_PROXY` matches your proxy topology.
+- [ ] Review `EXPRESS_BODY_LIMIT` and the rate-limit window/max.
+- [ ] Replace demo auth with real user storage and password hashing.
+- [ ] Restrict upload types; treat SVG/HTML as attachments.
+- [ ] Run behind TLS; enable `MAIL_SECURE`/`REDIS_TLS` where applicable.
+- [ ] `npm audit` clean (or risks accepted and tracked).
+- [ ] Single PM2 fork instance, or Redis-backed for multi-instance.
+
+## Reporting
+
+Report vulnerabilities privately to the maintainer rather than via public issues.
+Include a description, affected version, and reproduction steps.

package/template/app/hooks/register.hook.js

@@ -0,0 +1,22 @@
+'use strict'
+
+// Application lifecycle hooks, invoked by the bootstrap core:
+//   before   — config is loaded; services have not started yet
+//   after    — the HTTP server is listening
+//   shutdown — a termination signal was received (cleanup here)
+//
+// Each stage receives a context object ({ config }). Keep them fast and resilient;
+// a thrown error in `before`/`after` aborts boot.
+module.exports = {
+	async before(ctx) {
+		// e.g. warm caches, assert required external services are reachable
+	},
+
+	async after(ctx) {
+		// e.g. emit a "ready" event, register health probes
+	},
+
+	async shutdown(ctx) {
+		// e.g. flush buffers, close third-party clients
+	},
+}

package/template/app/http/controllers/auth.controller.js

@@ -0,0 +1,34 @@
+'use strict'
+
+const bcrypt = require('bcrypt')
+
+const config = require('@config/index')
+const Jwt = require('@core/jwt.core')
+
+// In-memory demo user so the sample runs without a database. The password hash is
+// computed once at load. Replace this with a real model lookup
+// (e.g. Database.model('User').findOne(...)) in a production app.
+const DEMO_USER = { id: 1, email: 'demo@example.com', name: 'Demo User' }
+const DEMO_PASSWORD_HASH = bcrypt.hashSync('password123', config.bcrypt.saltRounds)
+
+class AuthController {
+	// Input is already validated by Validator.make(loginSchema) on the route.
+	static async login({ req, res }) {
+		const { email, password } = req.body
+
+		const ok = email === DEMO_USER.email && (await bcrypt.compare(password, DEMO_PASSWORD_HASH))
+		if (!ok) {
+			return res.status(401).json({ status: false, code: 401, message: 'Invalid credentials', data: null, meta: null })
+		}
+
+		const tokens = Jwt.issue({ sub: DEMO_USER.id, email: DEMO_USER.email })
+		return res.json({ status: true, code: 200, message: 'Login successful', data: { user: DEMO_USER, ...tokens }, meta: null })
+	}
+
+	// Protected by the auth middleware, which sets req.user from the access token.
+	static async me({ req, res }) {
+		return res.json({ status: true, code: 200, message: 'OK', data: req.user, meta: null })
+	}
+}
+
+module.exports = AuthController

package/template/app/http/middlewares/auth.middleware.js

@@ -0,0 +1,25 @@
+'use strict'
+
+const Jwt = require('@core/jwt.core')
+
+// Route middleware: require a valid Bearer access token and expose the decoded
+// payload as req.user. Use per-route as a handle-based middleware:
+//   Routes.get('auth/me', AuthController.me, [Auth])
+class Auth {
+	static handle({ req, res, next }) {
+		const token = Jwt.fromHeader(req.headers.authorization)
+		if (!token) {
+			return res.status(401).json({ status: false, code: 401, message: 'Missing bearer token', data: null, meta: null })
+		}
+
+		const { valid, payload } = Jwt.tryVerify(token)
+		if (!valid) {
+			return res.status(401).json({ status: false, code: 401, message: 'Invalid or expired token', data: null, meta: null })
+		}
+
+		req.user = payload
+		next()
+	}
+}
+
+module.exports = Auth

package/template/app/http/middlewares/register.middleware.js

@@ -0,0 +1,18 @@
+'use strict'
+
+const logger = require('@core/logger.core')
+
+// Global application middleware. The Express core calls this with the app instance
+// during create(), after the security/parsing stack and before routes. Register
+// cross-cutting middleware here.
+module.exports = (app) => {
+	// Lightweight access log: method, URL, status, and latency once the response
+	// has been sent.
+	app.use((req, res, next) => {
+		const start = Date.now()
+		res.on('finish', () => {
+			logger.http(`${req.method} ${req.originalUrl} ${res.statusCode} ${Date.now() - start}ms`)
+		})
+		next()
+	})
+}

package/template/app/http/validators/auth.validator.js

@@ -0,0 +1,8 @@
+'use strict'
+
+const { z } = require('zod')
+
+module.exports.loginSchema = z.object({
+	email: z.string().email(),
+	password: z.string().min(6),
+})

package/template/app/jobs/register.job.js

@@ -0,0 +1,17 @@
+'use strict'
+
+const logger = require('@core/logger.core')
+
+// Cron job definitions. The Cron core calls this function during boot and
+// passes the Cron facade. Declare jobs with Cron.define(name, expression, fn).
+//
+// Expression format (node-cron): second? minute hour day-of-month month day-of-week
+//   '*/5 * * * *'    -> every 5 minutes
+//   '0 0 * * *'      -> every day at midnight
+//   '0 */6 * * *'    -> every 6 hours
+module.exports = (Cron) => {
+	// Heartbeat — handy while developing to confirm the scheduler is alive.
+	Cron.define('heartbeat', '*/30 * * * *', async () => {
+		logger.debug('Cron heartbeat tick')
+	})
+}

package/template/app/queue/register.queue.js

@@ -0,0 +1,11 @@
+'use strict'
+
+// Queue worker definitions. The Queue core calls this function during boot and
+// passes the Queue facade. Register a processor per queue name; dispatch jobs
+// from anywhere with Queue.dispatch('emails', { ... }).
+module.exports = (Queue) => {
+	// sample
+	// Queue.define('name', async (payload) => {
+	//     // action here
+	// }, { concurrency: 2, maxRetries: 3 })
+}

package/template/app/routes/api.route.js

@@ -0,0 +1,18 @@
+'use strict'
+
+const Routes = require('@refkinscallv/express-routing')
+
+const Validator = require('@core/validator.core')
+const AuthController = require('@http/controllers/auth.controller')
+const Auth = require('@http/middlewares/auth.middleware')
+const { loginSchema } = require('@http/validators/auth.validator')
+
+Routes.group('api', () => {
+	Routes.get('status', ({ res }) => {
+		res.json({ status: true, code: 200, message: 'OK', data: null, meta: null })
+	})
+
+	// Sample auth flow (runs without a database; see auth.controller.js).
+	Routes.post('auth/login', AuthController.login, [Validator.make(loginSchema)])
+	Routes.get('auth/me', AuthController.me, [Auth])
+})

package/template/app/routes/register.route.js

@@ -0,0 +1,8 @@
+'use strict'
+
+const Routes = require('@refkinscallv/express-routing')
+
+require('@routes/web.route')
+require('@routes/api.route')
+
+module.exports = Routes

package/template/app/routes/web.route.js

@@ -0,0 +1,7 @@
+'use strict'
+
+const Routes = require('@refkinscallv/express-routing')
+
+Routes.get('', ({ res }) => {
+	res.send('Hello World')
+})

package/template/app/socket/register.socket.js

@@ -0,0 +1,15 @@
+'use strict'
+
+const logger = require('@core/logger.core')
+
+// Socket.IO connection handlers. The socket core calls this with the io server and
+// the Socket facade after the server is attached. Register namespaces, rooms, and
+// event listeners here.
+module.exports = (io, Socket) => {
+	io.on('connection', (socket) => {
+		// Example: echo a ping back to the sender.
+		socket.on('ping', (payload) => {
+			socket.emit('pong', { received: payload, at: Date.now() })
+		})
+	})
+}

package/template/config/app.config.js

@@ -0,0 +1,12 @@
+'use strict'
+
+const Common = require('@core/common.core')
+
+module.exports = {
+	env: Common.getEnv('APP_ENV', 'development'),
+	name: Common.getEnv('APP_NAME', 'rebe'),
+	url: Common.getEnv('APP_URL', 'http://localhost:3000'),
+	port: Common.getEnvInt('APP_PORT', 3000),
+	timezone: Common.getEnv('APP_TIMEZONE', 'UTC'),
+	key: Common.getEnv('APP_KEY'),
+}

package/template/config/bcrypt.config.js

@@ -0,0 +1,7 @@
+'use strict'
+
+const Common = require('@core/common.core')
+
+module.exports = {
+	saltRounds: Common.getEnvInt('BCRYPT_SALT_ROUNDS', 10),
+}

package/template/config/cache.config.js

@@ -0,0 +1,7 @@
+'use strict'
+
+const Common = require('@core/common.core')
+
+module.exports = {
+	ttl: Common.getEnvInt('CACHE_TTL', 3600),
+}

package/template/config/cors.config.js

@@ -0,0 +1,37 @@
+'use strict'
+
+const cors = require('cors')
+
+const Common = require('@core/common.core')
+
+// Allowed origins are read from the environment so deployments can lock CORS down
+// without code changes. A literal '*' means "any origin"; any other value is parsed
+// as a comma-separated allowlist.
+//
+// Security note: the browser CORS spec forbids combining a wildcard origin with
+// `credentials: true`. When the origin is '*' we therefore force credentials off.
+// Set explicit origins (e.g. CORS_ORIGIN=https://app.example.com) to enable
+// credentialed cross-origin requests.
+const expressOrigins = Common.getEnvArray('CORS_ORIGIN', ['*'])
+const socketOrigins = Common.getEnvArray('SOCKET_CORS_ORIGIN', ['*'])
+
+const expressWildcard = expressOrigins.length === 1 && expressOrigins[0] === '*'
+const socketWildcard = socketOrigins.length === 1 && socketOrigins[0] === '*'
+
+module.exports = {
+	express: cors({
+		origin: expressWildcard ? '*' : expressOrigins,
+		methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH'],
+		allowedHeaders: ['Content-Type', 'Authorization'],
+		credentials: Common.getEnvBool('CORS_CREDENTIALS', !expressWildcard),
+		maxAge: Common.getEnvInt('CORS_MAX_AGE', 86400),
+	}),
+	socket: {
+		cors: {
+			origin: socketWildcard ? '*' : socketOrigins,
+			methods: ['GET', 'POST'],
+			allowedHeaders: ['Content-Type', 'Authorization'],
+			credentials: Common.getEnvBool('SOCKET_CORS_CREDENTIALS', !socketWildcard),
+		},
+	},
+}

package/template/config/cron.config.js

@@ -0,0 +1,9 @@
+'use strict'
+
+const Common = require('@core/common.core')
+
+module.exports = {
+	enabled: Common.getEnvBool('CRON_ENABLED', true),
+	timezone: Common.getEnv('CRON_TIMEZONE', 'Asia/Jakarta'),
+	history: Common.getEnvBool('CRON_HISTORY', true),
+}

package/template/config/database.config.js

@@ -0,0 +1,51 @@
+'use strict'
+
+const Common = require('@core/common.core')
+const dialect = Common.getEnv('DB_DIALECT', 'mysql')
+
+const dialectOptions = {
+	mysql: { charset: 'utf8mb4', connectTimeout: Common.getEnvInt('DB_CONNECT_TIMEOUT', 10000) },
+	mariadb: { charset: 'utf8mb4', connectTimeout: Common.getEnvInt('DB_CONNECT_TIMEOUT', 10000) },
+	postgres: { ssl: Common.getEnvBool('DB_SSL', false) ? { rejectUnauthorized: false } : false },
+	mssql: { options: { encrypt: Common.getEnvBool('DB_SSL', false), trustServerCertificate: Common.getEnvBool('DB_TRUST_CERT', true), requestTimeout: Common.getEnvInt('DB_REQUEST_TIMEOUT', 30000) } },
+	sqlite: {},
+}
+
+module.exports = {
+	enabled: Common.getEnvBool('DB_ENABLED', false),
+	dialect,
+	host: Common.getEnv('DB_HOST', 'localhost'),
+	port: Common.getEnvInt('DB_PORT', getDefaultPort(dialect)),
+	username: Common.getEnv('DB_USER', null),
+	password: Common.getEnv('DB_PASS', null),
+	database: Common.getEnv('DB_NAME', null),
+	timezone: Common.getEnv('DB_TIMEZONE', '+00:00'),
+	logging: Common.getEnvBool('DB_LOGGING', false),
+	benchmark: Common.getEnvBool('DB_BENCHMARK', false),
+	logQueryParameters: Common.getEnvBool('DB_LOG_PARAMS', false),
+	define: {
+		underscored: Common.getEnvBool('DB_UNDERSCORED', false),
+		freezeTableName: Common.getEnvBool('DB_FREEZE_TABLE', false),
+		timestamps: Common.getEnvBool('DB_TIMESTAMPS', true),
+		paranoid: Common.getEnvBool('DB_PARANOID', false),
+	},
+	sync: {
+		force: Common.getEnvBool('DB_FORCE', false),
+		alter: Common.getEnvBool('DB_ALTER', false),
+	},
+	pool: {
+		max: Common.getEnvInt('DB_POOL_MAX', 10),
+		min: Common.getEnvInt('DB_POOL_MIN', 0),
+		acquire: Common.getEnvInt('DB_POOL_ACQUIRE', 30000),
+		idle: Common.getEnvInt('DB_POOL_IDLE', 10000),
+	},
+	retry: {
+		max: Common.getEnvInt('DB_RETRY_MAX', 3),
+	},
+	dialectOptions: dialectOptions[dialect] ?? {},
+}
+
+function getDefaultPort(dialect) {
+	const ports = { mysql: 3306, mariadb: 3306, postgres: 5432, mssql: 1433, sqlite: null }
+	return ports[dialect] ?? 3306
+}

package/template/config/express.config.js

@@ -0,0 +1,37 @@
+'use strict'
+
+const Common = require('@core/common.core')
+
+// HTTP layer configuration consumed by express.core.
+//
+// - bodyLimit:  max request body size for json/urlencoded parsers (DoS guard).
+// - trustProxy: number of proxy hops to trust, or false. Required for correct
+//               client IPs behind a load balancer / reverse proxy; also makes
+//               express-rate-limit key on the real client IP. Leave 0/false
+//               when the app is directly exposed.
+// - rateLimit:  global request throttle. Disable per-route logic in app code.
+module.exports = {
+	bodyLimit: Common.getEnv('EXPRESS_BODY_LIMIT', '10mb'),
+	trustProxy: Common.getEnvInt('EXPRESS_TRUST_PROXY', 0),
+	rateLimit: {
+		enabled: Common.getEnvBool('EXPRESS_RATE_LIMIT_ENABLED', true),
+		windowMs: Common.getEnvInt('EXPRESS_RATE_LIMIT_WINDOW_MS', 900000),
+		max: Common.getEnvInt('EXPRESS_RATE_LIMIT_MAX', 100),
+		standardHeaders: true,
+		legacyHeaders: false,
+		message: { status: false, code: 429, message: 'Too many requests', data: null, meta: null },
+	},
+	helmet: {
+		referrerPolicy: {
+			policy: 'origin',
+		},
+		contentSecurityPolicy: {
+			directives: {
+				defaultSrc: ["'self'"],
+				scriptSrc: ["'self'"],
+				imgSrc: ["'self'", 'data:'],
+				connectSrc: ["'self'"],
+			},
+		},
+	},
+}