npm - create-velox-app - Versions diffs - 0.4.2 → 0.4.4 - Mend

create-velox-app 0.4.2 → 0.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (174) hide show

package/dist/templates/auth.js CHANGED Viewed

@@ -1,1143 +1,89 @@
 /**
- * Auth Template
+ * Auth Template (Full-Stack with Authentication)
  *
- * Full authentication template with JWT auth, guards, rate limiting,
- * token rotation, and secure password hashing.
+ * Full-stack workspace template with:
+ * - apps/api: REST API with JWT authentication, guards, rate limiting
+ * - apps/web: React frontend with login/register UI
+ *
+ * Complete authentication system ready for production.
  */
-import { generateSharedFiles, VELOXTS_VERSION } from './shared.js';
+import { compileTemplate } from './compiler.js';
+import { AUTH_CONFIG } from './placeholders.js';
+import { generateRootFiles, generateWebBaseFiles, generateWebStyleFiles } from './shared/index.js';
 // ============================================================================
-// Package.json
+// API Template Compilation
 // ============================================================================
-function generatePackageJson(config) {
-    return JSON.stringify({
-        name: config.projectName,
-        version: '0.0.1',
-        description: 'A VeloxTS application with full authentication',
-        type: 'module',
-        main: 'dist/index.js',
-        scripts: {
-            build: 'tsup',
-            start: 'node dist/index.js',
-            dev: 'tsx watch src/index.ts',
-            'type-check': 'tsc --noEmit',
-            clean: "node -e \"require('fs').rmSync('dist',{recursive:true,force:true});require('fs').rmSync('tsconfig.tsbuildinfo',{force:true})\"",
-            'db:generate': 'prisma generate',
-            'db:push': 'prisma db push',
-            'db:studio': 'prisma studio',
-            postinstall: 'prisma generate',
-        },
-        dependencies: {
-            '@fastify/static': '^8.3.0',
-            '@prisma/adapter-better-sqlite3': '^7.1.0',
-            '@prisma/client': '^7.1.0',
-            '@veloxts/velox': `^${VELOXTS_VERSION}`,
-            bcrypt: '^5.1.1',
-            'better-sqlite3': '^12.5.0',
-            dotenv: '^17.2.3',
-            zod: '^3.24.4',
-        },
-        devDependencies: {
-            '@types/bcrypt': '^5.0.2',
-            prisma: '^7.1.0',
-            tsup: '^8.5.1',
-            tsx: '^4.21.0',
-            typescript: '^5.9.3',
-        },
-    }, null, 2);
+function generateApiPackageJson(config) {
+    return compileTemplate('api/package.auth.json', config);
 }
-// ============================================================================
-// Environment Files
-// ============================================================================
-function generateEnvExample() {
-    return `# Database URL
-# SQLite (local development):
-DATABASE_URL="file:./dev.db"
-# PostgreSQL (production):
-# DATABASE_URL="postgresql://user:password@localhost:5432/myapp"
-# Server Configuration
-PORT=3210
-HOST=0.0.0.0
-NODE_ENV=development
-# API Configuration
-API_PREFIX=/api
-# ============================================================================
-# Authentication (REQUIRED for production)
-# ============================================================================
-# Generate secrets with: openssl rand -base64 64
-#
-# JWT_SECRET=<your-access-token-secret>
-# JWT_REFRESH_SECRET=<your-refresh-token-secret>
-#
-# NOTE: In development mode, temporary secrets will be generated with a warning.
-# Always set these in production!
-# ============================================================================
-# Session Authentication (Alternative to JWT)
-# ============================================================================
-# If using cookie-based sessions instead of JWT, configure these:
-#
-# SESSION_SECRET=<your-session-secret>
-#
-# Generate with: openssl rand -base64 32
-`;
+function generateApiTsConfig() {
+    return compileTemplate('api/tsconfig.json', AUTH_CONFIG);
 }
-// ============================================================================
-// Prisma Schema (with password field)
-// ============================================================================
-function generatePrismaSchema() {
-    return `// Prisma Schema
-//
-// This schema defines the database structure with authentication support.
-// Using SQLite for simplicity - easily swap to PostgreSQL for production.
-generator client {
-  provider = "prisma-client"
-  output   = "../src/generated/prisma"
+function generateApiTsupConfig() {
+    return compileTemplate('api/tsup.config.ts', AUTH_CONFIG);
 }
-datasource db {
-  provider = "sqlite"
+function generateEnvExample(config) {
+    return compileTemplate('api/env.auth', config);
 }
-// ============================================================================
-// User Model
-// ============================================================================
-/// User model with authentication support
-model User {
-  id        String   @id @default(uuid())
-  name      String
-  email     String   @unique
-  password  String?  // Hashed password (optional for social auth)
-  roles     String   @default("[\\"user\\"]") // JSON array of roles
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  @@map("users")
+function generatePrismaSchema() {
+    return compileTemplate('api/prisma/schema.auth.prisma', AUTH_CONFIG);
 }
-`;
+function generatePrismaConfig() {
+    return compileTemplate('api/prisma.config.ts', AUTH_CONFIG);
 }
-// ============================================================================
-// Auth Config
-// ============================================================================
 function generateAuthConfig() {
-    return `/**
- * Authentication Configuration
- *
- * JWT-based authentication configuration.
- *
- * SECURITY: JWT secrets are required from environment variables.
- * The app will fail to start in production without them.
- */
-import type { AuthPluginOptions } from '@veloxts/velox';
-import { prisma } from '../database/index.js';
-// ============================================================================
-// Environment Variable Validation
-// ============================================================================
-/**
- * Gets required JWT secrets from environment variables.
- * Throws a clear error in production if secrets are not configured.
- */
-function getRequiredSecrets(): { jwtSecret: string; refreshSecret: string } {
-  const jwtSecret = process.env.JWT_SECRET;
-  const refreshSecret = process.env.JWT_REFRESH_SECRET;
-  const isDevelopment = process.env.NODE_ENV !== 'production';
-  if (!jwtSecret || !refreshSecret) {
-    if (isDevelopment) {
-      console.warn(
-        '\\n' +
-          '='.repeat(70) +
-          '\\n' +
-          '  WARNING: JWT secrets not configured!\\n' +
-          '  Using temporary development secrets. DO NOT USE IN PRODUCTION!\\n' +
-          '\\n' +
-          '  To configure secrets, add to .env:\\n' +
-          '    JWT_SECRET=<generate with: openssl rand -base64 64>\\n' +
-          '    JWT_REFRESH_SECRET=<generate with: openssl rand -base64 64>\\n' +
-          '='.repeat(70) +
-          '\\n'
-      );
-      return {
-        jwtSecret:
-          jwtSecret || \`dev-only-jwt-secret-\${Math.random().toString(36).substring(2).repeat(4)}\`,
-        refreshSecret:
-          refreshSecret ||
-          \`dev-only-refresh-secret-\${Math.random().toString(36).substring(2).repeat(4)}\`,
-      };
-    }
-    throw new Error(
-      '\\n' +
-        'CRITICAL: JWT secrets are required but not configured.\\n' +
-        '\\n' +
-        'Required environment variables:\\n' +
-        '  - JWT_SECRET: Secret for signing access tokens (64+ characters)\\n' +
-        '  - JWT_REFRESH_SECRET: Secret for signing refresh tokens (64+ characters)\\n' +
-        '\\n' +
-        'Generate secure secrets with:\\n' +
-        '  openssl rand -base64 64\\n' +
-        '\\n' +
-        'Add them to your environment or .env file before starting the server.\\n'
-    );
-  }
-  return { jwtSecret, refreshSecret };
-}
-// ============================================================================
-// Token Revocation Store
-// ============================================================================
-/**
- * In-memory token revocation store.
- *
- * PRODUCTION NOTE: Replace with Redis or database-backed store for:
- * - Persistence across server restarts
- * - Horizontal scaling (multiple server instances)
- */
-class InMemoryTokenStore {
-  private revokedTokens: Map<string, number> = new Map();
-  private usedRefreshTokens: Map<string, string> = new Map();
-  private cleanupInterval: NodeJS.Timeout | null = null;
-  constructor() {
-    this.cleanupInterval = setInterval(() => this.cleanup(), 5 * 60 * 1000);
-  }
-  revoke(jti: string, expiresInMs: number = 7 * 24 * 60 * 60 * 1000): void {
-    this.revokedTokens.set(jti, Date.now() + expiresInMs);
-  }
-  isRevoked(jti: string): boolean {
-    const expiry = this.revokedTokens.get(jti);
-    if (!expiry) return false;
-    if (Date.now() > expiry) {
-      this.revokedTokens.delete(jti);
-      return false;
-    }
-    return true;
-  }
-  markRefreshTokenUsed(jti: string, userId: string): void {
-    this.usedRefreshTokens.set(jti, userId);
-    setTimeout(() => this.usedRefreshTokens.delete(jti), 7 * 24 * 60 * 60 * 1000);
-  }
-  isRefreshTokenUsed(jti: string): string | undefined {
-    return this.usedRefreshTokens.get(jti);
-  }
-  revokeAllUserTokens(userId: string): void {
-    console.warn(
-      \`[Security] Token reuse detected for user \${userId}. \` +
-        'All tokens should be revoked. Implement proper user->token mapping for production.'
-    );
-  }
-  private cleanup(): void {
-    const now = Date.now();
-    for (const [jti, expiry] of this.revokedTokens.entries()) {
-      if (now > expiry) {
-        this.revokedTokens.delete(jti);
-      }
-    }
-  }
-}
-export const tokenStore = new InMemoryTokenStore();
-// ============================================================================
-// Role Parsing
-// ============================================================================
-const ALLOWED_ROLES = ['user', 'admin', 'moderator', 'editor'] as const;
-export function parseUserRoles(rolesJson: string | null): string[] {
-  if (!rolesJson) return ['user'];
-  try {
-    const parsed: unknown = JSON.parse(rolesJson);
-    if (!Array.isArray(parsed)) {
-      return ['user'];
-    }
-    const validRoles = parsed
-      .filter((role): role is string => typeof role === 'string')
-      .filter((role) => ALLOWED_ROLES.includes(role as (typeof ALLOWED_ROLES)[number]));
-    return validRoles.length > 0 ? validRoles : ['user'];
-  } catch {
-    return ['user'];
-  }
-}
-// ============================================================================
-// User Loader
-// ============================================================================
-async function userLoader(userId: string) {
-  const user = await prisma.user.findUnique({
-    where: { id: userId },
-  });
-  if (!user) return null;
-  return {
-    id: user.id,
-    email: user.email,
-    name: user.name,
-    roles: parseUserRoles(user.roles),
-  };
+    return compileTemplate('api/config/auth.ts', AUTH_CONFIG);
 }
-// ============================================================================
-// Auth Configuration
-// ============================================================================
-export function createAuthConfig(): AuthPluginOptions {
-  const { jwtSecret, refreshSecret } = getRequiredSecrets();
-  return {
-    jwt: {
-      secret: jwtSecret,
-      refreshSecret: refreshSecret,
-      accessTokenExpiry: '15m',
-      refreshTokenExpiry: '7d',
-      issuer: 'velox-app',
-      audience: 'velox-app-client',
-    },
-    userLoader,
-    isTokenRevoked: async (jti: string) => tokenStore.isRevoked(jti),
-    rateLimit: {
-      max: 100,
-      windowMs: 60000,
-    },
-  };
-}
-export const authConfig = createAuthConfig();
-`;
-}
-function generateConfigIndexWithAuth() {
-    return `/**
- * Configuration Exports
- */
-export * from './app.js';
-export * from './auth.js';
-`;
+function generateConfigApp(config) {
+    return compileTemplate('api/config/app.ts', config);
 }
-// ============================================================================
-// Auth Procedures
-// ============================================================================
 function generateAuthProcedures() {
-    return `/**
- * Auth Procedures
- *
- * Authentication procedures for user registration, login, and token management.
- *
- * REST Endpoints:
- * - POST /auth/register - Create new account
- * - POST /auth/login    - Authenticate and get tokens
- * - POST /auth/refresh  - Refresh access token
- * - POST /auth/logout   - Revoke current token
- * - GET  /auth/me       - Get current user (protected)
- */
-import {
-  AuthError,
-  authenticated,
-  createAuthRateLimiter,
-  hashPassword,
-  jwtManager,
-  verifyPassword,
-  defineProcedures,
-  procedure,
-  z,
-} from '@veloxts/velox';
-import { authConfig, parseUserRoles, tokenStore } from '../config/index.js';
-import { prisma } from '../database/index.js';
-// ============================================================================
-// Rate Limiter
-// ============================================================================
-const rateLimiter = createAuthRateLimiter({
-  login: {
-    maxAttempts: 5,
-    windowMs: 15 * 60 * 1000,
-    lockoutDurationMs: 15 * 60 * 1000,
-    progressiveBackoff: true,
-  },
-  register: {
-    maxAttempts: 3,
-    windowMs: 60 * 60 * 1000,
-    lockoutDurationMs: 60 * 60 * 1000,
-  },
-  refresh: {
-    maxAttempts: 10,
-    windowMs: 60 * 1000,
-    lockoutDurationMs: 60 * 1000,
-  },
-});
-// ============================================================================
-// Password Blacklist
-// ============================================================================
-const COMMON_PASSWORDS = new Set([
-  'password', 'password123', '12345678', '123456789',
-  'qwerty123', 'letmein', 'welcome', 'admin123',
-]);
-// ============================================================================
-// Schemas
-// ============================================================================
-const PasswordSchema = z
-  .string()
-  .min(12, 'Password must be at least 12 characters')
-  .max(128, 'Password must not exceed 128 characters')
-  .refine((pwd) => /[a-z]/.test(pwd), 'Password must contain at least one lowercase letter')
-  .refine((pwd) => /[A-Z]/.test(pwd), 'Password must contain at least one uppercase letter')
-  .refine((pwd) => /[0-9]/.test(pwd), 'Password must contain at least one number')
-  .refine(
-    (pwd) => !COMMON_PASSWORDS.has(pwd.toLowerCase()),
-    'Password is too common. Please choose a stronger password.'
-  );
-const EmailSchema = z
-  .string()
-  .email('Invalid email address')
-  .transform((email) => email.toLowerCase().trim());
-const RegisterInput = z.object({
-  name: z.string().min(2).max(100).trim(),
-  email: EmailSchema,
-  password: PasswordSchema,
-});
-const LoginInput = z.object({
-  email: EmailSchema,
-  password: z.string().min(1),
-});
-const RefreshInput = z.object({
-  refreshToken: z.string(),
-});
-const TokenResponse = z.object({
-  accessToken: z.string(),
-  refreshToken: z.string(),
-  expiresIn: z.number(),
-  tokenType: z.literal('Bearer'),
-});
-const UserResponse = z.object({
-  id: z.string(),
-  name: z.string(),
-  email: z.string(),
-  roles: z.array(z.string()),
-});
-const LogoutResponse = z.object({
-  success: z.boolean(),
-  message: z.string(),
-});
-// ============================================================================
-// JWT Manager
-// ============================================================================
-const jwt = jwtManager(authConfig.jwt);
-// Dummy hash for timing attack prevention
-const DUMMY_HASH = '$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/X4.uy7dPSSXB5G6Uy';
-// ============================================================================
-// Auth Procedures
-// ============================================================================
-export const authProcedures = defineProcedures('auth', {
-  register: procedure()
-    .rest({ method: 'POST', path: '/auth/register' })
-    .use(rateLimiter.register())
-    .input(RegisterInput)
-    .output(TokenResponse)
-    .mutation(async ({ input }) => {
-      const normalizedEmail = input.email.toLowerCase().trim();
-      const existing = await prisma.user.findUnique({
-        where: { email: normalizedEmail },
-      });
-      if (existing) {
-        throw new AuthError(
-          'Registration failed. If this email is not already registered, please try again.',
-          400,
-          'REGISTRATION_FAILED'
-        );
-      }
-      const hashedPassword = await hashPassword(input.password);
-      const user = await prisma.user.create({
-        data: {
-          name: input.name.trim(),
-          email: normalizedEmail,
-          password: hashedPassword,
-          roles: JSON.stringify(['user']),
-        },
-      });
-      return jwt.createTokenPair({
-        id: user.id,
-        email: user.email,
-        roles: ['user'],
-      });
-    }),
-  login: procedure()
-    .rest({ method: 'POST', path: '/auth/login' })
-    .use(
-      rateLimiter.login((ctx) => {
-        const input = ctx.input as { email?: string } | undefined;
-        return input?.email?.toLowerCase() ?? '';
-      })
-    )
-    .input(LoginInput)
-    .output(TokenResponse)
-    .mutation(async ({ input }) => {
-      const normalizedEmail = input.email.toLowerCase().trim();
-      const user = await prisma.user.findUnique({
-        where: { email: normalizedEmail },
-      });
-      const hashToVerify = user?.password || DUMMY_HASH;
-      const isValid = await verifyPassword(input.password, hashToVerify);
-      if (!user || !user.password || !isValid) {
-        throw new AuthError('Invalid email or password', 401, 'INVALID_CREDENTIALS');
-      }
-      const roles = parseUserRoles(user.roles);
-      return jwt.createTokenPair({
-        id: user.id,
-        email: user.email,
-        roles,
-      });
-    }),
-  refresh: procedure()
-    .rest({ method: 'POST', path: '/auth/refresh' })
-    .use(rateLimiter.refresh())
-    .input(RefreshInput)
-    .output(TokenResponse)
-    .mutation(async ({ input }) => {
-      try {
-        const payload = jwt.verifyToken(input.refreshToken);
-        if (payload.type !== 'refresh') {
-          throw new AuthError('Invalid token type', 401, 'INVALID_TOKEN_TYPE');
-        }
-        if (payload.jti && tokenStore.isRevoked(payload.jti)) {
-          throw new AuthError('Token has been revoked', 401, 'TOKEN_REVOKED');
-        }
-        if (payload.jti) {
-          const previousUserId = tokenStore.isRefreshTokenUsed(payload.jti);
-          if (previousUserId) {
-            tokenStore.revokeAllUserTokens(previousUserId);
-            throw new AuthError(
-              'Security alert: Refresh token reuse detected.',
-              401,
-              'TOKEN_REUSE_DETECTED'
-            );
-          }
-          tokenStore.markRefreshTokenUsed(payload.jti, payload.sub);
-        }
-        const user = await prisma.user.findUnique({
-          where: { id: payload.sub },
-        });
-        if (!user) {
-          throw new AuthError('User not found', 401, 'USER_NOT_FOUND');
-        }
-        return jwt.createTokenPair({
-          id: user.id,
-          email: user.email,
-          roles: parseUserRoles(user.roles),
-        });
-      } catch (error) {
-        if (error instanceof AuthError) throw error;
-        throw new AuthError('Invalid refresh token', 401, 'INVALID_REFRESH_TOKEN');
-      }
-    }),
-  logout: procedure()
-    .rest({ method: 'POST', path: '/auth/logout' })
-    .guard(authenticated)
-    .output(LogoutResponse)
-    .mutation(async ({ ctx }) => {
-      const tokenId = ctx.auth?.token?.jti;
-      if (tokenId) {
-        tokenStore.revoke(tokenId, 15 * 60 * 1000);
-      }
-      return {
-        success: true,
-        message: 'Successfully logged out',
-      };
-    }),
-  getMe: procedure()
-    .rest({ method: 'GET', path: '/auth/me' })
-    .guard(authenticated)
-    .output(UserResponse)
-    .query(async ({ ctx }) => {
-      const user = ctx.user;
-      if (!user) {
-        throw new AuthError('Not authenticated', 401, 'NOT_AUTHENTICATED');
-      }
-      return {
-        id: user.id,
-        name: (user.name as string) || '',
-        email: user.email,
-        roles: Array.isArray(user.roles) ? user.roles : ['user'],
-      };
-    }),
-});
-`;
+    return compileTemplate('api/procedures/auth.ts', AUTH_CONFIG);
 }
-// ============================================================================
-// User Procedures (with guards)
-// ============================================================================
 function generateUserProceduresWithAuth() {
-    return `/**
- * User Procedures
- *
- * CRUD procedures for user management with authentication guards.
- */
-import {
-  AuthError,
-  authenticated,
-  hasRole,
-  defineProcedures,
-  GuardError,
-  procedure,
-  paginationInputSchema,
-  z,
-} from '@veloxts/velox';
-import {
-  CreateUserInput,
-  UpdateUserInput,
-  type User,
-  UserSchema,
-} from '../schemas/user.js';
-// ============================================================================
-// Database Types
-// ============================================================================
-interface DbUser {
-  id: string;
-  name: string;
-  email: string;
-  createdAt: Date;
-  updatedAt: Date;
-}
-interface DbClient {
-  user: {
-    findUnique: (args: { where: { id: string } }) => Promise<DbUser | null>;
-    findMany: (args?: { skip?: number; take?: number }) => Promise<DbUser[]>;
-    create: (args: { data: { name: string; email: string } }) => Promise<DbUser>;
-    update: (args: { where: { id: string }; data: { name?: string; email?: string } }) => Promise<DbUser>;
-    delete: (args: { where: { id: string } }) => Promise<DbUser>;
-    count: () => Promise<number>;
-  };
-}
-function getDb(ctx: { db: unknown }): DbClient {
-  return ctx.db as DbClient;
-}
-function toUserResponse(dbUser: DbUser): User {
-  return {
-    id: dbUser.id,
-    name: dbUser.name,
-    email: dbUser.email,
-    createdAt: dbUser.createdAt instanceof Date ? dbUser.createdAt.toISOString() : dbUser.createdAt,
-    updatedAt: dbUser.updatedAt instanceof Date ? dbUser.updatedAt.toISOString() : dbUser.updatedAt,
-  };
-}
-// ============================================================================
-// User Procedures
-// ============================================================================
-export const userProcedures = defineProcedures('users', {
-  getUser: procedure()
-    .input(z.object({ id: z.string().uuid() }))
-    .output(UserSchema.nullable())
-    .query(async ({ input, ctx }) => {
-      const db = getDb(ctx);
-      const user = await db.user.findUnique({ where: { id: input.id } });
-      return user ? toUserResponse(user) : null;
-    }),
-  listUsers: procedure()
-    .input(paginationInputSchema.optional())
-    .output(
-      z.object({
-        data: z.array(UserSchema),
-        meta: z.object({
-          page: z.number(),
-          limit: z.number(),
-          total: z.number(),
-        }),
-      })
-    )
-    .query(async ({ input, ctx }) => {
-      const db = getDb(ctx);
-      const page = input?.page ?? 1;
-      const limit = input?.limit ?? 10;
-      const skip = (page - 1) * limit;
-      const [dbUsers, total] = await Promise.all([
-        db.user.findMany({ skip, take: limit }),
-        db.user.count(),
-      ]);
-      return {
-        data: dbUsers.map(toUserResponse),
-        meta: { page, limit, total },
-      };
-    }),
-  createUser: procedure()
-    .guard(authenticated)
-    .input(CreateUserInput)
-    .output(UserSchema)
-    .mutation(async ({ input, ctx }) => {
-      const db = getDb(ctx);
-      const user = await db.user.create({ data: input });
-      return toUserResponse(user);
-    }),
-  updateUser: procedure()
-    .guard(authenticated)
-    .input(z.object({ id: z.string().uuid() }).merge(UpdateUserInput))
-    .output(UserSchema)
-    .mutation(async ({ input, ctx }) => {
-      const db = getDb(ctx);
-      const { id, ...data } = input;
-      if (!ctx.user) {
-        throw new AuthError('Authentication required', 401, 'NOT_AUTHENTICATED');
-      }
-      const isOwner = ctx.user.id === id;
-      const isAdmin = Array.isArray(ctx.user.roles) && ctx.user.roles.includes('admin');
-      if (!isOwner && !isAdmin) {
-        throw new GuardError('ownership', 'You can only update your own profile', 403);
-      }
-      const updated = await db.user.update({ where: { id }, data });
-      return toUserResponse(updated);
-    }),
-  patchUser: procedure()
-    .guard(authenticated)
-    .input(z.object({ id: z.string().uuid() }).merge(UpdateUserInput))
-    .output(UserSchema)
-    .mutation(async ({ input, ctx }) => {
-      const db = getDb(ctx);
-      const { id, ...data } = input;
-      if (!ctx.user) {
-        throw new AuthError('Authentication required', 401, 'NOT_AUTHENTICATED');
-      }
-      const isOwner = ctx.user.id === id;
-      const isAdmin = Array.isArray(ctx.user.roles) && ctx.user.roles.includes('admin');
-      if (!isOwner && !isAdmin) {
-        throw new GuardError('ownership', 'You can only update your own profile', 403);
-      }
-      const updated = await db.user.update({ where: { id }, data });
-      return toUserResponse(updated);
-    }),
-  deleteUser: procedure()
-    .guard(hasRole('admin'))
-    .input(z.object({ id: z.string().uuid() }))
-    .output(z.object({ success: z.boolean() }))
-    .mutation(async ({ input, ctx }) => {
-      const db = getDb(ctx);
-      await db.user.delete({ where: { id: input.id } });
-      return { success: true };
-    }),
-});
-`;
+    return compileTemplate('api/procedures/users.auth.ts', AUTH_CONFIG);
 }
-// ============================================================================
-// Entry Point (with auth plugin)
-// ============================================================================
 function generateIndexTs() {
-    return `/**
- * Application Entry Point
- */
-import 'dotenv/config';
-import path from 'node:path';
-import fastifyStatic from '@fastify/static';
-import {
-  veloxApp,
-  VELOX_VERSION,
-  databasePlugin,
-  authPlugin,
-  rest,
-  getRouteSummary,
-} from '@veloxts/velox';
-import { authConfig, config } from './config/index.js';
-import { prisma } from './database/index.js';
-import { authProcedures, healthProcedures, userProcedures } from './procedures/index.js';
-// ============================================================================
-// Application Bootstrap
-// ============================================================================
-async function createApp() {
-  const app = await veloxApp({
-    port: config.port,
-    host: config.host,
-    logger: config.logger,
-  });
-  // Register database plugin
-  await app.register(databasePlugin({ client: prisma }));
-  // Register auth plugin
-  await app.register(authPlugin(authConfig));
-  console.log('[Auth] JWT authentication enabled');
-  // Register static file serving
-  await app.server.register(fastifyStatic, {
-    root: path.join(process.cwd(), 'public'),
-    prefix: '/',
-  });
-  // Register REST API routes
-  const collections = [authProcedures, userProcedures, healthProcedures];
-  app.routes(rest(collections, { prefix: config.apiPrefix }));
-  return { app, collections };
-}
-function printBanner(collections: Parameters<typeof getRouteSummary>[0]) {
-  const divider = '═'.repeat(50);
-  console.log(\`\\n\${divider}\`);
-  console.log(\`  VeloxTS Application v\${VELOX_VERSION}\`);
-  console.log(\`  Environment: \${config.env}\`);
-  console.log(divider);
-  const routes = getRouteSummary(collections);
-  console.log('\\n📍 Registered Routes:\\n');
-  for (const route of routes) {
-    const method = route.method.padEnd(6);
-    const path = route.path.padEnd(25);
-    console.log(\`   \${method} \${path} → \${route.namespace}.\${route.procedure}\`);
-  }
-  console.log(\`\\n\${divider}\`);
-  console.log(\`  Frontend: http://localhost:\${config.port}\`);
-  console.log(\`  REST API: http://localhost:\${config.port}\${config.apiPrefix}\`);
-  console.log(\`\${divider}\\n\`);
-  console.log('📝 Example requests:\\n');
-  console.log('   # Register');
-  console.log(\`   curl -X POST http://localhost:\${config.port}\${config.apiPrefix}/auth/register \\\\\`);
-  console.log('        -H "Content-Type: application/json" \\\\');
-  console.log('        -d \\'{"name":"John Doe","email":"john@example.com","password":"SecurePass123"}\\'');
-  console.log('');
-  console.log('   # Login');
-  console.log(\`   curl -X POST http://localhost:\${config.port}\${config.apiPrefix}/auth/login \\\\\`);
-  console.log('        -H "Content-Type: application/json" \\\\');
-  console.log('        -d \\'{"email":"john@example.com","password":"SecurePass123"}\\'');
-  console.log('');
-  console.log('   # Protected endpoint');
-  console.log(\`   curl http://localhost:\${config.port}\${config.apiPrefix}/auth/me \\\\\`);
-  console.log('        -H "Authorization: Bearer <your-access-token>"');
-  console.log('');
-}
-async function main() {
-  try {
-    const { app, collections } = await createApp();
-    await app.start();
-    printBanner(collections);
-  } catch (error) {
-    console.error('Failed to start application:', error);
-    process.exit(1);
-  }
-}
-main();
-`;
+    return compileTemplate('api/index.auth.ts', AUTH_CONFIG);
 }
-function generateDatabaseIndex() {
-    return `/**
- * Database Client (Prisma 7.x)
- */
-import { PrismaBetterSqlite3 } from '@prisma/adapter-better-sqlite3';
-import { PrismaClient } from '../generated/prisma/client.js';
-if (!process.env.DATABASE_URL) {
-  throw new Error('DATABASE_URL environment variable is required');
-}
-const adapter = new PrismaBetterSqlite3({ url: process.env.DATABASE_URL });
-export const prisma = new PrismaClient({ adapter });
-`;
+function generateConfigDatabase() {
+    return compileTemplate('api/config/database.ts', AUTH_CONFIG);
 }
-function generateProceduresIndex() {
-    return `/**
- * Procedure Exports
- */
-export * from './auth.js';
-export * from './health.js';
-export * from './users.js';
-`;
-}
-function generateSchemasIndex() {
-    return `/**
- * Schema Exports
- */
-export * from './user.js';
-`;
+function generateHealthProcedures() {
+    return compileTemplate('api/procedures/health.ts', AUTH_CONFIG);
 }
 function generateUserSchema() {
-    return `/**
- * User Schemas
- */
-import { createIdSchema, emailSchema, z } from '@veloxts/velox';
-export const UserSchema = z.object({
-  id: createIdSchema('uuid'),
-  name: z.string().min(1).max(100),
-  email: emailSchema,
-  createdAt: z.coerce.date().transform((d) => d.toISOString()),
-  updatedAt: z.coerce.date().transform((d) => d.toISOString()),
-});
-export type User = z.infer<typeof UserSchema>;
-export const CreateUserInput = z.object({
-  name: z.string().min(1).max(100),
-  email: emailSchema,
-});
-export type CreateUserData = z.infer<typeof CreateUserInput>;
-export const UpdateUserInput = z.object({
-  name: z.string().min(1).max(100).optional(),
-  email: emailSchema.optional(),
-});
-export type UpdateUserData = z.infer<typeof UpdateUserInput>;
-`;
-}
-// ============================================================================
-// CLAUDE.md for Auth
-// ============================================================================
-function generateClaudeMd(config) {
-    return `# CLAUDE.md
-This file provides guidance to Claude Code and other AI assistants when working with this VeloxTS project.
-## Project Overview
-**${config.projectName}** is a VeloxTS application with full JWT authentication.
-**Features:**
-- JWT authentication with access/refresh tokens
-- Rate limiting on auth endpoints
-- Token rotation with reuse detection
-- Role-based authorization guards
-- Strong password requirements
-## Commands
-\`\`\`bash
-${config.packageManager} dev          # Start development server
-${config.packageManager} build        # Build for production
-${config.packageManager} db:push      # Push database schema
-${config.packageManager} db:studio    # Open Prisma Studio
-\`\`\`
-## Authentication
-### Endpoints
-| Endpoint | Method | Description |
-|----------|--------|-------------|
-| \`/auth/register\` | POST | Create new account |
-| \`/auth/login\` | POST | Login and get tokens |
-| \`/auth/refresh\` | POST | Refresh access token |
-| \`/auth/logout\` | POST | Revoke current token |
-| \`/auth/me\` | GET | Get current user (protected) |
-### Usage
-1. **Register/Login** to get tokens
-2. **Include token** in Authorization header: \`Bearer <accessToken>\`
-3. **Refresh token** when access token expires
-### Security Features
-- **Rate Limiting**: Login 5/15min, Register 3/hour
-- **Token Rotation**: Refresh tokens are single-use
-- **Reuse Detection**: Token reuse triggers security alert
-- **Password Policy**: 12+ chars, uppercase, lowercase, number
-## Guards
-\`\`\`typescript
-// Require authentication
-procedure().guard(authenticated)
-// Require specific role
-procedure().guard(hasRole('admin'))
-// Custom owner-or-admin check
-if (!isOwner && !isAdmin) {
-  throw new GuardError('ownership', 'Access denied', 403);
-}
-\`\`\`
-## Alternative: Session-Based Authentication
-VeloxTS also supports cookie-based session authentication as an alternative to JWT.
-Session auth is useful for:
-- Traditional web applications with server-side rendering
-- Applications where token storage in the browser is a concern
-- Simple authentication flows without refresh token management
-\`\`\`typescript
-import { sessionMiddleware, loginSession, logoutSession } from '@veloxts/velox';
-// Create session middleware
-const session = sessionMiddleware({
-  secret: process.env.SESSION_SECRET!,
-  cookie: { secure: true, httpOnly: true, sameSite: 'lax' },
-  expiration: { ttl: 86400, sliding: true },
-  userLoader: async (userId) => prisma.user.findUnique({ where: { id: userId } }),
-});
-// Use in procedures
-const getProfile = procedure()
-  .use(session.requireAuth())
-  .query(async ({ ctx }) => ctx.user);
-// Login helper
-await loginSession(ctx.session, user); // Regenerates session ID
-// Logout helper
-await logoutSession(ctx.session); // Destroys session
-\`\`\`
-## Environment Variables
-\`\`\`bash
-# Required for JWT authentication
-JWT_SECRET=<64+ chars>
-JWT_REFRESH_SECRET=<64+ chars>
-# Generate with: openssl rand -base64 64
-# Required for session-based authentication (alternative to JWT)
-SESSION_SECRET=<32+ chars>
-# Generate with: openssl rand -base64 32
-\`\`\`
-## Project Structure
-\`\`\`
-src/
-├── config/
-│   ├── app.ts         # App configuration
-│   └── auth.ts        # Auth configuration + token store
-├── procedures/
-│   ├── auth.ts        # Auth endpoints
-│   ├── users.ts       # User CRUD with guards
-│   └── health.ts      # Health check
-├── schemas/
-│   └── user.ts        # Zod schemas
-└── index.ts           # Entry point
-\`\`\`
-`;
+    return compileTemplate('api/schemas/user.ts', AUTH_CONFIG);
 }
 // ============================================================================
 // Auth Template Generator
 // ============================================================================
 export function generateAuthTemplate(config) {
     const files = [
-        // Root files
-        { path: 'package.json', content: generatePackageJson(config) },
-        { path: '.env.example', content: generateEnvExample() },
-        { path: '.env', content: generateEnvExample() },
-        { path: 'CLAUDE.md', content: generateClaudeMd(config) },
+        // API package files
+        { path: 'apps/api/package.json', content: generateApiPackageJson(config) },
+        { path: 'apps/api/tsconfig.json', content: generateApiTsConfig() },
+        { path: 'apps/api/tsup.config.ts', content: generateApiTsupConfig() },
+        { path: 'apps/api/prisma.config.ts', content: generatePrismaConfig() },
+        { path: 'apps/api/.env.example', content: generateEnvExample(config) },
+        { path: 'apps/api/.env', content: generateEnvExample(config) },
         // Prisma
-        { path: 'prisma/schema.prisma', content: generatePrismaSchema() },
-        // Source files
-        { path: 'src/index.ts', content: generateIndexTs() },
-        { path: 'src/config/index.ts', content: generateConfigIndexWithAuth() },
-        { path: 'src/config/auth.ts', content: generateAuthConfig() },
-        { path: 'src/database/index.ts', content: generateDatabaseIndex() },
-        { path: 'src/procedures/index.ts', content: generateProceduresIndex() },
-        { path: 'src/procedures/auth.ts', content: generateAuthProcedures() },
-        { path: 'src/procedures/users.ts', content: generateUserProceduresWithAuth() },
-        { path: 'src/schemas/index.ts', content: generateSchemasIndex() },
-        { path: 'src/schemas/user.ts', content: generateUserSchema() },
+        { path: 'apps/api/prisma/schema.prisma', content: generatePrismaSchema() },
+        // API Source files
+        { path: 'apps/api/src/index.ts', content: generateIndexTs() },
+        { path: 'apps/api/src/config/app.ts', content: generateConfigApp(config) },
+        { path: 'apps/api/src/config/auth.ts', content: generateAuthConfig() },
+        { path: 'apps/api/src/config/database.ts', content: generateConfigDatabase() },
+        { path: 'apps/api/src/procedures/health.ts', content: generateHealthProcedures() },
+        { path: 'apps/api/src/procedures/auth.ts', content: generateAuthProcedures() },
+        { path: 'apps/api/src/procedures/users.ts', content: generateUserProceduresWithAuth() },
+        { path: 'apps/api/src/schemas/user.ts', content: generateUserSchema() },
     ];
-    // Add shared files, but filter out config/index.ts since auth template has its own
-    const sharedFiles = generateSharedFiles(config).filter((file) => file.path !== 'src/config/index.ts');
-    return [...files, ...sharedFiles];
+    // Add root workspace files
+    const rootFiles = generateRootFiles(config, true);
+    // Add web package files (with auth UI)
+    const webBaseFiles = generateWebBaseFiles(config, true);
+    const webStyleFiles = generateWebStyleFiles();
+    return [...files, ...rootFiles, ...webBaseFiles, ...webStyleFiles];
 }
 //# sourceMappingURL=auth.js.map