forgedev 1.4.0 → 1.4.1

package/templates/infra/github-actions/.github/workflows/ci.yml.template

@@ -1,52 +1,61 @@
-name: CI
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-
-jobs:
-  lint-and-test:
-    runs-on: ubuntu-latest
-
-    services:
-      postgres:
-        image: postgres:17-alpine
-        env:
-          POSTGRES_DB: {{PROJECT_NAME_SNAKE}}
-          POSTGRES_USER: postgres
-          POSTGRES_PASSWORD: postgres
-        ports:
-          - 5432:5432
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-          cache: 'npm'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Lint
-        run: {{LINT_COMMAND}}
-
-      - name: Type check
-        run: {{TYPE_CHECK_COMMAND}}
-
-      - name: Build
-        run: {{BUILD_COMMAND}}
-
-      - name: Test
-        run: {{TEST_COMMAND}}
-        env:
-          DATABASE_URL: postgresql://postgres:postgres@localhost:5432/{{PROJECT_NAME_SNAKE}}
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  lint-and-test:
+    runs-on: ubuntu-latest
+
+    services:
+      postgres:
+        image: postgres:17-alpine
+        env:
+          POSTGRES_DB: {{PROJECT_NAME_SNAKE}}
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint
+        run: {{LINT_COMMAND}}
+
+      - name: Type check
+        run: {{TYPE_CHECK_COMMAND}}
+
+      - name: Build
+        run: {{BUILD_COMMAND}}
+
+      - name: Test
+        run: {{TEST_COMMAND}}
+        env:
+          DATABASE_URL: postgresql://postgres:postgres@localhost:5432/{{PROJECT_NAME_SNAKE}}
+
+      - name: Security audit (npm)
+        run: npm audit --audit-level=high
+        continue-on-error: true
+
+      - name: Security audit (pip)
+        if: hashFiles('**/requirements.txt') != ''
+        run: pip install pip-audit && pip-audit -r requirements.txt
+        continue-on-error: true

package/templates/infra/k8s/k8s/deployment.yml.template

@@ -1,70 +1,70 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{PROJECT_NAME}}
-  labels:
-    app: {{PROJECT_NAME}}
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app: {{PROJECT_NAME}}
-  template:
-    metadata:
-      labels:
-        app: {{PROJECT_NAME}}
-    spec:
-      automountServiceAccountToken: false
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1000
-        fsGroup: 1000
-      containers:
-        - name: {{PROJECT_NAME}}
-          image: {{PROJECT_NAME}}:{{IMAGE_TAG}}  # Update to match your CI-built image tag
-          imagePullPolicy: IfNotPresent
-          ports:
-            - containerPort: {{APP_PORT}}
-          env:
-            - name: PORT
-              value: "{{APP_PORT}}"
-            - name: DATABASE_URL
-              valueFrom:
-                secretKeyRef:
-                  name: {{PROJECT_NAME}}-secrets
-                  key: database-url
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            capabilities:
-              drop: ["ALL"]
-          volumeMounts:
-            - name: tmp
-              mountPath: /tmp
-          livenessProbe:
-            httpGet:
-              path: /health
-              port: {{APP_PORT}}
-            initialDelaySeconds: 10
-            periodSeconds: 15
-            timeoutSeconds: 5
-            failureThreshold: 3
-          readinessProbe:
-            httpGet:
-              path: /healthz
-              port: {{APP_PORT}}
-            initialDelaySeconds: 5
-            periodSeconds: 10
-            timeoutSeconds: 5
-            failureThreshold: 3
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-            limits:
-              cpu: 500m
-              memory: 512Mi
-      volumes:
-        - name: tmp
-          emptyDir: {}
-      terminationGracePeriodSeconds: 30
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{PROJECT_NAME}}
+  labels:
+    app: {{PROJECT_NAME}}
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: {{PROJECT_NAME}}
+  template:
+    metadata:
+      labels:
+        app: {{PROJECT_NAME}}
+    spec:
+      automountServiceAccountToken: false
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        fsGroup: 1000
+      containers:
+        - name: {{PROJECT_NAME}}
+          image: {{PROJECT_NAME}}:{{IMAGE_TAG}}  # Update to match your CI-built image tag
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: {{APP_PORT}}
+          env:
+            - name: PORT
+              value: "{{APP_PORT}}"
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: {{PROJECT_NAME}}-secrets
+                  key: database-url
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: ["ALL"]
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: {{APP_PORT}}
+            initialDelaySeconds: 10
+            periodSeconds: 15
+            timeoutSeconds: 5
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: {{APP_PORT}}
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: 500m
+              memory: 512Mi
+      volumes:
+        - name: tmp
+          emptyDir: {}
+      terminationGracePeriodSeconds: 30

package/templates/infra/k8s/k8s/hpa.yml.template

@@ -1,24 +1,24 @@
-apiVersion: autoscaling/v2
-kind: HorizontalPodAutoscaler
-metadata:
-  name: {{PROJECT_NAME}}
-spec:
-  scaleTargetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: {{PROJECT_NAME}}
-  minReplicas: 2
-  maxReplicas: 10
-  metrics:
-    - type: Resource
-      resource:
-        name: cpu
-        target:
-          type: Utilization
-          averageUtilization: 70
-    - type: Resource
-      resource:
-        name: memory
-        target:
-          type: Utilization
-          averageUtilization: 80
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{PROJECT_NAME}}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{PROJECT_NAME}}
+  minReplicas: 2
+  maxReplicas: 10
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 70
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: 80

package/templates/infra/k8s/k8s/ingress.yml.template

@@ -1,26 +1,26 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{PROJECT_NAME}}
-  annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
-    nginx.ingress.kubernetes.io/limit-rps: "10"
-    nginx.ingress.kubernetes.io/limit-connections: "5"
-spec:
-  ingressClassName: nginx
-  rules:
-    - host: {{PROJECT_NAME}}.example.com
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: {{PROJECT_NAME}}
-                port:
-                  number: 80
-  tls:
-    - hosts:
-        - {{PROJECT_NAME}}.example.com
-      secretName: {{PROJECT_NAME}}-tls
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{PROJECT_NAME}}
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
+    nginx.ingress.kubernetes.io/limit-rps: "10"
+    nginx.ingress.kubernetes.io/limit-connections: "5"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: {{PROJECT_NAME}}.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{PROJECT_NAME}}
+                port:
+                  number: 80
+  tls:
+    - hosts:
+        - {{PROJECT_NAME}}.example.com
+      secretName: {{PROJECT_NAME}}-tls

package/templates/infra/k8s/k8s/kustomization.yml.template

@@ -1,13 +1,13 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: {{PROJECT_NAME}}
-
-resources:
-  - namespace.yml
-  - deployment.yml
-  - service.yml
-  - ingress.yml
-  - secrets.yml
-  - hpa.yml
-  - networkpolicy.yml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: {{PROJECT_NAME}}
+
+resources:
+  - namespace.yml
+  - deployment.yml
+  - service.yml
+  - ingress.yml
+  - secrets.yml
+  - hpa.yml
+  - networkpolicy.yml

package/templates/infra/k8s/k8s/namespace.yml.template

@@ -1,4 +1,4 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: {{PROJECT_NAME}}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{PROJECT_NAME}}

package/templates/infra/k8s/k8s/networkpolicy.yml.template

@@ -1,41 +1,41 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: {{PROJECT_NAME}}
-spec:
-  podSelector:
-    matchLabels:
-      app: {{PROJECT_NAME}}
-  policyTypes:
-    - Ingress
-    - Egress
-  ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: ingress-nginx
-      ports:
-        - port: {{APP_PORT}}
-  egress:
-    # Database
-    - to:
-        - podSelector:
-            matchLabels:
-              app: postgres
-      ports:
-        - port: 5432
-    # DNS (UDP + TCP for large responses)
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: kube-system
-      ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
-    # Uncomment to allow outbound HTTPS (external APIs, OAuth, webhooks)
-    # - to: []
-    #   ports:
-    #     - port: 443
-    #       protocol: TCP
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{PROJECT_NAME}}
+spec:
+  podSelector:
+    matchLabels:
+      app: {{PROJECT_NAME}}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: ingress-nginx
+      ports:
+        - port: {{APP_PORT}}
+  egress:
+    # Database
+    - to:
+        - podSelector:
+            matchLabels:
+              app: postgres
+      ports:
+        - port: 5432
+    # DNS (UDP + TCP for large responses)
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    # Uncomment to allow outbound HTTPS (external APIs, OAuth, webhooks)
+    # - to: []
+    #   ports:
+    #     - port: 443
+    #       protocol: TCP

package/templates/infra/k8s/k8s/secrets.yml.template

@@ -1,10 +1,10 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{PROJECT_NAME}}-secrets
-type: Opaque
-stringData:
-  # IMPORTANT: Replace these placeholder values before deploying.
-  # In production, use sealed-secrets, external-secrets, or your cloud provider's secret manager.
-  # Do NOT commit real credentials to version control.
-  database-url: "postgresql://USER:CHANGE_ME_BEFORE_DEPLOY@postgres:5432/{{PROJECT_NAME_SNAKE}}"
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{PROJECT_NAME}}-secrets
+type: Opaque
+stringData:
+  # IMPORTANT: Replace these placeholder values before deploying.
+  # In production, use sealed-secrets, external-secrets, or your cloud provider's secret manager.
+  # Do NOT commit real credentials to version control.
+  database-url: "postgresql://USER:CHANGE_ME_BEFORE_DEPLOY@postgres:5432/{{PROJECT_NAME_SNAKE}}?sslmode=require"

package/templates/infra/k8s/k8s/service.yml.template

@@ -1,15 +1,15 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{PROJECT_NAME}}
-  labels:
-    app: {{PROJECT_NAME}}
-spec:
-  type: ClusterIP
-  selector:
-    app: {{PROJECT_NAME}}
-  ports:
-    - name: http
-      port: 80
-      targetPort: {{APP_PORT}}
-      protocol: TCP
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{PROJECT_NAME}}
+  labels:
+    app: {{PROJECT_NAME}}
+spec:
+  type: ClusterIP
+  selector:
+    app: {{PROJECT_NAME}}
+  ports:
+    - name: http
+      port: 80
+      targetPort: {{APP_PORT}}
+      protocol: TCP

package/templates/testing/load/k6/README.md.template

@@ -1,48 +1,48 @@
-# Load Testing — {{PROJECT_NAME_PASCAL}}
-
-Uses [k6](https://k6.io/) for load testing.
-
-## Setup
-
-```bash
-# macOS
-brew install k6
-
-# Windows (scoop)
-scoop install k6
-
-# Docker (no install)
-docker run --rm -i grafana/k6 run - <load-test.js
-```
-
-## Run
-
-```bash
-# Smoke test (quick, single request)
-k6 run --vus 1 --iterations 1 k6/load-test.js
-
-# Full load test against local server
-k6 run k6/load-test.js
-
-# Against staging
-k6 run -e BASE_URL=https://staging.example.com k6/load-test.js
-```
-
-## Thresholds
-
-| Metric | Threshold | Meaning |
-|--------|-----------|---------|
-| `http_req_duration p(95)` | < 500ms | 95th percentile response time |
-| `http_req_duration p(99)` | < 1.5s | 99th percentile response time |
-| `http_req_failed` | < 1% | Error rate |
-| `checks` | > 99% | Assertion pass rate |
-
-## CI Integration
-
-Add to your CI pipeline after deployment:
-
-```yaml
-- name: Load test
-  run: |
-    k6 run -e BASE_URL=${{ secrets.STAGING_URL }} k6/load-test.js
-```
+# Load Testing — {{PROJECT_NAME_PASCAL}}
+
+Uses [k6](https://k6.io/) for load testing.
+
+## Setup
+
+```bash
+# macOS
+brew install k6
+
+# Windows (scoop)
+scoop install k6
+
+# Docker (no install)
+docker run --rm -i grafana/k6 run - <load-test.js
+```
+
+## Run
+
+```bash
+# Smoke test (quick, single request)
+k6 run --vus 1 --iterations 1 k6/load-test.js
+
+# Full load test against local server
+k6 run k6/load-test.js
+
+# Against staging
+k6 run -e BASE_URL=https://staging.example.com k6/load-test.js
+```
+
+## Thresholds
+
+| Metric | Threshold | Meaning |
+|--------|-----------|---------|
+| `http_req_duration p(95)` | < 500ms | 95th percentile response time |
+| `http_req_duration p(99)` | < 1.5s | 99th percentile response time |
+| `http_req_failed` | < 1% | Error rate |
+| `checks` | > 99% | Assertion pass rate |
+
+## CI Integration
+
+Add to your CI pipeline after deployment:
+
+```yaml
+- name: Load test
+  run: |
+    k6 run -e BASE_URL=${{ secrets.STAGING_URL }} k6/load-test.js
+```