tovuk 0.1.48 → 0.1.50

package/README.md

@@ -12,8 +12,8 @@ npx tovuk deploy --wait --json
 `npx tovuk` is the public npm command.
 
 Rust backends expect `Cargo.toml`, `Cargo.lock`, and `tovuk.toml`. They must
-pass `cargo fmt --all --check`, locked Cargo checks, listen on
-`0.0.0.0:$PORT`, and expose the configured health endpoint.
+pass `cargo fmt --all --check`, locked release-mode check/test/Clippy gates,
+listen on `0.0.0.0:$PORT`, and expose the configured health endpoint.
 
 Static frontends must use TypeScript browser source, stable native type-aware
 TypeScript checks, native linting such as `oxlint`, `biome check`, or

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tovuk",
-  "version": "0.1.48",
+  "version": "0.1.50",
   "description": "Deploy Rust backends, static frontends, and fullstack apps to Tovuk.",
   "type": "module",
   "bin": {

package/src/internal/config-validation.ts

@@ -1,4 +1,4 @@
-import { PROJECT_KINDS } from './constants.ts'
+import { JAVASCRIPT_BACKEND_RUNTIMES, PROJECT_KINDS, RUST_STRICT_CLIPPY_DENY_LINTS } from './constants.ts'
 import { commandTokens, hasFrontendInstallCommand, hasFrontendScriptRun, usesJavascriptLinter } from './frontend-policy.ts'
 import { isSafeRelativePath } from './project.ts'
 import type { ProjectKind, TovukConfig } from './types.ts'
@@ -34,6 +34,9 @@ function validateBuildConfig(config: TovukConfig): void {
     throw new Error('[build].check is required')
   }
   validateCheckCommand(config.kind, config.build.check)
+  if (config.kind === 'rust_backend') {
+    validateRustBuildCommand(config.build.command)
+  }
 }
 
 function validateStaticFrontendConfig(config: TovukConfig): void {
@@ -45,6 +48,7 @@ function validateRustBackendConfig(config: TovukConfig): void {
     throw new Error('[build].output is only valid for static_frontend')
   }
   requireCommand(config.run.command, '[run].command')
+  validateRustRunCommand(config.run.command)
   validatePort(config.run.port, '[run].port')
   validateHealth(config.run.health, '[run].health')
   validateResourceConfig(config)
@@ -62,8 +66,8 @@ function validateFullstackConfig(config: TovukConfig): void {
 
 function validateFullstackSections(config: TovukConfig): void {
   validateRustCheckCommand(requireCommand(config.backend.check, '[backend].check'))
-  requireCommand(config.backend.build, '[backend].build')
-  requireCommand(config.backend.command, '[backend].command')
+  validateRustBuildCommand(requireCommand(config.backend.build, '[backend].build'))
+  validateRustRunCommand(requireCommand(config.backend.command, '[backend].command'))
   validatePort(config.backend.port, '[backend].port')
   validateHealth(config.backend.health, '[backend].health')
   validateFrontendCheckCommand(requireCommand(config.frontend.check, '[frontend].check'))
@@ -104,11 +108,16 @@ function validateOutput(value: string | undefined, field: string): void {
 }
 
 function validateResourceConfig(config: TovukConfig): void {
-  if (!/^\d+\s*(mb|mib|gb|gib)$/iu.test(config.resources.memory)) {
-    throw new Error('[resources].memory must look like 512mb or 1gb')
+  const memoryMib = memoryToMib(config.resources.memory)
+  if (memoryMib < 128 || memoryMib > 2048) {
+    throw new Error('[resources].memory must be between 128mb and 2gb; use the smallest working value')
   }
-  if (!/^\d+(?:\.\d{1,3})?$/u.test(config.resources.cpu)) {
-    throw new Error('[resources].cpu must look like 0.25, 0.5, 1, or 2')
+  const cpuMillis = cpuToMillis(config.resources.cpu)
+  if (cpuMillis < 50 || cpuMillis > 2000) {
+    throw new Error('[resources].cpu must be between 0.05 and 2; use the smallest working value')
+  }
+  if (!Number.isInteger(config.resources.idle_timeout_minutes) || config.resources.idle_timeout_minutes < 1 || config.resources.idle_timeout_minutes > 60) {
+    throw new Error('[resources].idle_timeout_minutes must be between 1 and 60')
   }
 }
 
@@ -122,11 +131,40 @@ function validateCheckCommand(kind: ProjectKind, command: string): void {
 }
 
 function validateRustCheckCommand(command: string): void {
-  const required = ['cargo fmt --all --check', 'cargo check --locked', 'cargo clippy --locked', '--all-targets', '--all-features', '-D warnings']
+  const required = [
+    'cargo fmt --all --check',
+    'cargo check --locked --release --all-targets --all-features',
+    'cargo test --locked --release --all-targets --all-features',
+    'cargo clippy --locked --release --all-targets --all-features',
+    '-D warnings',
+    ...RUST_STRICT_CLIPPY_DENY_LINTS.map((lint) => `-D ${lint}`)
+  ]
   if (required.every((fragment) => command.includes(fragment))) {
     return
   }
-  throw new Error('[build].check must include cargo fmt --all --check, cargo check --locked, and cargo clippy --locked --all-targets --all-features -- -D warnings')
+  throw new Error('[build].check must run rustfmt, locked release-mode cargo check, locked release-mode tests, and strict Clippy resource lints')
+}
+
+function validateRustBuildCommand(command: string): void {
+  if (usesJavascriptBackendRuntime(command)) {
+    throw new Error('Rust backend build commands cannot invoke JavaScript or TypeScript runtimes; use cargo build --release')
+  }
+  const tokens = commandTokens(command)
+  if (tokens.some((token) => commandNameFromToken(token) === 'cargo') && tokens.includes('build') && tokens.includes('--release')) {
+    return
+  }
+  throw new Error('Rust backend build commands must run cargo build --release')
+}
+
+function validateRustRunCommand(command: string | undefined): void {
+  const value = command ?? ''
+  if (usesJavascriptBackendRuntime(value)) {
+    throw new Error('Rust backend runtime commands cannot invoke JavaScript or TypeScript runtimes; run ./target/release/<binary> instead')
+  }
+  if (commandTokens(value).some((token) => token.includes('target/release/'))) {
+    return
+  }
+  throw new Error('Rust backend runtime commands must start a binary under ./target/release/')
 }
 
 function validateFrontendCheckCommand(command: string): void {
@@ -147,6 +185,11 @@ function validateFrontendCheckCommand(command: string): void {
   throw new Error('[build].check must install dependencies and run package scripts, for example `bun ci && bun run typecheck && bun run lint` or `npm ci --prefer-offline --no-audit --fund=false && npm run typecheck && npm run lint`')
 }
 
+function usesJavascriptBackendRuntime(command: string): boolean {
+  return commandTokens(command)
+    .some((token) => JAVASCRIPT_BACKEND_RUNTIMES.has(commandNameFromToken(token)))
+}
+
 function isSafeRelativeDirectory(value: string): boolean {
   return value === '.' || isSafeRelativePath(value)
 }
@@ -155,4 +198,24 @@ function isNoopCommand(command: string): boolean {
   return command.trim() === ':' || command.trim() === 'true'
 }
 
+function commandNameFromToken(token: string): string {
+  return token.split('/').pop() ?? ''
+}
+
+function memoryToMib(value: string): number {
+  const match = value.trim().toLowerCase().match(/^(\d+)\s*(mb|mib|gb|gib)$/u)
+  if (!match) {
+    throw new Error('[resources].memory must look like 256mb, 512mb, or 1gb')
+  }
+  const amount = Number.parseInt(match[1] ?? '', 10)
+  return amount * ((match[2] ?? '').startsWith('g') ? 1024 : 1)
+}
+
+function cpuToMillis(value: string): number {
+  if (!/^\d+(?:\.\d{1,3})?$/u.test(value.trim())) {
+    throw new Error('[resources].cpu must look like 0.25, 0.5, 1, or 2')
+  }
+  return Math.round(Number.parseFloat(value) * 1000)
+}
+
 export { validateConfig }

package/src/internal/constants.ts

@@ -15,12 +15,36 @@ export const SESSION_ACCOUNT: string = 'session-token'
 export const SESSION_LABEL: string = 'Tovuk session'
 export const DEFAULT_LOGIN_EXPIRES_SECONDS: number = 600
 export const DEFAULT_LOGIN_INTERVAL_SECONDS: number = 5
-export const DEFAULT_RUST_CHECK_COMMAND: string = 'cargo fmt --all --check && cargo check --locked && cargo clippy --locked --all-targets --all-features -- -D warnings'
+export const RUST_STRICT_CLIPPY_DENY_LINTS: readonly string[] = [
+  'clippy::all',
+  'clippy::pedantic',
+  'clippy::dbg_macro',
+  'clippy::todo',
+  'clippy::unimplemented',
+  'clippy::panic',
+  'clippy::unwrap_used',
+  'clippy::expect_used',
+  'clippy::large_futures',
+  'clippy::large_include_file',
+  'clippy::large_stack_frames',
+  'clippy::mem_forget',
+  'clippy::rc_buffer',
+  'clippy::rc_mutex',
+  'clippy::redundant_clone',
+  'clippy::clone_on_ref_ptr'
+]
+export const DEFAULT_RUST_CHECK_COMMAND: string = [
+  'cargo fmt --all --check',
+  'cargo check --locked --release --all-targets --all-features',
+  'cargo test --locked --release --all-targets --all-features',
+  `cargo clippy --locked --release --all-targets --all-features -- -D warnings ${RUST_STRICT_CLIPPY_DENY_LINTS.map((lint) => `-D ${lint}`).join(' ')}`
+].join(' && ')
 export const DEFAULT_NPM_FRONTEND_CHECK_COMMAND: string = 'npm ci --prefer-offline --no-audit --fund=false && npm run typecheck && npm run lint'
 export const DEFAULT_BUN_FRONTEND_CHECK_COMMAND: string = 'bun ci && bun run typecheck && bun run lint'
 export const PROJECT_KINDS: ReadonlySet<string> = new Set(['fullstack', 'rust_backend', 'static_frontend'])
 export const PROJECT_TEMPLATES: ReadonlySet<string> = new Set(['rust-api', 'tanstack-static-frontend', 'fullstack-rust-tanstack'])
 export const JAVASCRIPT_LINTERS: ReadonlySet<string> = new Set(['eslint', 'eslint_d', 'jscs', 'jshint', 'prettier', 'prettierd', 'standard', 'xo'])
+export const JAVASCRIPT_BACKEND_RUNTIMES: ReadonlySet<string> = new Set(['astro', 'bun', 'deno', 'next', 'node', 'npm', 'npx', 'pnpm', 'svelte-kit', 'tsx', 'ts-node', 'vite', 'yarn'])
 export const FRONTEND_SOURCE_ROOTS: ReadonlySet<string> = new Set(['src', 'app', 'pages', 'routes', 'components'])
 export const FRONTEND_JAVASCRIPT_EXTENSIONS: readonly string[] = ['.js', '.jsx', '.mjs', '.cjs']
 export const FRONTEND_PACKAGE_MANAGERS: ReadonlySet<string> = new Set(['npm', 'bun', 'pnpm', 'yarn'])
@@ -126,9 +150,10 @@ Usage:
 
 Agent contract:
   - Fullstack apps set kind = "fullstack", keep backend and frontend roots in one tovuk.toml, serve the frontend at /, and serve the Rust API under /api.
-  - Rust backends keep Cargo.lock committed, pass rustfmt, listen on 0.0.0.0:$PORT, and return HTTP 200 from health.
+  - Rust backends keep Cargo.lock committed, pass rustfmt plus locked release-mode check/test/Clippy gates, listen on 0.0.0.0:$PORT, and return HTTP 200 from health.
   - Static frontends set kind = "static_frontend", keep TypeScript source, a package lockfile, stable native typecheck, native lint, and Fallow quality gates.
   - Plain static HTML/CSS/JS frontends may use kind = "static_frontend" with check = ":", command = ":", and output = ".".
+  - JavaScript and TypeScript are frontend-only on Tovuk; backend build and runtime commands must be Cargo release builds and Rust release binaries.
   - Frontends call Rust backends for APIs, managed Postgres, and server-side logic.
   - Run deploy from a fullstack repo root with one tovuk.toml to build backend and frontend together.
   - When split frontend and backend apps use different hostnames, configure backend CORS or use a same-origin custom domain.
@@ -136,6 +161,7 @@ Agent contract:
   - Create support tickets only with command output, app id, build id, deploy id, and the first actionable log line.
   - Resolve support tickets after the issue is fixed so later agents do not duplicate work.
   - Keep direct unsafe out of Rust source.
+  - Keep Rust backend resources small: 128mb-2gb memory, 0.05-2 CPU, and 1-60 minute idle timeout.
 `
 
 function packageVersion(): string {

package/src/internal/doctor.ts

@@ -4,7 +4,7 @@ import { doctorCheck } from './checks.ts'
 import { agentError } from './errors.ts'
 import { parseTovukToml, validateConfig } from './config.ts'
 import { discoverDeployProjects } from './workspace.ts'
-import { printJson } from './project.ts'
+import { printJson, walkProjectFiles } from './project.ts'
 import { rustDoctorChecks, unsafeCheck } from './rust-doctor.ts'
 import { frontendLockfileExists, frontendScriptChecks, frontendSourceChecks, isPlainStaticFrontend } from './frontend-policy.ts'
 import type { DoctorCheck, DoctorReport, WorkspaceDoctorReport, TovukConfig } from './types.ts'
@@ -67,6 +67,7 @@ function runDoctor(projectDir: string): DoctorReport {
   if (kind === 'static_frontend') {
     checks.push(...staticFrontendChecks(projectDir, configResult.valid))
   } else {
+    checks.push(backendJavascriptSourceCheck(projectDir))
     checks.push(...rustDoctorChecks(projectDir, configResult.valid))
   }
 
@@ -151,6 +152,7 @@ function fullstackChecks(projectDir: string, config: TovukConfig, configValid: b
   const frontendDir = path.join(projectDir, frontendRoot)
   return [
     ...requiredFilesAt(backendDir, backendRoot, ['Cargo.toml', 'Cargo.lock']),
+    backendJavascriptSourceCheck(backendDir, backendRoot),
     ...rustDoctorChecks(backendDir, configValid),
     ...requiredFilesAt(frontendDir, frontendRoot, isPlainStaticFrontend(frontendDir) ? ['index.html'] : ['package.json']),
     ...staticFrontendChecks(frontendDir, configValid)
@@ -181,6 +183,29 @@ function frontendLockfileCheck(projectDir: string): DoctorCheck {
   return doctorCheck('frontend lockfile', ok, 'found', 'missing', 'Commit package-lock.json, pnpm-lock.yaml, yarn.lock, bun.lock, or bun.lockb, then retry.')
 }
 
+function backendJavascriptSourceCheck(projectDir: string, label = ''): DoctorCheck {
+  const matches: string[] = []
+  walkProjectFiles(projectDir, (_file, relative) => {
+    if (isBackendJavascriptOrTypescriptSource(relative)) {
+      matches.push(label ? `${label}/${relative}` : relative)
+    }
+  })
+  return doctorCheck(
+    'rust backend js/ts server source',
+    matches.length === 0,
+    'none found',
+    matches.slice(0, 5).join(', '),
+    'Move API routes, SSR handlers, middleware, and server logic to Rust. Keep JS/TS only in static frontend roots.'
+  )
+}
+
+function isBackendJavascriptOrTypescriptSource(relative: string): boolean {
+  if (relative.endsWith('.d.ts') || !/\.(?:cjs|js|jsx|mjs|ts|tsx)$/iu.test(relative)) {
+    return false
+  }
+  return relative.split('/').some((component) => ['api', 'app', 'pages', 'routes', 'server', 'src'].includes(component))
+}
+
 function isWorkspaceDoctorReport(report: DoctorReport | WorkspaceDoctorReport): report is WorkspaceDoctorReport {
   return 'projects' in report
 }

package/src/internal/frontend-policy.ts

@@ -7,6 +7,8 @@ import { readPackageJson, walkProjectFiles } from './project.ts'
 import type { DoctorCheck, FrontendSourceReport, PackageManifest } from './types.ts'
 
 const REQUIRED_FRONTEND_SCRIPTS = ['typecheck', 'lint'] as const
+const FRONTEND_PAGES_API_PREFIXES: readonly (readonly string[])[] = [['pages', 'api'], ['src', 'pages', 'api']]
+const FRONTEND_APP_API_PREFIXES: readonly (readonly string[])[] = [['app', 'api'], ['src', 'app', 'api']]
 type FrontendScriptName = typeof REQUIRED_FRONTEND_SCRIPTS[number]
 type CommandPredicate = (command: string) => boolean
 
@@ -95,18 +97,26 @@ function frontendSourceChecks(projectDir: string): DoctorCheck[] {
       message: report.typescript.length > 0 ? report.typescript.slice(0, 3).join(', ') : 'missing',
       agent_instruction: report.typescript.length > 0 ? null : 'Add browser source as .ts or .tsx under src, app, pages, routes, or components, then retry.'
     },
-    {
-      name: 'javascript source',
-      ok: report.javascript.length === 0,
-      message: report.javascript.length === 0 ? 'none found' : report.javascript.slice(0, 5).join(', '),
-      agent_instruction: report.javascript.length === 0 ? null : 'Rename browser .js, .jsx, .mjs, or .cjs source files to .ts or .tsx and fix type errors before deploying.'
-    }
+    forbiddenSourceCheck('javascript source', report.javascript, 'Rename browser .js, .jsx, .mjs, or .cjs source files to .ts or .tsx and fix type errors before deploying.'),
+    forbiddenSourceCheck('frontend server routes', report.serverRoutes, 'Move API routes, SSR handlers, middleware, and server logic to the Rust backend; static frontend source may only contain browser code.')
   ]
 }
 
+function forbiddenSourceCheck(name: string, files: readonly string[], instruction: string): DoctorCheck {
+  return {
+    name,
+    ok: files.length === 0,
+    message: files.length === 0 ? 'none found' : files.slice(0, 5).join(', '),
+    agent_instruction: files.length === 0 ? null : instruction
+  }
+}
+
 function frontendSourceReport(projectDir: string): FrontendSourceReport {
-  const report: FrontendSourceReport = { typescript: [], javascript: [] }
+  const report: FrontendSourceReport = { typescript: [], javascript: [], serverRoutes: [] }
   walkProjectFiles(projectDir, (_file, relative) => {
+    if (isFrontendServerRoute(relative)) {
+      report.serverRoutes.push(relative)
+    }
     const sourceKind = frontendSourceKind(relative)
     if (sourceKind) {
       report[sourceKind].push(relative)
@@ -138,6 +148,28 @@ function isFrontendJavascriptSource(relative: string): boolean {
   return FRONTEND_JAVASCRIPT_EXTENSIONS.some((extension) => relative.endsWith(extension))
 }
 
+function isFrontendServerRoute(relative: string): boolean {
+  if (!isFrontendTypescriptSource(relative) && !isFrontendJavascriptSource(relative)) {
+    return false
+  }
+  const parts = relative.toLowerCase().split('/')
+  const file = parts.at(-1) ?? ''
+  return isFrontendServerHandlerFile(file) || isFrontendApiRoute(parts, file)
+}
+
+function isFrontendServerHandlerFile(file: string): boolean {
+  return file.startsWith('+server.') || file.startsWith('middleware.')
+}
+
+function isFrontendApiRoute(pathParts: readonly string[], file: string): boolean {
+  return FRONTEND_PAGES_API_PREFIXES.some((prefix) => pathStartsWith(pathParts, prefix))
+    || (file.startsWith('route.') && FRONTEND_APP_API_PREFIXES.some((prefix) => pathStartsWith(pathParts, prefix)))
+}
+
+function pathStartsWith(pathParts: readonly string[], prefix: readonly string[]): boolean {
+  return pathParts.length >= prefix.length && prefix.every((part, index) => pathParts[index] === part)
+}
+
 function packageScriptValue(manifest: PackageManifest | null, script: string): string {
   const value = manifest?.scripts?.[script]
   return typeof value === 'string' ? value.trim() : ''

package/src/internal/rust-doctor.ts

@@ -1,6 +1,7 @@
 import { spawnSync } from 'node:child_process'
 import { readFileSync } from 'node:fs'
 import path from 'node:path'
+import { RUST_STRICT_CLIPPY_DENY_LINTS } from './constants.ts'
 import { walkProjectFiles } from './project.ts'
 import type { DoctorCheck } from './types.ts'
 
@@ -14,7 +15,7 @@ interface CargoCheckSpec {
 function rustDoctorChecks(projectDir: string, configValid: boolean): DoctorCheck[] {
   const checks = [cargoLints(projectDir), unsafeCheck(projectDir)]
   if (configValid) {
-    checks.push(cargoFmt(projectDir), cargoCheck(projectDir), cargoClippy(projectDir))
+    checks.push(cargoFmt(projectDir), cargoCheck(projectDir), cargoTest(projectDir), cargoClippy(projectDir))
   }
   return checks
 }
@@ -46,9 +47,18 @@ function scanUnsafe(projectDir: string): string[] {
 function cargoCheck(projectDir: string): DoctorCheck {
   return cargoCommandCheck(projectDir, {
     name: 'cargo check',
-    args: ['check', '--locked', '--quiet'],
-    missing: 'Install Rust and Cargo, then run `cargo check --locked` locally before deploying.',
-    failed: 'Run `cargo check --locked`, fix every compiler error and warning, then redeploy.'
+    args: ['check', '--locked', '--release', '--all-targets', '--all-features', '--quiet'],
+    missing: 'Install Rust and Cargo, then run `cargo check --locked --release --all-targets --all-features` locally before deploying.',
+    failed: 'Run `cargo check --locked --release --all-targets --all-features`, fix every compiler error and warning, then redeploy.'
+  })
+}
+
+function cargoTest(projectDir: string): DoctorCheck {
+  return cargoCommandCheck(projectDir, {
+    name: 'cargo test',
+    args: ['test', '--locked', '--release', '--all-targets', '--all-features', '--quiet'],
+    missing: 'Install Rust and Cargo, then run `cargo test --locked --release --all-targets --all-features` locally before deploying.',
+    failed: 'Run `cargo test --locked --release --all-targets --all-features`, fix every failed test, then redeploy.'
   })
 }
 
@@ -64,9 +74,9 @@ function cargoFmt(projectDir: string): DoctorCheck {
 function cargoClippy(projectDir: string): DoctorCheck {
   return cargoCommandCheck(projectDir, {
     name: 'cargo clippy',
-    args: ['clippy', '--locked', '--all-targets', '--all-features', '--quiet', '--', '-D', 'warnings'],
-    missing: 'Install Rust clippy, then run `cargo clippy --locked --all-targets --all-features -- -D warnings` before deploying.',
-    failed: 'Run `cargo clippy --locked --all-targets --all-features -- -D warnings`, fix every warning, then redeploy.'
+    args: ['clippy', '--locked', '--release', '--all-targets', '--all-features', '--quiet', '--', '-D', 'warnings', ...RUST_STRICT_CLIPPY_DENY_LINTS.flatMap((lint) => ['-D', lint])],
+    missing: 'Install Rust clippy, then run Tovuk strict Clippy checks before deploying.',
+    failed: 'Run the strict Tovuk Clippy command from tovuk.toml, fix every warning, panic/unwrap issue, and resource lint, then redeploy.'
   })
 }
 
@@ -110,17 +120,19 @@ function cargoLints(projectDir: string): DoctorCheck {
     }
   }
 
-  const ok = cargoLintLevel(source, 'unsafe_code') === 'forbid' &&
-    cargoLintLevel(source, 'warnings') === 'deny'
+  const requiredClippyLints = RUST_STRICT_CLIPPY_DENY_LINTS.map((lint) => lint.replace(/^clippy::/u, ''))
+  const ok = cargoLintLevel(source, 'rust', 'unsafe_code') === 'forbid' &&
+    cargoLintLevel(source, 'rust', 'warnings') === 'deny' &&
+    requiredClippyLints.every((lint) => cargoLintLevel(source, 'clippy', lint) === 'deny')
   return {
     name: 'cargo lints',
     ok,
-    message: ok ? 'strict' : 'missing unsafe_code=forbid or warnings=deny',
-    agent_instruction: ok ? null : 'Add `[lints.rust]` with `unsafe_code = "forbid"` and `warnings = "deny"`, then retry.'
+    message: ok ? 'strict' : 'missing strict Rust or Clippy resource lints',
+    agent_instruction: ok ? null : 'Add `[lints.rust]` with `unsafe_code = "forbid"` and `warnings = "deny"`, plus `[lints.clippy]` deny entries for all, pedantic, panic/unwrap bans, and resource lints, then retry.'
   }
 }
 
-function cargoLintLevel(source: string, lintName: string): string {
+function cargoLintLevel(source: string, lintGroup: 'clippy' | 'rust', lintName: string): string {
   let section = ''
   for (const rawLine of source.split(/\r?\n/u)) {
     const line = rawLine.replace(/#.*/u, '').trim()
@@ -129,7 +141,7 @@ function cargoLintLevel(source: string, lintName: string): string {
       section = nextSection
       continue
     }
-    if (!isRustLintSection(section)) {
+    if (!isLintSection(section, lintGroup)) {
       continue
     }
     const level = lintAssignmentLevel(line, lintName)
@@ -145,8 +157,8 @@ function tomlSection(line: string): string | null {
   return line.match(/^\[([^\]]+)\]$/u)?.[1] ?? null
 }
 
-function isRustLintSection(section: string): boolean {
-  return section === 'lints.rust' || section === 'workspace.lints.rust'
+function isLintSection(section: string, lintGroup: 'clippy' | 'rust'): boolean {
+  return section === `lints.${lintGroup}` || section === `workspace.lints.${lintGroup}`
 }
 
 function lintAssignmentLevel(line: string, lintName: string): string {

package/src/internal/templates.ts

@@ -67,6 +67,24 @@ publish = false
 [lints.rust]
 unsafe_code = "forbid"
 warnings = "deny"
+
+[lints.clippy]
+all = { level = "deny", priority = -1 }
+pedantic = { level = "deny", priority = -1 }
+dbg_macro = "deny"
+todo = "deny"
+unimplemented = "deny"
+panic = "deny"
+unwrap_used = "deny"
+expect_used = "deny"
+large_futures = "deny"
+large_include_file = "deny"
+large_stack_frames = "deny"
+mem_forget = "deny"
+rc_buffer = "deny"
+rc_mutex = "deny"
+redundant_clone = "deny"
+clone_on_ref_ptr = "deny"
 `],
     ['Cargo.lock', `# This file is automatically @generated by Cargo.
 version = 4

package/src/internal/types.ts

@@ -65,7 +65,7 @@ export type ProjectDoctorReport = DoctorReport & { relative: string }
 export type WorkspaceDoctorReport = JsonObject & { ok: boolean; workspace: string; projects: ProjectDoctorReport[] }
 export type DeployProjectInfo = { dir: string; relative: string; name: string; kind: DiscoveredProjectKind }
 export type DeployPlanProject = { project: DeployProjectInfo; wantsDatabase: boolean }
-export type FrontendSourceReport = { typescript: string[]; javascript: string[] }
+export type FrontendSourceReport = { typescript: string[]; javascript: string[]; serverRoutes: string[] }
 export type LoginStartResponse = JsonObject & { loginUrl?: string; userCode?: string; deviceCode?: string; expiresInSeconds?: number; intervalSeconds?: number }
 export type LoginPollResponse = JsonObject & { status?: string; token?: string; email?: string; intervalSeconds?: number }
 export type AppSummary = JsonObject & { id?: string; name?: string; url?: string; databaseStorageMib?: number }