forgedev 1.0.0

package/templates/claude-code/skills/security-api/SKILL.md

@@ -0,0 +1,47 @@
+---
+name: Security (API)
+description: API security best practices
+---
+
+# API Security
+
+## Authentication & Authorization
+- Use JWT tokens with short expiration (15-30 min)
+- Implement refresh token rotation
+- Hash passwords with bcrypt (passlib)
+- Use `Depends(get_current_user)` on all protected endpoints
+- Implement role-based access control (RBAC)
+
+## Input Validation
+- Validate all input with Pydantic models
+- Set max lengths on string fields
+- Validate email formats, URLs, phone numbers
+- Reject unexpected fields (Pydantic does this by default)
+- Validate file uploads (size, type, extension)
+
+## SQL Injection Prevention
+- Use SQLAlchemy ORM — never raw SQL strings
+- If raw SQL needed, use `text()` with bound parameters
+- Never interpolate user input into queries
+
+## Rate Limiting
+- Implement per-IP rate limiting on auth endpoints
+- Use sliding window or token bucket algorithms
+- Return `429 Too Many Requests` with `Retry-After` header
+
+## CORS
+- Whitelist specific origins, never use `*` in production
+- Restrict allowed methods and headers
+- Set `allow_credentials=True` only when needed
+
+## Error Handling
+- Never expose stack traces to clients
+- Use generic error messages for auth failures
+- Log detailed errors server-side only
+- Return structured error responses: `{ error: { code, message } }`
+
+## Secrets Management
+- Store secrets in environment variables, never in code
+- Use `.env.example` for documentation (no real values)
+- Rotate secrets regularly
+- Never log secrets or include in error responses

package/templates/claude-code/skills/security-web/SKILL.md

@@ -0,0 +1,41 @@
+---
+name: Security (Web)
+description: Web application security best practices
+---
+
+# Web Application Security
+
+## XSS Prevention
+- React escapes by default — never use `dangerouslySetInnerHTML`
+- Sanitize user input before rendering
+- Use Content Security Policy headers
+- Validate URLs before using in `href` or `src`
+
+## CSRF Protection
+- Use SameSite cookies (Lax or Strict)
+- NextAuth handles CSRF tokens automatically
+- For custom forms, include CSRF tokens in hidden fields
+
+## Authentication
+- Store tokens in httpOnly cookies, never localStorage
+- Use secure, SameSite cookies in production
+- Implement proper session expiration
+- Rate limit login attempts
+
+## Headers
+- Set `X-Content-Type-Options: nosniff`
+- Set `X-Frame-Options: DENY`
+- Set `Strict-Transport-Security` for HTTPS
+- Configure CSP to restrict script sources
+
+## Input Validation
+- Validate all user input with Zod schemas
+- Validate on both client and server
+- Never trust client-side validation alone
+- Sanitize file uploads (check MIME type, size, extension)
+
+## Data Exposure
+- Never return sensitive fields (passwords, tokens) in API responses
+- Use Prisma `select` or `omit` to control returned fields
+- Never log sensitive data
+- Strip internal IDs from client-facing responses when possible

package/templates/database/prisma-postgres/.env.example

@@ -0,0 +1 @@
+DATABASE_URL="postgresql://postgres:postgres@localhost:5432/{{PROJECT_NAME_SNAKE}}"

package/templates/database/prisma-postgres/prisma/schema.prisma.template

@@ -0,0 +1,18 @@
+generator client {
+  provider = "prisma-client-js"
+}
+
+datasource db {
+  provider = "postgresql"
+  url      = env("DATABASE_URL")
+}
+
+// Add your models below
+// Example:
+// model User {
+//   id        String   @id @default(cuid())
+//   email     String   @unique
+//   name      String?
+//   createdAt DateTime @default(now())
+//   updatedAt DateTime @updatedAt
+// }

package/templates/database/sqlalchemy-postgres/.env.example

@@ -0,0 +1 @@
+DATABASE_URL="postgresql+asyncpg://postgres:postgres@localhost:5432/{{PROJECT_NAME_SNAKE}}"

package/templates/database/sqlalchemy-postgres/backend/alembic/env.py.template

@@ -0,0 +1,40 @@
+import asyncio
+from logging.config import fileConfig
+
+from alembic import context
+from sqlalchemy.ext.asyncio import create_async_engine
+
+from app.core.config import settings
+from app.db.base import Base
+
+config = context.config
+if config.config_file_name is not None:
+    fileConfig(config.config_file_name)
+
+target_metadata = Base.metadata
+
+
+def run_migrations_offline() -> None:
+    url = settings.database_url
+    context.configure(url=url, target_metadata=target_metadata, literal_binds=True)
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def do_run_migrations(connection):
+    context.configure(connection=connection, target_metadata=target_metadata)
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+async def run_migrations_online() -> None:
+    connectable = create_async_engine(settings.database_url)
+    async with connectable.connect() as connection:
+        await connection.run_sync(do_run_migrations)
+    await connectable.dispose()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    asyncio.run(run_migrations_online())

package/templates/database/sqlalchemy-postgres/backend/alembic.ini.template

@@ -0,0 +1,36 @@
+[alembic]
+script_location = alembic
+sqlalchemy.url = postgresql+asyncpg://postgres:postgres@localhost:5432/{{PROJECT_NAME_SNAKE}}
+
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARN
+handlers = console
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S

package/templates/database/sqlalchemy-postgres/backend/app/db/base.py

@@ -0,0 +1,5 @@
+from sqlalchemy.orm import DeclarativeBase
+
+
+class Base(DeclarativeBase):
+    pass

package/templates/database/sqlalchemy-postgres/backend/app/db/session.py.template

@@ -0,0 +1,48 @@
+import asyncio
+import logging
+
+from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_async_engine
+
+from app.core.config import settings
+
+logger = logging.getLogger(__name__)
+
+engine = create_async_engine(
+    settings.database_url,
+    echo=settings.debug,
+    pool_size=5,
+    max_overflow=10,
+    pool_pre_ping=True,
+)
+
+async_session = async_sessionmaker(engine, class_=AsyncSession, expire_on_commit=False)
+
+
+async def connect_with_retry(
+    engine, max_retries: int = 3, base_delay: float = 1.0
+) -> None:
+    """Attempt database connection with exponential backoff."""
+    for attempt in range(1, max_retries + 1):
+        try:
+            async with engine.connect() as conn:
+                await conn.execute(
+                    __import__("sqlalchemy").text("SELECT 1")
+                )
+            logger.info("Database connected successfully")
+            return
+        except Exception as e:
+            if attempt == max_retries:
+                logger.error(f"Database connection failed after {max_retries} attempts: {e}")
+                raise
+            delay = base_delay * (2 ** (attempt - 1))
+            logger.warning(
+                f"Database connection attempt {attempt}/{max_retries} failed. "
+                f"Retrying in {delay:.1f}s..."
+            )
+            await asyncio.sleep(delay)
+
+
+async def get_db():
+    """Dependency for FastAPI endpoints."""
+    async with async_session() as session:
+        yield session

package/templates/frontend/nextjs/next.config.ts.template

@@ -0,0 +1,7 @@
+import type { NextConfig } from 'next';
+
+const nextConfig: NextConfig = {
+  // {{PROJECT_NAME}} configuration
+};
+
+export default nextConfig;

package/templates/frontend/nextjs/package.json.template

@@ -0,0 +1,41 @@
+{
+  "name": "{{PROJECT_NAME}}",
+  "version": "0.1.0",
+  "private": true,
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "lint": "eslint .",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:e2e": "playwright test",
+    "db:push": "prisma db push",
+    "db:studio": "prisma studio",
+    "db:generate": "prisma generate"
+  },
+  "dependencies": {
+    "next": "^15.3.0",
+    "react": "^19.1.0",
+    "react-dom": "^19.1.0",
+    "@prisma/client": "^6.6.0",
+    "clsx": "^2.1.1",
+    "tailwind-merge": "^3.2.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.8.3",
+    "@types/node": "^22.14.0",
+    "@types/react": "^19.1.0",
+    "@types/react-dom": "^19.1.0",
+    "tailwindcss": "^4.1.3",
+    "@tailwindcss/postcss": "^4.1.3",
+    "postcss": "^8.5.3",
+    "eslint": "^9.25.0",
+    "eslint-config-next": "^15.3.0",
+    "prisma": "^6.6.0",
+    "vitest": "^3.1.1",
+    "@playwright/test": "^1.52.0",
+    "@testing-library/react": "^16.3.0"
+  }
+}

package/templates/frontend/nextjs/postcss.config.mjs

@@ -0,0 +1,7 @@
+const config = {
+  plugins: {
+    "@tailwindcss/postcss": {},
+  },
+};
+
+export default config;

package/templates/frontend/nextjs/src/app/api/health/route.ts.template

@@ -0,0 +1,10 @@
+import { NextResponse } from 'next/server';
+
+export async function GET() {
+  return NextResponse.json({
+    status: 'ok',
+    timestamp: new Date().toISOString(),
+    uptime: process.uptime(),
+    service: '{{PROJECT_NAME}}',
+  });
+}

package/templates/frontend/nextjs/src/app/globals.css

@@ -0,0 +1 @@
+@import "tailwindcss";

package/templates/frontend/nextjs/src/app/layout.tsx.template

@@ -0,0 +1,22 @@
+import type { Metadata } from 'next';
+import { Inter } from 'next/font/google';
+import './globals.css';
+
+const inter = Inter({ subsets: ['latin'] });
+
+export const metadata: Metadata = {
+  title: '{{PROJECT_NAME_PASCAL}}',
+  description: '{{STACK_DESCRIPTION}}',
+};
+
+export default function RootLayout({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
+  return (
+    <html lang="en">
+      <body className={inter.className}>{children}</body>
+    </html>
+  );
+}

package/templates/frontend/nextjs/src/app/page.tsx.template

@@ -0,0 +1,10 @@
+export default function Home() {
+  return (
+    <main className="flex min-h-screen flex-col items-center justify-center p-24">
+      <h1 className="text-4xl font-bold mb-4">{{PROJECT_NAME_PASCAL}}</h1>
+      <p className="text-lg text-gray-600">
+        Your project is ready. Start building!
+      </p>
+    </main>
+  );
+}

package/templates/frontend/nextjs/src/lib/db.ts.template

@@ -0,0 +1,40 @@
+import { PrismaClient } from '@prisma/client';
+
+const MAX_RETRIES = 3;
+const RETRY_DELAY_MS = 1000;
+
+async function connectWithRetry(prisma: PrismaClient, retries = MAX_RETRIES): Promise<void> {
+  for (let attempt = 1; attempt <= retries; attempt++) {
+    try {
+      await prisma.$connect();
+      return;
+    } catch (error) {
+      if (attempt === retries) throw error;
+      const delay = RETRY_DELAY_MS * Math.pow(2, attempt - 1);
+      console.warn(`Database connection attempt ${attempt} failed. Retrying in ${delay}ms...`);
+      await new Promise((resolve) => setTimeout(resolve, delay));
+    }
+  }
+}
+
+const globalForPrisma = globalThis as unknown as { prisma: PrismaClient };
+
+export const prisma =
+  globalForPrisma.prisma ??
+  new PrismaClient({
+    log: process.env.NODE_ENV === 'development' ? ['query', 'error', 'warn'] : ['error'],
+  });
+
+if (process.env.NODE_ENV !== 'production') {
+  globalForPrisma.prisma = prisma;
+}
+
+// Graceful shutdown
+const shutdownHandler = async () => {
+  await prisma.$disconnect();
+};
+
+process.on('SIGTERM', shutdownHandler);
+process.on('SIGINT', shutdownHandler);
+
+export { connectWithRetry };

package/templates/frontend/nextjs/src/lib/errors.ts

@@ -0,0 +1,28 @@
+import { NextResponse } from 'next/server';
+
+export class AppError extends Error {
+  constructor(
+    message: string,
+    public statusCode: number = 500,
+    public code: string = 'INTERNAL_ERROR'
+  ) {
+    super(message);
+    this.name = 'AppError';
+  }
+}
+
+export function errorResponse(error: unknown) {
+  if (error instanceof AppError) {
+    return NextResponse.json(
+      { error: { code: error.code, message: error.message } },
+      { status: error.statusCode }
+    );
+  }
+
+  // Never leak internal error details
+  console.error('Unhandled error:', error);
+  return NextResponse.json(
+    { error: { code: 'INTERNAL_ERROR', message: 'An unexpected error occurred' } },
+    { status: 500 }
+  );
+}

package/templates/frontend/nextjs/src/lib/utils.ts

@@ -0,0 +1,6 @@
+import { clsx, type ClassValue } from 'clsx';
+import { twMerge } from 'tailwind-merge';
+
+export function cn(...inputs: ClassValue[]) {
+  return twMerge(clsx(inputs));
+}

package/templates/frontend/nextjs/tsconfig.json

@@ -0,0 +1,23 @@
+{
+  "compilerOptions": {
+    "target": "ES2017",
+    "lib": ["dom", "dom.iterable", "esnext"],
+    "allowJs": true,
+    "skipLibCheck": true,
+    "strict": true,
+    "noEmit": true,
+    "esModuleInterop": true,
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "jsx": "preserve",
+    "incremental": true,
+    "plugins": [{ "name": "next" }],
+    "paths": {
+      "@/*": ["./src/*"]
+    }
+  },
+  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
+  "exclude": ["node_modules"]
+}

package/templates/infra/docker-compose/docker-compose.yml.template

@@ -0,0 +1,19 @@
+services:
+  postgres:
+    image: postgres:17-alpine
+    environment:
+      POSTGRES_DB: {{PROJECT_NAME_SNAKE}}
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: postgres
+    ports:
+      - "5432:5432"
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+volumes:
+  postgres_data:

package/templates/testing/playwright/e2e/example.spec.ts.template

@@ -0,0 +1,15 @@
+import { test, expect } from '@playwright/test';
+
+test.describe('{{PROJECT_NAME_PASCAL}} E2E', () => {
+  test('home page loads', async ({ page }) => {
+    await page.goto('/');
+    await expect(page).toHaveTitle(/{{PROJECT_NAME_PASCAL}}/);
+  });
+
+  test('health endpoint responds', async ({ request }) => {
+    const response = await request.get('/api/health');
+    expect(response.ok()).toBeTruthy();
+    const body = await response.json();
+    expect(body.status).toBe('ok');
+  });
+});

package/templates/testing/playwright/playwright.config.ts.template

@@ -0,0 +1,22 @@
+import { defineConfig, devices } from '@playwright/test';
+
+export default defineConfig({
+  testDir: './e2e',
+  fullyParallel: true,
+  forbidOnly: !!process.env.CI,
+  retries: process.env.CI ? 2 : 0,
+  workers: process.env.CI ? 1 : undefined,
+  reporter: 'html',
+  use: {
+    baseURL: 'http://localhost:3000',
+    trace: 'on-first-retry',
+  },
+  projects: [
+    { name: 'chromium', use: { ...devices['Desktop Chrome'] } },
+  ],
+  webServer: {
+    command: 'npm run dev',
+    url: 'http://localhost:3000',
+    reuseExistingServer: !process.env.CI,
+  },
+});

package/templates/testing/vitest/src/__tests__/example.test.ts.template

@@ -0,0 +1,12 @@
+import { describe, it, expect } from 'vitest';
+
+describe('{{PROJECT_NAME_PASCAL}}', () => {
+  it('should pass a basic test', () => {
+    expect(1 + 1).toBe(2);
+  });
+
+  it('should have the project name defined', () => {
+    const projectName = '{{PROJECT_NAME}}';
+    expect(projectName).toBeTruthy();
+  });
+});