forgedev 1.1.0 → 1.2.0

package/templates/claude-code/skills/security-api/SKILL.md

@@ -16,7 +16,7 @@ description: API security best practices
 - Validate all input with Pydantic models
 - Set max lengths on string fields
 - Validate email formats, URLs, phone numbers
-- Reject unexpected fields (Pydantic does this by default)
+- Reject unexpected fields (set `extra = "forbid"` in Pydantic model config)
 - Validate file uploads (size, type, extension)
 
 ## SQL Injection Prevention
@@ -38,7 +38,7 @@ description: API security best practices
 - Never expose stack traces to clients
 - Use generic error messages for auth failures
 - Log detailed errors server-side only
-- Return structured error responses: `{ error: { code, message } }`
+- Return structured error responses: `{ "error": { "code": "ERR_CODE", "message": "Error description" } }`
 
 ## Secrets Management
 - Store secrets in environment variables, never in code

package/templates/claude-code/skills/security-web/SKILL.md

@@ -39,3 +39,4 @@ description: Web application security best practices
 - Use Prisma `select` or `omit` to control returned fields
 - Never log sensitive data
 - Strip internal IDs from client-facing responses when possible
+

package/templates/database/sqlalchemy-postgres/.env.example

@@ -1 +1,2 @@
 DATABASE_URL="postgresql+asyncpg://postgres:postgres@localhost:5432/{{PROJECT_NAME_SNAKE}}"
+JWT_SECRET_KEY="change-me-generate-a-random-secret"

package/templates/infra/github-actions/.github/workflows/ci.yml.template

@@ -0,0 +1,49 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  lint-and-test:
+    runs-on: ubuntu-latest
+
+    services:
+      postgres:
+        image: postgres:17-alpine
+        env:
+          POSTGRES_DB: {{PROJECT_NAME_SNAKE}}
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint
+        run: {{LINT_COMMAND}}
+
+      - name: Type check
+        run: {{TYPE_CHECK_COMMAND}}
+
+      - name: Test
+        run: {{TEST_COMMAND}}
+        env:
+          DATABASE_URL: postgresql://postgres:postgres@localhost:5432/{{PROJECT_NAME_SNAKE}}

package/templates/testing/pytest/backend/tests/conftest.py.template

@@ -0,0 +1,11 @@
+import pytest
+from httpx import ASGITransport, AsyncClient
+
+from app.main import app
+
+
+@pytest.fixture
+async def client():
+    transport = ASGITransport(app=app)
+    async with AsyncClient(transport=transport, base_url="http://test") as ac:
+        yield ac

package/templates/testing/pytest/backend/tests/test_health.py.template

@@ -0,0 +1,10 @@
+import pytest
+
+
+@pytest.mark.asyncio
+async def test_health_endpoint(client):
+    response = await client.get("/health")
+    assert response.status_code == 200
+    data = response.json()
+    assert data["status"] == "ok"
+    assert data["service"] == "{{PROJECT_NAME}}"

package/templates/testing/vitest/vitest.config.ts.template

@@ -0,0 +1,18 @@
+import { defineConfig } from 'vitest/config';
+import path from 'path';
+
+export default defineConfig({
+  test: {
+    environment: 'node',
+    include: ['src/**/*.test.{ts,tsx}'],
+    coverage: {
+      provider: 'v8',
+      reporter: ['text', 'json', 'html'],
+    },
+  },
+  resolve: {
+    alias: {
+      '@': path.resolve(__dirname, './src'),
+    },
+  },
+});

package/CLAUDE.md

@@ -1,38 +0,0 @@
-# DevForge
-
-## WHAT
-- Node.js CLI tool for universal project scaffolding
-- ESM modules only (no require/CommonJS)
-- Dependencies: Inquirer.js (prompts), Chalk (colors), Vitest (tests)
-
-## Directory Map
-- `bin/` — CLI entry point (`devforge.js`)
-- `src/` — Core logic (index, prompts, recommender, composer, claude-configurator, uat-generator, utils)
-- `templates/` — Scaffold templates organized by category (base, frontend, backend, database, auth, testing, infra, claude-code)
-- `tests/` — Vitest test files
-- `docs/` — Reference documentation (prompt library, playbook, multi-agent verification)
-
-## HOW
-- Lint: `npx eslint . --ext .js` (when eslint is added)
-- Test: `npx vitest run`
-- Test (watch): `npx vitest`
-- Manual test: `node bin/devforge.js test-output`
-
-## Commands
-- `/workflows`, `/status`, `/next`, `/done` — daily workflow
-- `/verify-all`, `/audit-spec`, `/audit-wiring`, `/audit-security` — verification
-- `/pre-pr`, `/run-uat` — release workflow
-
-## Agents (all READ-ONLY, disallowedTools: Write/Edit/MultiEdit)
-- code-quality-reviewer, security-reviewer, spec-validator, production-readiness, uat-validator
-
-## RULES
-- ESM only — use `import`/`export`, never `require()`
-- All source files are plain `.js` (no TypeScript for the CLI itself)
-- Templates use `{{VARIABLE_NAME}}` placeholders — replaced via simple regex
-- Files ending in `.template` get variable substitution; all others are binary-copied
-- Template modules are composable: `templates/<category>/<stack>/` mirrors the output project structure
-- Never modify files in `docs/` — those are read-only reference documents
-- Keep `src/` files focused: each file has a single responsibility
-- The recommender is a pure function: `(serviceType, refinements) → stackConfig`
-- V1 supports 3 stacks: Next.js full-stack, FastAPI backend, polyglot (Next.js + FastAPI)