Developer MessagesClaude MessagesShow Tool Use

jeff

Hello! I have been working on another project for a few weeks, but now it is time to resume our work on CWC.
I would like to work through the following issues step-by-step / one-by-one, but I will let you choose the order in which we address them.

MariaDB secrets
Originally, when we created the cwc-deployment package, we put the MariaDB secrets in {cwcSecretsPath}/database/mariadb/secrets.json. In order to avoid duplication/confusion, I think that we should locate the MariaDB secrets in
{cwcSecretsPath}/configuration-helper/{runtimeEnv}-secrets.json. We will need to update the loadDatabaseSecrets function in ./packages/cwc-deployment/src/core/config.ts (and possibly other code files?) with this change.
Coding style and the impact on searchability and maintainability.
I wonder if there is a good reason why the following code was written this way:
```
const secretsFilePath = path.join(secretsPath, 'database', 'mariadb', 'secrets.json');
```
instead of:
```
const secretsFilePath = path.join(secretsPath, 'database/mariadb/secrets.json');
```
I did't get any results when searching the code for database/mariadb, so I had to search for mariadb and look through many results to find what I was looking for. What is the reasoning for choosing this syntax that makes it harder for me to find what I'm looking for? Please identify other places in the code that we can improve the readability and searchability.
Naming of authenticationPublicKey / AUTHENTICATION_PUBLIC_KEY config secret value.
This is a perfect example of why naming is so important ... it has been a few weeks since I worked on CWC and I apparently forgot that we named the Sql Client Api key as authenticationPublicKey. This morning when I was looking at the configuration-helper code, it was not totally clear to me that authenticationPublicKey applied to SqlClient and is not related to authentication in the cwc-auth package - I should have caught this when we were planning the cwc-sql development work. Once an app has been built, it is really common for months to go by before a developer goes back to the code, or when a new developer joins the project - it is really important that we name configuration values (and everything else) in a way that clearly indicates its context and purpose. For clarity, let's rename authenticationPublicKey and AUTHENTICATION_PUBLIC_KEY to sqlClientApiKey and SQL_CLIENT_API_KEY. I have renamed {cwcSecretsPath}/data-api-keys/ to {cwcSecretsPath}/sql-client-api-keys/ and changed the naming of the api key files from {runtime-env}/data-api-jwt-public.pem to {runtime-env}/sql-client-api-key-public.pem and from {runtime-env}/data-api-jwt-private.pem to {runtime-env}/sql-client-api-key-private.pem. Does that make sense? Can you identify all of the places in the mono-repo code and documentation (CLAUDE.md and README.md files) that need to be updated? Be sure to search for occurrences of data-api as well. Let's also document the importance of meaningful naming in the root CLAUDE.md file.
cwc-configuration-helper improvements.
When I run the config helper generate command, I am still seeing values like , , , etc. in the generated secrets files. This means that I have not provided the values in the associated {cwcSecretsPath}/configuration-helper/{runtimeEnv}-secrets.json files. I would prefer it if the generate command returns detailed error information for the missing values rather than setting these dummy values and indicating that the process was successful.

Claude

Welcome back! It's great to resume work on CWC. These are all important improvements around maintainability, clarity, and developer experience.

Let me explore the codebase to understand the current state of each issue before we discuss the approach.

I now have a comprehensive understanding of all four issues. Let me summarize what I found and ask some clarifying questions before creating the plan.

Summary of Findings

Issue 1: MariaDB Secrets Location

Currently in loadDatabaseSecrets() at packages/cwc-deployment/src/core/config.ts:32
Uses path.join(secretsPath, 'database', 'mariadb', 'secrets.json')
Also documented in packages/cwc-deployment/README.md:53
The DatabaseSecrets type has: rootPwd, mariadbUser, mariadbPwd

Issue 2: Path.join Syntax

Found multiple instances of segmented path.join usage across cwc-deployment
Example: path.join(secretsPath, 'deployment', 'servers.json') in config.ts:14

Issue 3: authenticationPublicKey Rename

Code files to update:

packages/cwc-sql/src/config/config.types.ts:10 - Type definition
packages/cwc-sql/src/config/loadConfig.ts:167,216 - Config loading
packages/cwc-sql/src/auth/verifyToken.ts:65 - JWT verification
packages/cwc-sql/src/__tests__/config.test.ts - ~20 occurrences
packages/cwc-sql/src/__tests__/queryCache.test.ts:27
packages/cwc-backend-utils/src/SqlClientKeysUtil.ts:43-46 - File paths

Documentation to update:

packages/cwc-sql/README.md:288,318-319
packages/cwc-sql/CLAUDE.md:133
packages/cwc-backend-utils/README.md:408-414
packages/cwc-configuration-helper/README.md:94

Issue 4: Configuration Helper Generate Command

Placeholders created in envGenerator.ts via getDefaultValue() (lines 237-306) and getSecretValue() (lines 314-321)
Validation in validate.ts intentionally skips placeholders (lines 207-210)
Would need to modify both functions to throw errors instead of returning placeholders

Claude is asking...

DB SecretsFor the MariaDB secrets consolidation: Should the database secrets (ROOT_PWD, MARIADB_USER, MARIADB_PWD) be added to the configuration-helper secrets file format, making it the single source of truth for all secrets?

Consolidate into config-helper- Add database secrets to {runtimeEnv}-secrets.json alongside other secrets like SQL_CLIENT_API_KEY

Keep separate structure- Keep database secrets in a dedicated location but update the path pattern

Error ModeFor the generate command error handling: How should missing values be reported?

Collect all then fail (Recommended)- Collect all missing values across all packages and report them together at the end, then exit with error

Fail immediately- Stop on the first missing value and report it

Add --strict flag- Keep placeholder behavior by default, add a --strict flag that enables error-on-missing

Developer Response

Q: For the MariaDB secrets consolidation: Should the database secrets (ROOT_PWD, MARIADB_USER, MARIADB_PWD) be added to the configuration-helper secrets file format, making it the single source of truth for all secrets?

A: "Consolidate into config-helper"

Q: For the generate command error handling: How should missing values be reported?

A: "Collect all then fail (Recommended)"

Now I have your preferences. Let me read some key files to understand the implementation details before creating the plan.

I have all the information needed. Let me now create the plan file.

File	Changes
`packages/cwc-sql/src/config/config.types.ts:10`	Type property: `authenticationPublicKey` → `sqlClientApiKey`
`packages/cwc-sql/src/config/loadConfig.ts:167`	Assignment and env var: `AUTHENTICATION_PUBLIC_KEY` → `SQL_CLIENT_API_KEY`
`packages/cwc-sql/src/config/loadConfig.ts:216`	Console log message
`packages/cwc-sql/src/auth/verifyToken.ts:65`	Property access: `config.secrets.authenticationPublicKey` → `config.secrets.sqlClientApiKey`
`packages/cwc-sql/src/__tests__/config.test.ts`	~20 occurrences of env var and property names
`packages/cwc-sql/src/__tests__/queryCache.test.ts:27`	Test config property
`packages/cwc-backend-utils/src/SqlClientKeysUtil.ts:43-46`	File paths: `data-api-keys` → `sql-client-api-keys`, `data-api-jwt-.pem` → `sql-client-api-key-.pem`

File	Changes
`packages/cwc-sql/README.md:288,318-319`	Env var and file path examples
`packages/cwc-sql/CLAUDE.md:133`	Configuration specification
`packages/cwc-backend-utils/README.md:408-414`	Key file location references
`packages/cwc-configuration-helper/README.md:94`	Secrets file format example
Root `CLAUDE.md`	Add naming guidelines section

I've created the plan. Before exiting plan mode, I have one clarifying question about Issue 1.

Claude is asking...

Env MappingFor the MariaDB secrets path, how should deployment name map to runtimeEnv? For example, if deploying with --deployment-name 'test', should it read from 'test-secrets.json'?

Direct mapping (Recommended)- Deployment name maps directly: 'test' → 'test-secrets.json', 'dev' → 'dev-secrets.json', 'prod' → 'prod-secrets.json'

Add explicit flag- Add a new --runtime-env flag to the deploy command to specify which secrets file to use

Developer Response

Q: For the MariaDB secrets path, how should deployment name map to runtimeEnv? For example, if deploying with --deployment-name 'test', should it read from 'test-secrets.json'?

A: "Direct mapping (Recommended)"

Let me update the plan with this clarification.

The plan is complete with all clarifications incorporated. Here's a summary of what we'll implement:

Order of Implementation:

Issue 3 - Rename authenticationPublicKey → sqlClientApiKey (clear naming)
Issue 2 - Improve path.join syntax for searchability
Issue 1 - Consolidate MariaDB secrets (direct mapping: deployment name → secrets file)
Issue 4 - Configuration helper: collect all missing values, report together, then fail

We'll work through these step-by-step as you requested, discussing each one before implementing.

Exited plan mode

Work interrupted

let's keep planning

Of course, let's continue planning. What aspects would you like to discuss further or refine?

jeff

It seems that the details of your plan have disappeared, but I noticed some inconsistencies between your version of the env-secrets.json file and what I was envisioning. Here is what I thought would be needed: {
"DATABASE_USER": "...",
"DATABASE_PASSWORD": "...",
"AUTHENTICATION_PUBLIC_KEY": "...",
"USER_JWT_SECRET": "...",
"TEMP_JWT_SECRET": "..."
}. I may be overlooking some requirements, but why to you have ROOT_PASSWORD?

Claude

You raise an important point. Let me clarify the distinction:

Current cwc-deployment DatabaseSecrets (for deploying MariaDB):

rootPwd - Root password for MariaDB server administration
mariadbUser - Application database user name
mariadbPwd - Application database user password

Your runtime application secrets (for cwc-sql, cwc-auth, etc.):

DATABASE_USER - Same as mariadbUser
DATABASE_PASSWORD - Same as mariadbPwd

The rootPwd is used during database deployment to:

Authenticate as root to create schemas
Create the application user with proper permissions

At runtime, applications only need DATABASE_USER / DATABASE_PASSWORD (they never use root).

Claude is asking...

Root PasswordHow should we handle the MariaDB root password, which is only needed during database deployment (not at runtime)?

Include in same file- Add MARIADB_ROOT_PASSWORD to the {env}-secrets.json alongside DATABASE_USER, DATABASE_PASSWORD, etc.

Keep deployment secrets separate- Keep a dedicated deployment secrets file for root password, use DATABASE_USER/DATABASE_PASSWORD from config-helper for the app user credentials

Developer Response

Q: How should we handle the MariaDB root password, which is only needed during database deployment (not at runtime)?

A: "Okay, thank you. Let's call it DATABASE_ROOT_PASSWORD."

Got it. All secrets in one file with DATABASE_ROOT_PASSWORD. Let me update the plan with the correct secrets file format.

Let me read the updated plan to verify it's complete and consistent.

Tool Result

     1→# Plan: CWC Configuration Improvements
     2→
     3→This plan addresses 4 issues related to secrets management, code searchability, naming clarity, and configuration helper improvements.
     4→
     5→## Recommended Order
     6→
     7→1. **Issue 3** - Rename `authenticationPublicKey` → `sqlClientApiKey` (naming clarity first)
     8→2. **Issue 2** - Improve path.join syntax (searchability improvements)
     9→3. **Issue 1** - Consolidate MariaDB secrets (depends on secrets file format)
    10→4. **Issue 4** - Configuration helper error handling (final enhancement)
    11→
    12→---
    13→
    14→## Issue 1: Consolidate MariaDB Secrets into Configuration Helper
    15→
    16→**Goal:** Move MariaDB secrets from dedicated file to the centralized configuration-helper secrets files.
    17→
    18→### Changes Required
    19→
    20→**File: `packages/cwc-deployment/src/core/config.ts`**
    21→- Update `loadDatabaseSecrets()` signature to accept `deploymentName` parameter
    22→- Change path from `{secretsPath}/database/mariadb/secrets.json` to `{secretsPath}/configuration-helper/{deploymentName}-secrets.json`
    23→- Direct mapping: 'test' → 'test-secrets.json', 'dev' → 'dev-secrets.json', 'prod' → 'prod-secrets.json'
    24→- Read keys as `DATABASE_ROOT_PASSWORD`, `DATABASE_USER`, `DATABASE_PASSWORD` and map to internal types
    25→
    26→**File: `packages/cwc-deployment/src/types/config.ts`**
    27→- Keep existing `DatabaseSecrets` type (rootPwd, mariadbUser, mariadbPwd)
    28→- Mapping happens in `loadDatabaseSecrets()` when reading JSON keys
    29→
    30→**File: `packages/cwc-deployment/src/commands/deploy.ts`**
    31→- Pass `deploymentName` (already available in options) to `loadDatabaseSecrets()` call
    32→
    33→**File: `packages/cwc-deployment/README.md`**
    34→- Update secrets path documentation
    35→
    36→**Secrets File Format:**
    37→```json
    38→// {cwcSecretsPath}/configuration-helper/{deploymentName}-secrets.json
    39→{
    40→  "DATABASE_ROOT_PASSWORD": "...",
    41→  "DATABASE_USER": "...",
    42→  "DATABASE_PASSWORD": "...",
    43→  "SQL_CLIENT_API_KEY": "-----BEGIN PUBLIC KEY-----\n...",
    44→  "USER_JWT_SECRET": "...",
    45→  "TEMP_JWT_SECRET": "..."
    46→}
    47→```
    48→
    49→**Key Mapping in cwc-deployment:**
    50→- `rootPwd` → reads `DATABASE_ROOT_PASSWORD`
    51→- `mariadbUser` → reads `DATABASE_USER`
    52→- `mariadbPwd` → reads `DATABASE_PASSWORD`
    53→
    54→---
    55→
    56→## Issue 2: Improve path.join Syntax for Searchability
    57→
    58→**Goal:** Use concatenated path strings for better grep/search results.
    59→
    60→### Changes Required
    61→
    62→**File: `packages/cwc-deployment/src/core/config.ts`**
    63→- Line 14: `path.join(secretsPath, 'deployment', 'servers.json')` → `path.join(secretsPath, 'deployment/servers.json')`
    64→- Line 32: Will be updated as part of Issue 1
    65→
    66→**Other files to scan:** Search for similar `path.join(..., 'x', 'y', ...)` patterns
    67→
    68→### Pattern
    69→```typescript
    70→// BEFORE (hard to search for "database/mariadb")
    71→path.join(secretsPath, 'database', 'mariadb', 'secrets.json')
    72→
    73→// AFTER (searchable)
    74→path.join(secretsPath, 'database/mariadb/secrets.json')
    75→```
    76→
    77→---
    78→
    79→## Issue 3: Rename authenticationPublicKey → sqlClientApiKey
    80→
    81→**Goal:** Clarify that this key is for SQL Client API authentication, not general auth.
    82→
    83→### Code Files to Update
    84→
    85→| File | Changes |
    86→|------|---------|
    87→| `packages/cwc-sql/src/config/config.types.ts:10` | Type property: `authenticationPublicKey` → `sqlClientApiKey` |
    88→| `packages/cwc-sql/src/config/loadConfig.ts:167` | Assignment and env var: `AUTHENTICATION_PUBLIC_KEY` → `SQL_CLIENT_API_KEY` |
    89→| `packages/cwc-sql/src/config/loadConfig.ts:216` | Console log message |
    90→| `packages/cwc-sql/src/auth/verifyToken.ts:65` | Property access: `config.secrets.authenticationPublicKey` → `config.secrets.sqlClientApiKey` |
    91→| `packages/cwc-sql/src/__tests__/config.test.ts` | ~20 occurrences of env var and property names |
    92→| `packages/cwc-sql/src/__tests__/queryCache.test.ts:27` | Test config property |
    93→| `packages/cwc-backend-utils/src/SqlClientKeysUtil.ts:43-46` | File paths: `data-api-keys` → `sql-client-api-keys`, `data-api-jwt-*.pem` → `sql-client-api-key-*.pem` |
    94→
    95→### Documentation to Update
    96→
    97→| File | Changes |
    98→|------|---------|
    99→| `packages/cwc-sql/README.md:288,318-319` | Env var and file path examples |
   100→| `packages/cwc-sql/CLAUDE.md:133` | Configuration specification |
   101→| `packages/cwc-backend-utils/README.md:408-414` | Key file location references |
   102→| `packages/cwc-configuration-helper/README.md:94` | Secrets file format example |
   103→| Root `CLAUDE.md` | Add naming guidelines section |
   104→
   105→### Naming Guideline to Add to CLAUDE.md
   106→
   107→```markdown
   108→## Naming Conventions for Configuration Values
   109→
   110→**Clarity is critical for maintainability.** Configuration names should clearly indicate:
   111→1. **What** the value is for (its purpose)
   112→2. **Where** it's used (which service/context)
   113→
   114→**Examples:**
   115→- `sqlClientApiKey` - Clear: API key for SQL Client authentication
   116→- `authenticationPublicKey` - Unclear: Could apply to any auth system
   117→
   118→**Rule:** When naming configuration values, prefer verbose, descriptive names over short, ambiguous ones.
   119→```
   120→
   121→---
   122→
   123→## Issue 4: Configuration Helper - Error on Missing Values
   124→
   125→**Goal:** The `generate` command should collect all missing values and fail with detailed error info, instead of silently inserting placeholders.
   126→
   127→### Changes Required
   128→
   129→**File: `packages/cwc-configuration-helper/src/envGenerator.ts`**
   130→
   131→1. Add `MissingValueCollector` type and tracking mechanism
   132→2. Modify `getDefaultValue()` (lines 237-306) to track missing values
   133→3. Modify `getSecretValue()` (lines 314-321) to track missing secrets
   134→4. Export function to check for missing values
   135→
   136→**File: `packages/cwc-configuration-helper/src/commands/generate.ts`**
   137→
   138→1. Collect missing values across all packages
   139→2. After all packages processed, if any missing values:
   140→   - Display detailed error report grouped by package
   141→   - Exit with non-zero status code
   142→
   143→### Error Report Format
   144→```
   145→Error: Missing configuration values detected
   146→
   147→Package: cwc-sql
   148→  - DATABASE_PASSWORD (secret)
   149→  - SERVICE_PORT (number, no default)
   150→
   151→Package: cwc-auth
   152→  - CORS_ORIGIN (string, no default for prod environment)
   153→  - USER_JWT_SECRET (secret)
   154→
   155→Total: 4 missing values across 2 packages
   156→
   157→Please update your secrets file: {secretsPath}/configuration-helper/{env}-secrets.json
   158→```
   159→
   160→### Implementation Approach
   161→
   162→```typescript
   163→// New types in envGenerator.ts
   164→type MissingValue = {
   165→  envVarName: string;
   166→  propertyName: string;
   167→  type: 'secret' | 'regular';
   168→  tsType: string;
   169→  reason: string; // "no default", "not in secrets file", etc.
   170→};
   171→
   172→type GenerationResult = {
   173→  content: string;
   174→  missingValues: MissingValue[];
   175→};
   176→
   177→// Modify generateEnvContent to return GenerationResult
   178→// Modify generate.ts to aggregate results and fail if any missing
   179→```
   180→
   181→---
   182→
   183→## Files Summary
   184→
   185→### Must Modify
   186→- `packages/cwc-deployment/src/core/config.ts`
   187→- `packages/cwc-deployment/src/commands/deploy.ts`
   188→- `packages/cwc-deployment/src/types/config.ts`
   189→- `packages/cwc-deployment/README.md`
   190→- `packages/cwc-sql/src/config/config.types.ts`
   191→- `packages/cwc-sql/src/config/loadConfig.ts`
   192→- `packages/cwc-sql/src/auth/verifyToken.ts`
   193→- `packages/cwc-sql/src/__tests__/config.test.ts`
   194→- `packages/cwc-sql/src/__tests__/queryCache.test.ts`
   195→- `packages/cwc-sql/README.md`
   196→- `packages/cwc-sql/CLAUDE.md`
   197→- `packages/cwc-backend-utils/src/SqlClientKeysUtil.ts`
   198→- `packages/cwc-backend-utils/README.md`
   199→- `packages/cwc-configuration-helper/README.md`
   200→- `packages/cwc-configuration-helper/src/envGenerator.ts`
   201→- `packages/cwc-configuration-helper/src/commands/generate.ts`
   202→- Root `CLAUDE.md`
   203→
   204→### Typecheck After Each Issue
   205→Run `pnpm typecheck` after completing each issue to ensure no breaks.
   206→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

The plan is now updated and consistent. Here's the summary:

Consolidated Secrets File Format:

{
  "DATABASE_ROOT_PASSWORD": "...",
  "DATABASE_USER": "...",
  "DATABASE_PASSWORD": "...",
  "SQL_CLIENT_API_KEY": "-----BEGIN PUBLIC KEY-----\n...",
  "USER_JWT_SECRET": "...",
  "TEMP_JWT_SECRET": "..."
}

Implementation Order:

Issue 3 - Rename authenticationPublicKey → sqlClientApiKey
Issue 2 - Improve path.join syntax for searchability
Issue 1 - Consolidate MariaDB secrets (using the format above)
Issue 4 - Configuration helper: collect all missing values, then fail with detailed report

Is there anything else you'd like to discuss or refine in the plan before we proceed?

jeff

no, thank you, let's get started!

Claude

Exited plan mode

Plan approved

Let me set up the task list and start with Issue 3 (renaming authenticationPublicKey → sqlClientApiKey).

Starting with Issue 3: Rename authenticationPublicKey → sqlClientApiKey.

Let me read the code files that need to be updated.

Now let me make the code changes. Starting with the type definition and config loading.

Good progress. Now let me update the test files and the SqlClientKeysUtil.

Now let me update the test files. I'll use replace_all for efficient bulk updates.

Now let me update the SqlClientKeysUtil.ts with the new file paths.

Excellent. Now let me update the documentation files. First, let me read them.

Now let me update all the documentation files.

Now let me add the naming guidelines section to the root CLAUDE.md. Let me find a good location for it.

Now let me run the typecheck to verify all changes compile correctly.

There's a pre-existing issue with missing @types/uuid. Let me install it and try again.

Typecheck passes. Issue 3 is complete. Let me update the todo list and move to Issue 2.

Issue 3 complete! Now starting Issue 2: Improve path.join syntax for searchability.

Let me search for segmented path.join patterns across the codebase.

Found the patterns. Let me update the ones that benefit from searchability (constant path segments, not directory navigation).

Let me also add this as a coding guideline in the root CLAUDE.md and verify the typecheck passes.

Now let me add this as a coding guideline. I'll add it to the TypeScript section.

Issue 2 is complete. Let me update the todo list and move to Issue 1 (consolidating MariaDB secrets).

Issue 2 complete! Now starting Issue 1: Consolidate MariaDB secrets into configuration-helper.

Let me read the current implementation and update it.

Now let me update the loadDatabaseSecrets function to use the new path and key mapping.

Now let me update the call site in deploy.ts to pass the deploymentName.

Now let me update the README.md documentation for cwc-deployment.

Let me run the typecheck to verify the changes compile correctly.

Issue 1 is complete. Let me update the todo list and move to Issue 4 (configuration helper error handling).

Issue 1 complete! Now starting Issue 4: Configuration helper - error on missing values.

Let me read the current implementation to understand how to add the error tracking.

Now I understand the structure. Let me implement the error tracking for missing values.

Let me add the new types and update the generator to track missing values.

Now let me update envGenerator.ts to track missing values and return GenerationResult.

Now let me update the getDefaultValue function to return ValueResult.

Now let me update the getSecretValue function to return ValueResult.

Now let me update the generate.ts command to aggregate missing values and report errors.

Let me run the typecheck to verify everything compiles correctly.

The issue is TypeScript doesn't narrow the type properly. Let me fix it.

Now let me run the full typecheck to ensure all packages work together.

All typechecks pass. Let me mark Issue 4 as complete.

All four issues are now complete. Here's a summary of what was implemented:

Summary of Changes

Issue 3: Rename authenticationPublicKey → sqlClientApiKey ✅

Files modified:

packages/cwc-sql/src/config/config.types.ts - Type definition
packages/cwc-sql/src/config/loadConfig.ts - Config loading (env var: SQL_CLIENT_API_KEY)
packages/cwc-sql/src/auth/verifyToken.ts - JWT verification
packages/cwc-sql/src/__tests__/config.test.ts - Test updates
packages/cwc-sql/src/__tests__/queryCache.test.ts - Test updates
packages/cwc-backend-utils/src/SqlClientKeysUtil.ts - File paths (sql-client-api-keys/sql-client-api-key-*.pem)
Documentation: cwc-sql README/CLAUDE.md, cwc-backend-utils README/CLAUDE.md, cwc-configuration-helper README/CLAUDE.md
Root CLAUDE.md - Added naming conventions section

Issue 2: Improve path.join syntax for searchability ✅

Files modified:

packages/cwc-deployment/src/core/config.ts - Changed to deployment/servers.json
packages/cwc-configuration-helper/src/packageDiscovery.ts - Changed to src/config/loadConfig.ts
Root CLAUDE.md - Added path construction guideline

Issue 1: Consolidate MariaDB secrets ✅

Files modified:

packages/cwc-deployment/src/core/config.ts - Updated loadDatabaseSecrets() to read from configuration-helper/{deploymentName}-secrets.json
packages/cwc-deployment/src/commands/deploy.ts - Pass deploymentName parameter
packages/cwc-deployment/README.md - Updated secrets documentation

Issue 4: Configuration helper - error on missing values ✅

Files modified:

packages/cwc-configuration-helper/src/types.ts - Added MissingValue and GenerationResult types
packages/cwc-configuration-helper/src/envGenerator.ts - Updated generateEnvContent(), getDefaultValue(), and getSecretValue() to track missing values
packages/cwc-configuration-helper/src/commands/generate.ts - Aggregate missing values and exit with error

New behavior: The generate command now:

Collects all missing values across all packages
Displays a detailed error report grouped by package
Exits with non-zero status code if any values are missing

Additional Fix

Installed @types/uuid for cwc-backend-utils (pre-existing missing dependency)

jeff

Thank you! I will review those changes, while I do that please look for SERVICE_API_ALLOWED_IPS, allowedServiceIps, and serviceApiAllowedIps - if I remember correctly, we implemented docker compose networking and we will not refer to the services by IP address any more. In order to white-list services, will will need to use service name or something similar, correct? I think that this applies to cwc-auth and cwc-sql, are there other services that should white-list the services that can connect to it?

Claude

Let me explore the codebase to understand the current implementation and how Docker networking affects this.

Tool Result

Perfect. Now let me create a comprehensive summary report based on my findings:

## Comprehensive Search Results: IP Whitelisting and Service Authentication

I've completed a thorough search of the monorepo. Here are all the findings related to IP whitelisting and service authentication:

---

### 1. Configuration Type Definitions

**Files:**
- `/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-auth/src/config/config.types.ts` (Line 53)
- `/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-sql/src/config/config.types.ts` (Line 37)

**Content:**

Both packages define the same configuration property in their type definitions:

```typescript
// cwc-auth/src/config/config.types.ts - Line 53
serviceApiAllowedIps: string[];
```

```typescript
// cwc-sql/src/config/config.types.ts - Line 37
serviceApiAllowedIps: string[];
```

---

### 2. Configuration Loading

**cwc-auth Configuration Loading:**
- **File:** `/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-auth/src/config/loadConfig.ts`
- **Lines 27-33:** Parsing function for IP lists:
  ```typescript
  function parseIpList(envVar: string, defaultValue: string): string[] {
    const value = optionalEnv(envVar, defaultValue);
    if (!value || value.trim() === '') {
      return [];
    }
    return value.split(',').map((ip) => ip.trim()).filter((ip) => ip.length > 0);
  }
  ```
- **Line 97:** Parses environment variable:
  ```typescript
  serviceApiAllowedIps: parseIpList('SERVICE_API_ALLOWED_IPS', ''),
  ```
- **Line 149:** Debug logging output:
  ```typescript
  console.log(`  Allowed Service IPs: ${config.serviceApiAllowedIps.join(', ') || '(none)'}`);
  ```

**cwc-sql Configuration Loading:**
- **File:** `/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-sql/src/config/loadConfig.ts`
- **Lines 57-67:** Array parsing function:
  ```typescript
  function parseArray(name: string, defaultValue: string[] = []): string[] {
    const value = process.env[name];
    if (value === undefined || value === '') {
      return defaultValue;
    }
    return value
      .split(',')
      .map((item) => item.trim())
      .filter((item) => item.length > 0);
  }
  ```
- **Line 138:** Parses environment variable:
  ```typescript
  serviceApiAllowedIps: parseArray('SERVICE_API_ALLOWED_IPS'),
  ```
- **Line 217:** Debug logging output:
  ```typescript
  console.log(`  Allowed IPs: ${config.serviceApiAllowedIps.length > 0 ? config.serviceApiAllowedIps.join(', ') : 'all'}`);
  ```

---

### 3. IP Extraction and Validation (Service API Implementation)

**cwc-auth IP Validation:**
- **File:** `/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-auth/src/apis/ServiceApiV1/index.ts`

**IP Address Extraction (Lines 7-31):**
```typescript
function getRemoteIpAddress(req: Request): string {
  const requestIp = req.ip ?? '';

  // Handle IPv6 localhost
  if (requestIp === '::1') {
    return requestIp;
  }

  // Handle IPv4-mapped IPv6 addresses (::ffff:192.168.1.1 -> 192.168.1.1)
  if (requestIp.startsWith('::ffff:')) {
    return requestIp.substring(7);
  }

  return requestIp;
}
```

**Service IP Validation (Lines 74-88):**
```typescript
private validateServiceIp(req: Request): boolean {
  // In development/test, allow all IPs if whitelist is empty
  if (!this.config.isProduction && this.allowedIps.size === 0) {
    return true;
  }

  const remoteIp = getRemoteIpAddress(req);

  if (!remoteIp) {
    return false;
  }

  // Check if IP is in whitelist
  return this.allowedIps.has(remoteIp);
}
```

**IP Whitelist Validation in Handler (Lines 115-129):**
```typescript
// Validate IP whitelist
if (!this.validateServiceIp(req)) {
  // Log the IP internally for debugging, but never expose in response
  const remoteIp = getRemoteIpAddress(req);
  logError('Service IP not allowed', 'IP not in whitelist', { remoteIp });
  res.status(403).json({
    data: {
      success: false,
      jwtType: undefined,
      // SECURITY: Never expose requesting IP in response - log only
    },
    jwt: undefined,
  });
  return;
}
```

**ServiceApiV1 Class Constructor (Lines 52-61):**
```typescript
constructor(
  config: CwcAuthConfig,
  sqlClient: SqlClient,
  logger: ILogger | undefined
) {
  this.config = config;
  this.logger = logger;
  this.routes = getRoutes({ sqlClient, config, logger });
  this.allowedIps = new Set(config.serviceApiAllowedIps);
}
```

---

### 4. Alternative IP Extraction Method in Backend Utils

**File:** `/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-backend-utils/src/express/requestUtils.ts`

This provides an alternative/legacy IP extraction method used elsewhere:
```typescript
export const getRemoteIpAddress = (req: Request): string => {
  // Resolution order:
  // 1. x-real-ip header (set by nginx proxy)
  // 2. origin header hostname
  // 3. req.ip (with IPv6 prefix handling)
  
  const xRealIp = req.headers['x-real-ip'] as string;
  if (xRealIp) {
    return xRealIp;
  }

  const origin = req.headers.origin;
  if (origin) {
    const url = new URL(origin);
    return url.hostname;
  }

  const requestIp = req.ip;
  if (requestIp === '::1') {
    return requestIp;
  }
  if (requestIp?.startsWith('::ffff:')) {
    return requestIp.substring(7);
  }
  return requestIp ?? '';
};
```

---

### 5. Service API Routes

**File:** `/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-auth/src/apis/ServiceApiV1/routes.ts`

Protected route configuration:
```typescript
export const getRoutes = (deps: AuthDependencies): ServiceRouteConfigs => {
  const renewSessionWorker = createRenewSessionWorker(deps);

  return {
    '/renew-session': {
      handlerType: 'renew-session',
      path: '/renew-session',
      method: 'POST',
      worker: renewSessionWorker,
    },
  };
};
```

---

### 6. cwc-sql Service Usage

**File:** `/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-sql/src/index.ts`

**Lines 34-36:** Configuration adapter that converts IP list to comma-separated string:
```typescript
serviceApi: {
  allowedIps: sqlConfig.serviceApiAllowedIps.join(','),
},
```

This is passed to the Express service factory from `cwc-backend-utils`.

---

### 7. Test Coverage

**cwc-auth Configuration Tests:**
- **File:** `/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-auth/src/__tests__/config.test.ts`
- **Lines 90-111:** IP list parsing tests
  - Parses comma-separated IPs
  - Handles empty IP lists
  - Handles single IPs
  - Tests include examples: `'192.168.1.1, 192.168.1.2 , 192.168.1.3'`

**cwc-sql Configuration Tests:**
- **File:** `/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-sql/src/__tests__/config.test.ts`
- **Lines 184-208:** IP list parsing tests
  - Line 196: `process.env.SERVICE_API_ALLOWED_IPS = '192.168.1.1, 192.168.1.2 , 192.168.1.3'`;
  - Line 207: Expects parsed result `['192.168.1.1', '192.168.1.2', '192.168.1.3']`
  - Lines 64, 112, 142, 168, 196, 263, 289, 315, 341, 370, 399, 425, 458: Multiple references throughout tests

---

### 8. Environment Variable Documentation

**cwc-auth CLAUDE.md:**
- **File:** `/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-auth/CLAUDE.md`
- **Line 113:** Example configuration:
  ```bash
  SERVICE_API_ALLOWED_IPS=127.0.0.1,192.168.1.1
  ```
- **Lines 142-144:** Description of Service API Protection:
  ```
  - IP whitelist for `/renew-session` endpoint
  - Only internal services (cwc-api) can renew sessions
  ```

**cwc-sql CLAUDE.md:**
- **File:** `/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-sql/CLAUDE.md`
- **Lines 76-77:** Configuration rule:
  ```
  SERVICE_API_ALLOWED_IPS: Split by comma, trim whitespace
  ```

---

### 9. Docker Compose

**Search Result:** No docker-compose files found in the monorepo using the glob pattern `**/docker-compose*.{yml,yaml}`

However, there is a reference to Docker composition in documentation:
- **File:** `/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-deployment/docker-compose-upgrade.md`

---

### Summary of Architecture

**IP Whitelisting Flow:**

1. **Configuration Loading:** Both cwc-auth and cwc-sql read `SERVICE_API_ALLOWED_IPS` environment variable
2. **Parsing:** Comma-separated string parsed into array of IPs
3. **Initialization:** ServiceApiV1 converts array to Set for O(1) lookup
4. **Validation:** For each service-to-service request:
   - Extract IP from request (via `req.ip` with IPv6 handling)
   - Check if IP exists in whitelist Set
   - Allow only if: (non-prod AND empty whitelist) OR (IP in whitelist)
   - Return 403 Forbidden if not allowed
5. **Logging:** IPs logged internally for debugging, never exposed in responses

**Protected Service Endpoints:**

- `POST /auth/v1/renew-session` in cwc-auth
- IP validation occurs before JWT validation
- Used by cwc-api to refresh user session claims after project operations

**Security Considerations:**

- In production, IP whitelist is enforced
- In development/test, empty whitelist allows all IPs
- IPv6-mapped IPv4 addresses are normalized (e.g., `::ffff:192.168.1.1` becomes `192.168.1.1`)
- IPv6 localhost (`::1`) is handled correctly
- Requesting IP is logged internally but never exposed in error responses
agentId: a2d176c (for resuming to continue this agent's work if needed)

Based on the exploration, here's what I found:

Current STATE_API_ALLOWED_IPS Usage

Package	Purpose	Callers
cwc-sql	Whitelist IPs for database access	cwc-api, cwc-auth, cwc-admin-api
cwc-auth	Whitelist IPs for `/renew-session` endpoint	cwc-api

The Problem with Docker Compose Networking

You're correct. With Docker Compose:

Services communicate by service name (e.g., http://cwc-sql:5020)
IP addresses are dynamically assigned within the Docker network
IP-based whitelisting becomes unreliable/meaningless

Current Security Layers

cwc-sql already has JWT authentication - The SQL_CLIENT_API_KEY validates that only authorized backend services (cwc-api, cwc-auth, cwc-admin-api) can call it. The IP whitelist may be redundant.
Docker network isolation - Services on the same Docker network can communicate, but external access is controlled.

Let me update the plan file and ask some clarifying questions.

Package	Config Property	Env Variable	Purpose
cwc-sql	`serviceApiAllowedIps`	`SERVICE_API_ALLOWED_IPS`	Whitelist which services can access the database API
cwc-auth	`serviceApiAllowedIps`	`SERVICE_API_ALLOWED_IPS`	Whitelist which services can call `/renew-session`

Tool Result

The file /Users/jeffbazinet/.claude/plans/elegant-wobbling-popcorn.md has been updated. Here's the result of running `cat -n` on a snippet of the edited file:
     1→# Plan: Replace IP Whitelisting with Service Name Whitelisting
     2→
     3→## Background
     4→
     5→With Docker Compose networking, services communicate by service name rather than IP address. The current `SERVICE_API_ALLOWED_IPS` configuration uses IP-based whitelisting, which doesn't work well with dynamic Docker networking.
     6→
     7→## Current Usage
     8→
     9→| Package | Config Property | Env Variable | Purpose |
    10→|---------|-----------------|--------------|---------|
    11→| cwc-sql | `serviceApiAllowedIps` | `SERVICE_API_ALLOWED_IPS` | Whitelist which services can access the database API |
    12→| cwc-auth | `serviceApiAllowedIps` | `SERVICE_API_ALLOWED_IPS` | Whitelist which services can call `/renew-session` |
    13→
    14→## Files Affected
    15→
    16→### cwc-sql
    17→- `packages/cwc-sql/src/config/config.types.ts:37`
    18→- `packages/cwc-sql/src/config/loadConfig.ts:138`
    19→- `packages/cwc-sql/src/__tests__/config.test.ts` (multiple lines)
    20→- `packages/cwc-sql/CLAUDE.md`
    21→
    22→### cwc-auth
    23→- `packages/cwc-auth/src/config/config.types.ts:53`
    24→- `packages/cwc-auth/src/config/loadConfig.ts:97`
    25→- `packages/cwc-auth/src/apis/ServiceApiV1/index.ts` (IP validation logic)
    26→- `packages/cwc-auth/src/__tests__/config.test.ts`
    27→- `packages/cwc-auth/CLAUDE.md`
    28→
    29→### cwc-backend-utils
    30→- `packages/cwc-backend-utils/src/express/requestUtils.ts` (getRemoteIpAddress)
    31→
    32→## Options to Consider
    33→
    34→### Option A: Remove IP whitelisting entirely
    35→- **cwc-sql** already validates with JWT (SQL_CLIENT_API_KEY) - IP whitelist may be redundant
    36→- **cwc-auth** `/renew-session` could rely on JWT validation instead
    37→- Simplifies configuration
    38→
    39→### Option B: Replace with service name whitelisting
    40→- Change from IP addresses to Docker service names
    41→- Parse the `Host` header or use a custom header to identify callers
    42→- Example: `SERVICE_API_ALLOWED_SERVICES=cwc-api,cwc-admin-api`
    43→
    44→### Option C: Keep IP whitelisting for non-Docker deployments
    45→- Make it optional/configurable based on deployment type
    46→- Empty list = allow all (current dev behavior)
    47→
    48→## Questions to Resolve
    49→
    50→1. Is the IP whitelisting redundant given JWT authentication?
    51→2. Should we require service identification beyond JWT?
    52→3. Do we need to support non-Docker deployments with IP whitelisting?
    53→

System

Claude

Based on my investigation, here's what I found regarding SERVICE_API_ALLOWED_IPS:

Summary

Package	Config Property	Env Variable	Purpose
cwc-sql	`serviceApiAllowedIps`	`SERVICE_API_ALLOWED_IPS`	Whitelist which services can access the database API
cwc-auth	`serviceApiAllowedIps`	`SERVICE_API_ALLOWED_IPS`	Whitelist which services can call `/renew-session`

My Recommendation: Remove IP Whitelisting (Option A)

For cwc-sql: IP whitelisting is redundant because:

JWT authentication (via SQL_CLIENT_API_KEY) already validates that the caller possesses the private key
Only authorized services have access to the private key
The IP check adds no real security benefit on top of JWT validation
In dev environments, it's already set to empty array (allow all)

For cwc-auth: The /renew-session endpoint should rely on JWT validation instead:

If the endpoint validates the incoming JWT before renewing, IP whitelisting is redundant
Service identity is already proven by possession of valid JWT

Benefits of removing IP whitelisting:

Simpler configuration (no IP lists to maintain)
Works naturally with Docker Compose networking
No need to track service IPs or container names
Security is maintained through JWT authentication

Files to Modify

cwc-sql:

packages/cwc-sql/src/config/config.types.ts - Remove serviceApiAllowedIps
packages/cwc-sql/src/config/loadConfig.ts - Remove parsing logic
packages/cwc-sql/src/__tests__/config.test.ts - Update tests

cwc-auth:

packages/cwc-auth/src/config/config.types.ts - Remove serviceApiAllowedIps
packages/cwc-auth/src/config/loadConfig.ts - Remove parsing logic
packages/cwc-auth/src/apis/ServiceApiV1/index.ts - Remove IP validation logic
packages/cwc-auth/src/__tests__/config.test.ts - Update tests

cwc-backend-utils:

packages/cwc-backend-utils/src/express/requestUtils.ts - Keep getRemoteIpAddress (may be useful for logging/debugging)

cwc-configuration-helper:

packages/cwc-configuration-helper/src/configuration.ts - Remove serviceApiAllowedIps from config

Let me know if you'd like me to proceed with this approach, or if you prefer a different option (like replacing with service name whitelisting instead).

jeff

my original thought/intention for service whitelisting was to immediately reject a request if it is coming from an unknown source and avoid expending any processing resources on that request. do you think that there is any performance benefit to using a whitelisting approach?

Claude

That's a good consideration. Let me analyze the performance tradeoff:

Performance Analysis

Cost of JWT Verification (RS256):

Parse JWT structure (header, payload, signature)
Base64 decode
RSA signature verification (the expensive part - cryptographic operation)
Typically: 1-5ms per verification

Cost of Whitelist Check:

Array lookup or string comparison
Typically: <0.01ms (negligible)

Potential Savings:

If you receive 1000 requests/second from unknown sources, whitelisting saves ~1-5 seconds of CPU time per second
For legitimate traffic, both checks run anyway (no savings)

However, Docker Networking Changes the Equation

With Docker Compose networking:

Network isolation is built-in - only containers on the same Docker network can reach your services
External traffic doesn't hit internal services directly (they're not exposed)
The "unknown source" scenario becomes much less likely

Attack surface comparison:

Deployment	Can unknown sources reach cwc-sql?
Traditional (exposed ports)	Yes - whitelist provides early rejection
Docker Compose (internal network)	No - only compose services can connect

My Updated Recommendation

Given Docker Compose networking, the performance benefit of whitelisting is minimal because:

Only authorized containers can reach the service anyway
Those containers have the JWT key (legitimate callers)

But if you want to keep the early-rejection pattern for defense-in-depth, we could:

Replace IP whitelisting with service name identification via a custom header (e.g., X-Service-Name: cwc-api)
Check header before JWT validation
Simple string comparison, very fast

Would you prefer:

Remove whitelisting entirely - rely on Docker network isolation + JWT
Replace with service name header - keep early-rejection pattern with minimal overhead

jeff

Thank you. 1. Remove whitelisting entirely

Claude

I'll update the plan file with the final approach.

The plan is ready. I'll remove IP whitelisting from both cwc-sql and cwc-auth, keeping getRemoteIpAddress in cwc-backend-utils for logging purposes.

Exited plan mode

Plan approved

Now I'll make the changes to cwc-sql. First, removing serviceApiAllowedIps from the config types.

Now let me read the cwc-sql test file and CLAUDE.md to update them.

I need to update the test file. I'll remove all references to SERVICE_API_ALLOWED_IPS and the specific test for comma-separated IPs.

Now let me remove the "should parse comma-separated IPs" test entirely.

Now let me update cwc-sql CLAUDE.md.

Now I'll make the changes to cwc-auth. Let me start with config.types.ts.

Now let me update the ServiceApiV1/index.ts to remove IP validation.

Let me update the cwc-auth test file and CLAUDE.md.

Let me search for any remaining references to serviceApiAllowedIps in the configuration-helper package.

Good, there are no references to serviceApiAllowedIps in cwc-configuration-helper. Let me also search the whole codebase to make sure we didn't miss anything.

Found several more places. Let me fix them.

I need to check the BackendUtilsConfig type in cwc-backend-utils.

I see serviceApi is optional in BackendUtilsConfig. Let me remove it from the config objects in cwc-auth and cwc-sql, and also clean up the type definition.

Now let me fix the remaining test files and README.

Let me also clean up the BackendUtilsConfig type and README in cwc-backend-utils.

All changes complete. Typecheck passes (13/13 successful).

Summary of Changes

Removed IP whitelisting (SERVICE_API_ALLOWED_IPS / serviceApiAllowedIps) from:

cwc-sql

src/config/config.types.ts - Removed serviceApiAllowedIps property
src/config/loadConfig.ts - Removed parseArray function and parsing logic
src/index.ts - Removed serviceApi from BackendUtilsConfig creation
src/__tests__/config.test.ts - Removed test cases and env var references
src/__tests__/queryCache.test.ts - Removed from mock config
CLAUDE.md - Removed from environment variables documentation
README.md - Removed from environment variables documentation

cwc-auth

src/config/config.types.ts - Removed serviceApiAllowedIps property
src/config/loadConfig.ts - Removed parseIpList function and parsing logic
src/index.ts - Removed serviceApi from BackendUtilsConfig creation
src/apis/ServiceApiV1/index.ts - Removed getRemoteIpAddress, validateServiceIp, IP validation middleware, and allowedIps property
src/__tests__/config.test.ts - Removed IP list parsing test block
CLAUDE.md - Updated ServiceApiV1 table and security patterns

cwc-backend-utils

src/backendUtils.types.ts - Removed optional serviceApi property from BackendUtilsConfig
README.md - Removed serviceApi from type documentation

Rationale: With Docker Compose networking, only containers on the same network can reach internal services. JWT authentication already validates caller identity, making IP whitelisting redundant.

System

jeff

I would like your help with a couple of config values, DEV_CORS_ORIGIN and DEV_MACHINES, and the related functionality. To prevent the public from using the test website, in the past on other projects, I have blocked access to the test website using firewall rules, only allowing specific IP addresses (identified in DEV_MACHINES) to connect. The DEV_MACHINES config values were added when I was working from 2 different locations that had different public IP addresses and I needed a way to determine if the traffic should be allowed by the services. I'm not sure if any of that is relevant anymore and I would like your assessment of the concept as well as a review of the implementation and recommendations for how to handle this scenario. A separate issue, when I run the cwc-website (yet to be built) pointed at the test services, running on the test server rather than locally, the services implement cors checks and I want to avoid cors errors in this situation. packages/cwc-backend-utils/src/express/cors.ts implements this and I see some hard-coded IP addresses - this is tech-debt from when I originally wrote the backend-utils code. Please review the code and offer your ideas about how this should be implemented.

Claude

I'll explore the codebase to understand how DEV_MACHINES, DEV_CORS_ORIGIN, and the CORS implementation are currently used.

Let me read the cors.ts file directly to ensure I have the complete picture.

Now I have a comprehensive understanding. Let me summarize what I found and ask some clarifying questions.

Current Implementation Analysis

DEV_MACHINES Purpose

Array of {name, ip} objects parsed from JSON environment variable
Used only in test environment to identify developer machines by their public IP
When a request's x-real-ip (set by nginx) matches a devMachine AND the request origin matches devCorsOrigin, the middleware allows the alternative CORS origin
Use case: Running cwc-website locally (localhost:3000) while pointing at test services

DEV_CORS_ORIGIN Purpose

The alternative origin to allow when request comes from a dev machine
Example: http://localhost:3000 (local development server)
Only works in combination with DEV_MACHINES

Hard-coded Docker IPs (Lines 38-39)

const isFromCwcApi = requestIp === '192.1.1.4';
const isFromCwcContent = requestIp === '192.1.1.20';

These are Docker Compose network IPs for internal services
Used to allow service-to-service CORS (different from developer machine access)
The comment on line 37 acknowledges this is tech debt

Key Inconsistency

Hard-coded IPs check req.ip (direct connection)
devMachines check x-real-ip header (nginx proxy)
These are extracted differently, which is confusing

Claude is asking...

Test AccessDo you still need the ability to block external access to the test website (firewall + IP whitelisting), or is the test environment accessible only internally (e.g., VPN, private network)?

Still need IP-based blocking- Test site is publicly accessible, need to restrict by IP

No longer needed- Test environment is already network-isolated (VPN, private network, etc.)

Unsure- Need to think about the test environment setup

Local DevFor running cwc-website locally against test services, what is the typical workflow?

Run website on localhost, point to test API- localhost:3000 → test.api.codingwithclaude.com

Run everything locally via Docker- Full local stack, no connection to test server

Both scenarios- Sometimes local → test, sometimes fully local

Docker IPsFor the hard-coded Docker IPs (192.1.1.4, 192.1.1.20), what services do these represent and are they still accurate?

Still accurate- These Docker network IPs are still used and correct

Outdated/unknown- Not sure if these are still the right IPs

No longer needed- Service-to-service CORS isn't needed (services communicate differently)

Developer Response

Q: Do you still need the ability to block external access to the test website (firewall + IP whitelisting), or is the test environment accessible only internally (e.g., VPN, private network)?

A: "The test website is available on the internet, test.codingwithclaude.dev, so I can test on my phone or other remote scenarios. Is IP whitelisting the best approach or wouuld you recommend an alternative approach?"

Q: For running cwc-website locally against test services, what is the typical workflow?

A: "Both scenarios"

Q: For the hard-coded Docker IPs (192.1.1.4, 192.1.1.20), what services do these represent and are they still accurate?

A: "The services represented are `cwc-api` and `cwc-content` - neither of which have been built yet, but I do plan to create those soon. I think that we should remove the `isFromCwcApi` and `isFromCwcContent` code and worry about that if/when it becomes an issue."

Great context. Let me address your question about IP whitelisting alternatives for protecting the test environment, then proceed with the plan.

Analysis: Protecting test.codingwithclaude.dev

IP Whitelisting Challenges:

Mobile networks change IPs frequently (4G/5G)
Different WiFi networks = different public IPs
Hard to manage when testing from multiple locations
Dynamic home ISP IPs require constant updates

Recommended Alternative: HTTP Basic Auth at nginx

This is the standard approach for protecting staging/test environments:

# In nginx server.conf for test environment
location / {
    auth_basic "Test Environment";
    auth_basic_user_file /etc/nginx/.htpasswd;
    # ... rest of config
}

Benefits:

Works from any device/location (phone, laptop, anywhere)
No code changes required (nginx config only)
Browsers cache credentials for convenience
Can share access with testers by giving them the password
Easy to toggle per environment
Industry-standard approach for staging environments

For your CORS scenario (localhost → test API):
The DEV_CORS_ORIGIN concept is still useful and separate from access control. When running locally against test services, you need CORS to allow http://localhost:3000 to call https://test.api.codingwithclaude.dev.

Claude is asking...

Test AuthFor protecting the test website, would you like to use HTTP Basic Auth at nginx (recommended), or keep exploring code-level options?

nginx Basic Auth (Recommended)- Configure at nginx level, no code changes needed

Keep IP whitelisting- Continue with DEV_MACHINES approach despite limitations

Other approach- Want to explore a different solution

Dev CORSShould we keep DEV_CORS_ORIGIN + DEV_MACHINES for the 'localhost → test API' CORS scenario, or simplify to something else?

Keep DEV_CORS_ORIGIN (Recommended)- Useful for local dev against test services

Remove entirely- Will configure CORS differently when needed

Simplify implementation- Keep concept but clean up the code

Developer Response

Q: For protecting the test website, would you like to use HTTP Basic Auth at nginx (recommended), or keep exploring code-level options?

A: "Yes, let's use nginx basic auth. fyi: I think that the uri for the api will be https://test.codingwithclaude.dev/api/v1 rather than https://test.api.codingwithclaude.dev since I don't want to create a separate dns record for each service"

Q: Should we keep DEV_CORS_ORIGIN + DEV_MACHINES for the 'localhost → test API' CORS scenario, or simplify to something else?

A: "Keep DEV_CORS_ORIGIN (Recommended)"

Excellent. Now I have all the information needed to create a plan. Let me update the plan file.

Let me verify the configuration helper has devMachines so I include it correctly in the plan.

Good - devMachines isn't actually in configuration.ts. It's only referenced in documentation/examples. Let me update the plan to be accurate.

Let me verify I haven't missed any devMachines references.

Found more files. Let me update the plan to be complete.

Let me read the final plan to verify it's complete.

The plan is complete. Here's a summary:

Summary

Problem: DEV_MACHINES, DEV_CORS_ORIGIN, and hard-coded Docker IPs in cors.ts needed review.

Decisions Made:

Test environment protection: Use nginx Basic Auth (configured separately, not code changes)
CORS for localhost dev: Keep DEV_CORS_ORIGIN, but simplify - just check origin header, no IP validation
Remove DEV_MACHINES: IP checking is unnecessary for CORS (browsers enforce origin headers)
Remove hard-coded Docker IPs: cwc-api/cwc-content don't exist yet

Files to modify: 16 files across cwc-backend-utils, cwc-auth, cwc-storage, cwc-sql, and cwc-configuration-helper

Key insight: CORS origin headers cannot be forged by browsers, so checking the origin alone is sufficient. The IP check was defense-in-depth but added friction without real security benefit.

Exited plan mode

Work interrupted

before we start, your comment "CORS origin headers cannot be forged by browsers" - what if we were also building a mobile app? would you recommend an alternate approach?

Excellent question. Here's the key distinction:

CORS and Mobile Apps

CORS is a browser-only security mechanism. Mobile apps (iOS, Android, React Native, Flutter) are NOT restricted by CORS - they can set any headers they want, including Origin.

This means:

A malicious mobile app could forge Origin: http://localhost:3000
But this was always true, even with IP whitelisting
CORS was never designed to protect APIs from native apps

How APIs Are Actually Protected

Attack Vector	Protection
Malicious website	CORS origin checking (browser-enforced)
Malicious mobile app	JWT authentication
Random internet user on test env	nginx Basic Auth
Unauthorized API access	JWT + authorization checks

For your API endpoints:

JWT authentication is the real security layer (required for all meaningful API calls)
devCorsOrigin just tells the browser "it's okay to let localhost:3000 make requests"
A mobile app would authenticate the same way (JWT) without needing CORS headers

If Building a Mobile App

Your current architecture already supports it:

User authenticates (gets JWT from cwc-auth)
App includes JWT in Authorization header
API validates JWT (already implemented)
CORS headers are simply ignored by mobile apps

Recommendation: The plan is still sound. The devCorsOrigin simplification doesn't weaken security - JWT is the real gate. The IP check was adding friction without meaningful protection (since native apps bypass CORS entirely anyway).

Do you want me to proceed with the plan, or would you like to discuss further?

Exited plan mode

Plan approved

Now let me update backendUtils.types.ts to remove devMachines.

I need to remove the unused parseJson import from cwc-storage loadConfig.ts.

All typechecks pass.

Summary

Successfully cleaned up the CORS implementation and removed DEV_MACHINES configuration.

Changes Made

cwc-backend-utils (4 files):

cors.ts - Simplified test-mode CORS to just check origin (removed IP extraction and hard-coded Docker IPs)
backendUtils.types.ts - Removed devMachines property from BackendUtilsConfig
CLAUDE.md - Updated CORS documentation
README.md - Removed devMachines from type docs and examples

cwc-auth (4 files):

config.types.ts - Removed devMachines
loadConfig.ts - Removed DEV_MACHINES parsing
index.ts - Removed devMachines from config mapping
config.test.ts - Removed DEV_MACHINES cleanup

cwc-storage (5 files):

config.types.ts - Removed devMachines
loadConfig.ts - Removed DEV_MACHINES parsing and unused parseJson import
index.ts - Removed devMachines from config mapping
environment.d.ts - Removed DEV_MACHINES type declaration
CLAUDE.md - Removed from env vars documentation

cwc-sql (1 file):

index.ts - Removed devMachines: undefined line

cwc-configuration-helper (2 files):

nameConverter.ts - Removed devMachines from example comment
CLAUDE.md - Removed devMachines from name conversion table

New CORS Behavior (Test Mode)

// Before: Complex IP checking
if ((isFromCwcDevMachine || isFromCwcApi || isFromCwcContent) && 
    config.devCorsOrigin && req.headers.origin === config.devCorsOrigin) { ... }

// After: Simple origin check
if (config.devCorsOrigin && req.headers.origin === config.devCorsOrigin) { ... }

All 13 packages pass typecheck ✅

Remaining Action (Out of Scope)

Configure nginx Basic Auth for the test environment (test.codingwithclaude.dev) to protect it from public access. This is an infrastructure task, not a code change.

jeff

can you provide a description of the steps involved to configure nginx Basic Auth for the test environment (test.codingwithclaude.dev) to protect it from public access please?

Claude

This is an informational request, so I'll provide the steps directly rather than using the planning workflow.

Configuring nginx Basic Auth for Test Environment

Step 1: Create Password File

On your test server, create a password file using htpasswd:

# Install apache2-utils if not already installed (provides htpasswd)
sudo apt-get install apache2-utils

# Create password file with first user
sudo htpasswd -c /etc/nginx/.htpasswd testuser

# Add additional users (without -c flag)
sudo htpasswd /etc/nginx/.htpasswd anotheruser

Step 2: Update nginx Configuration

In your nginx server block for test.codingwithclaude.dev:

server {
    listen 443 ssl;
    server_name test.codingwithclaude.dev;

    # SSL configuration...
    
    # Basic Auth for entire site
    auth_basic "Test Environment";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Your existing location blocks...
    location / {
        # proxy_pass or root directives...
    }
    
    # Optional: Exclude health check endpoints from auth
    location /health {
        auth_basic off;
        proxy_pass http://backend;
    }
}

Step 3: Test and Reload nginx

# Test configuration syntax
sudo nginx -t

# Reload nginx (no downtime)
sudo nginx -s reload

Step 4: Verify

Visit https://test.codingwithclaude.dev - browser should prompt for username/password.

Notes

Password storage: The .htpasswd file uses bcrypt or SHA hashing (not plaintext)
API calls: Your local development against test APIs will also need auth. Options:
- Include credentials in requests: curl -u testuser:password https://test.codingwithclaude.dev/api/...
- Or exclude API paths from auth if they have their own JWT protection
Browser caching: Browsers cache Basic Auth credentials for the session

Optional: Exclude API Routes

If your APIs already have JWT protection and you only want to protect the website:

# Protect website
location / {
    auth_basic "Test Environment";
    auth_basic_user_file /etc/nginx/.htpasswd;
    # ...
}

# API routes - rely on JWT auth instead
location /api/ {
    auth_basic off;
    proxy_pass http://cwc-api:5040;
}

location /auth/ {
    auth_basic off;
    proxy_pass http://cwc-auth:5005;
}

Would you like me to help with anything else related to this configuration?

jeff

Thank you! I'm testing the changes that we made earlier to the cwc-configuration-helper. In ./src/configuration.ts, I have added
values for:
devCorsOrigin
smtp
endToEndMockValues
databaseServer
databaseName
databaseConnectTimeout
databaseConnectionAcquireTimeout
databaseConnectionQueueLimit
databaseConnectionLimit
queryCacheEnabled
queryCacheTtl
queryCacheMaxKeys
Some of these values are not getting set in the unit.cwc-auth.env output file. I also added a debug statement to the generateEnvContent function to log out the values for each config property.
You can run this command to test and debug it: pnpm config-helper generate -e unit -s ~/coding-with-claude/private/cwc-secrets/configuration-helper/unit-secrets.json -o ./env-files --overwrite.
Please check the output and can you help determine why some values are not getting set?

Claude

Let me run the command to see the debug output and understand what's happening.

Tool Result

Exit code 1

> coding-with-claude-application@1.0.0 config-helper /Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application
> pnpm --filter cwc-configuration-helper "generate" "-e" "unit" "-s" "/Users/jeffbazinet/coding-with-claude/private/cwc-secrets/configuration-helper/unit-secrets.json" "-o" "./env-files" "--overwrite"


> cwc-configuration-helper@1.0.0 generate /Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-configuration-helper
> tsc && node ./dist/index.js generate "-e" "unit" "-s" "/Users/jeffbazinet/coding-with-claude/private/cwc-secrets/configuration-helper/unit-secrets.json" "-o" "./env-files" "--overwrite"


=== cwc-configuration-helper: generate ===

Monorepo root: /Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application
Loading secrets from: /Users/jeffbazinet/coding-with-claude/private/cwc-secrets/configuration-helper/unit-secrets.json
✓ Secrets loaded
Found 3 package(s) with configuration:

Processing cwc-auth...
  Config type: CwcAuthConfig
  Properties: 19
  Secrets: 2
***********************************************************
{
  prop: {
    propertyName: 'servicePort',
    envVarName: 'SERVICE_PORT',
    tsType: 'number',
    isOptional: false,
    isSecret: false,
    comment: undefined
  },
  environment: 'unit',
  centralConfig: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: false,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude'
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5,
    queryCacheMaxKeys: 1000,
    port: 5005,
    rateLimiter: { points: 15, duration: 1 },
    endToEndTestingMockValues: undefined
  },
  result: { value: '5005' }
}
***********************************************************
{
  prop: {
    propertyName: 'corsOrigin',
    envVarName: 'CORS_ORIGIN',
    tsType: 'string',
    isOptional: false,
    isSecret: false,
    comment: 'Security'
  },
  environment: 'unit',
  centralConfig: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: false,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude'
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5,
    queryCacheMaxKeys: 1000,
    port: 5005,
    rateLimiter: { points: 15, duration: 1 },
    endToEndTestingMockValues: undefined
  },
  result: { value: '*' }
}
getDefaultValue {
  name: 'devcorsorigin',
  prop: {
    propertyName: 'devCorsOrigin',
    envVarName: 'DEV_CORS_ORIGIN',
    tsType: 'string',
    isOptional: false,
    isSecret: false,
    comment: 'Development settings'
  }
}
***********************************************************
{
  prop: {
    propertyName: 'devCorsOrigin',
    envVarName: 'DEV_CORS_ORIGIN',
    tsType: 'string',
    isOptional: false,
    isSecret: false,
    comment: 'Development settings'
  },
  environment: 'unit',
  centralConfig: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: false,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude'
    },
    endToEndMockValues:

... [55896 characters truncated] ...

: { points: 15, duration: 1 },
    endToEndTestingMockValues: undefined
  },
  result: { value: 'OFF' }
}
***********************************************************
{
  prop: {
    propertyName: 'storageVolumePath',
    envVarName: 'STORAGE_VOLUME_PATH',
    tsType: 'string',
    isOptional: false,
    isSecret: false,
    comment: 'Storage-specific settings'
  },
  environment: 'unit',
  centralConfig: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: false,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude'
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5,
    queryCacheMaxKeys: 1000,
    port: 5030,
    rateLimiter: { points: 15, duration: 1 },
    endToEndTestingMockValues: undefined
  },
  result: {
    value: '<PATH>',
    missing: {
      envVarName: 'STORAGE_VOLUME_PATH',
      propertyName: 'storageVolumePath',
      type: 'regular',
      tsType: 'string',
      reason: 'no path value configured'
    }
  }
}
***********************************************************
{
  prop: {
    propertyName: 'logPath',
    envVarName: 'LOG_PATH',
    tsType: 'string',
    isOptional: false,
    isSecret: false,
    comment: undefined
  },
  environment: 'unit',
  centralConfig: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: false,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude'
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5,
    queryCacheMaxKeys: 1000,
    port: 5030,
    rateLimiter: { points: 15, duration: 1 },
    endToEndTestingMockValues: undefined
  },
  result: {
    value: '<PATH>',
    missing: {
      envVarName: 'LOG_PATH',
      propertyName: 'logPath',
      type: 'regular',
      tsType: 'string',
      reason: 'no path value configured'
    }
  }
}
  ✓ Generated: env-files/unit.cwc-storage.env
  ⚠ 4 missing value(s)

=== Error: Missing configuration values detected ===

Package: cwc-auth
  - DEV_CORS_ORIGIN (string): no CORS origin configured for unit environment
  - END_TO_END_MOCK_VALUES (Record | undefined): no value configured

Package: cwc-sql
  - DATABASE_SERVER (string): no value configured
  - DATABASE_NAME (string): no value configured
  - DATABASE_CONNECT_TIMEOUT (number): no numeric value configured
  - DATABASE_CONNECTION_ACQUIRE_TIMEOUT (number): no numeric value configured
  - DATABASE_CONNECTION_QUEUE_LIMIT (number): no numeric value configured
  - DATABASE_CONNECTION_LIMIT (number): no numeric value configured
  - QUERY_CACHE_TTL (number): no numeric value configured
  - QUERY_CACHE_MAX_KEYS (number): no numeric value configured
  - END_TO_END_MOCK_VALUES (Record): no value configured

Package: cwc-storage
  - DEV_CORS_ORIGIN (string): no CORS origin configured for unit environment
  - STORAGE_VOLUME_PATH (string): no path value configured
  - LOG_PATH (string): no path value configured
  - STORAGE_API_KEY (secret): not found in secrets file

Total: 15 missing value(s) across 3 package(s)

Please update your secrets file: /Users/jeffbazinet/coding-with-claude/private/cwc-secrets/configuration-helper/unit-secrets.json

/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-configuration-helper:
 ERR_PNPM_RECURSIVE_RUN_FIRST_FAIL  cwc-configuration-helper@1.0.0 generate: `tsc && node ./dist/index.js generate "-e" "unit" "-s" "/Users/jeffbazinet/coding-with-claude/private/cwc-secrets/configuration-helper/unit-secrets.json" "-o" "./env-files" "--overwrite"`
Exit status 1
 ELIFECYCLE  Command failed with exit code 1.

I can see the issue from the debug output. Looking at the getDefaultValue log:

getDefaultValue {
  name: 'devcorsorigin',  // lowercase
  prop: {
    propertyName: 'devCorsOrigin',  // camelCase
    ...
  }
}

The lookup is using lowercase 'devcorsorigin' but the centralConfig has the property as camelCase devCorsOrigin. Let me check the envGenerator.ts to understand the logic.

Tool Result

     1→/**
     2→ * Environment file generator
     3→ *
     4→ * Generates .env files from parsed configuration types
     5→ */
     6→
     7→import fs from 'fs';
     8→import path from 'path';
     9→import type {
    10→  ConfigProperty,
    11→  GenerationResult,
    12→  MissingValue,
    13→  PackageConfig,
    14→  RuntimeEnvironment,
    15→  SecretsFile,
    16→} from './types.js';
    17→import { getConfig, isKnownService, type ServiceConfigValues } from './configuration.js';
    18→
    19→/**
    20→ * Options for generating .env content
    21→ */
    22→export type EnvGeneratorOptions = {
    23→  /** Runtime environment */
    24→  environment: RuntimeEnvironment;
    25→  /** Secrets data loaded from secrets file */
    26→  secrets?: SecretsFile | undefined;
    27→};
    28→
    29→/**
    30→ * Result of getting a value, including whether it's missing
    31→ */
    32→type ValueResult = {
    33→  value: string;
    34→  missing?: MissingValue | undefined;
    35→};
    36→
    37→/**
    38→ * Generates .env file content for a package
    39→ *
    40→ * @param config Parsed package configuration
    41→ * @param options Generator options
    42→ * @returns GenerationResult with content and any missing values
    43→ */
    44→export function generateEnvContent(
    45→  config: PackageConfig,
    46→  options: EnvGeneratorOptions
    47→): GenerationResult {
    48→  const lines: string[] = [];
    49→  const missingValues: MissingValue[] = [];
    50→  const { environment, secrets } = options;
    51→
    52→  // Get centralized config if this is a known service
    53→  const centralConfig = isKnownService(config.packageName)
    54→    ? getConfig(environment, config.packageName)
    55→    : undefined;
    56→
    57→  // Runtime environment (always first)
    58→  lines.push('# Runtime Environment');
    59→  lines.push(`RUNTIME_ENVIRONMENT=${environment}`);
    60→  lines.push('');
    61→
    62→  // Group non-secret properties by category (based on naming patterns)
    63→  const categorized = categorizeProperties(config.properties);
    64→
    65→  for (const [category, props] of Object.entries(categorized)) {
    66→    if (props.length === 0) continue;
    67→
    68→    lines.push(`# ${category}`);
    69→    for (const prop of props) {
    70→      const result = getDefaultValue(prop, environment, centralConfig);
    71→
    72→      console.log('***********************************************************');
    73→      console.log({ prop, environment, centralConfig, result });
    74→
    75→      lines.push(`${prop.envVarName}=${result.value}`);
    76→      if (result.missing) {
    77→        missingValues.push(result.missing);
    78→      }
    79→    }
    80→    lines.push('');
    81→  }
    82→
    83→  // Secrets section
    84→  if (config.secrets.length > 0) {
    85→    lines.push('# Secrets');
    86→    for (const prop of config.secrets) {
    87→      const result = getSecretValue(prop, secrets);
    88→      lines.push(`${prop.envVarName}=${result.value}`);
    89→      if (result.missing) {
    90→        missingValues.push(result.missing);
    91→      }
    92→    }
    93→    lines.push('');
    94→  }
    95→
    96→  return {
    97→    content: lines.join('\n'),
    98→    missingValues,
    99→  };
   100→}
   101→
   102→/**
   103→ * Writes .env file to disk
   104→ *
   105→ * @param content .env file content
   106→ * @param outputPath Output file path
   107→ * @param overwrite Whether to overwrite existing file
   108→ */
   109→export function writeEnvFile(content: string, outputPath: string, overwrite: boolean): void {
   110→  const dir = path.dirname(outputPath);
   111→
   112→  // Create directory if it doesn't exist
   113→  if (!fs.existsSync(dir)) {
   114→    fs.mkdirSync(dir, { recursive: true });
   115→  }
   116→
   117→  // Check if file exists and overwrite flag
   118→  if (fs.existsSync(outputPath) && !overwrite) {
   119→    throw new Error(`File ${outputPath} already exists. Use --overwrite to replace it.`);
   120→  }
   121→
   122→  fs.writeFileSync(outputPath, content, 'utf-8');
   123→}
   124→
   125→/**
   126→ * Loads secrets from a JSON file
   127→ *
   128→ * @param secretsPath Path to secrets JSON file
   129→ * @returns Parsed secrets file
   130→ */
   131→export function loadSecretsFile(secretsPath: string): SecretsFile {
   132→  if (!fs.existsSync(secretsPath)) {
   133→    throw new Error(`Secrets file not found: ${secretsPath}`);
   134→  }
   135→
   136→  const content = fs.readFileSync(secretsPath, 'utf-8');
   137→  try {
   138→    return JSON.parse(content) as SecretsFile;
   139→  } catch (error) {
   140→    throw new Error(`Failed to parse secrets file ${secretsPath}: ${error}`);
   141→  }
   142→}
   143→
   144→/**
   145→ * Categorizes properties into logical groups
   146→ */
   147→function categorizeProperties(properties: ConfigProperty[]): Record<string, ConfigProperty[]> {
   148→  const categories: Record<string, ConfigProperty[]> = {
   149→    Service: [],
   150→    Security: [],
   151→    'Rate Limiting': [],
   152→    Database: [],
   153→    JWT: [],
   154→    SMTP: [],
   155→    Development: [],
   156→    Debugging: [],
   157→    Storage: [],
   158→    Logging: [],
   159→    Other: [],
   160→  };
   161→
   162→  for (const prop of properties) {
   163→    const category = inferCategory(prop);
   164→    if (categories[category]) {
   165→      categories[category].push(prop);
   166→    } else {
   167→      categories['Other']?.push(prop);
   168→    }
   169→  }
   170→
   171→  return categories;
   172→}
   173→
   174→/**
   175→ * Infers category from property name
   176→ */
   177→function inferCategory(prop: ConfigProperty): string {
   178→  const name = prop.propertyName.toLowerCase();
   179→
   180→  if (name.includes('port') || name === 'serviceport') return 'Service';
   181→  if (name.includes('cors') || name.includes('allowed')) return 'Security';
   182→  if (name.includes('ratelimiter')) return 'Rate Limiting';
   183→  if (name.includes('database') || (name.includes('data') && name.includes('uri')))
   184→    return 'Database';
   185→  if (name.includes('jwt')) return 'JWT';
   186→  if (name.includes('smtp')) return 'SMTP';
   187→  if (name.includes('dev') || name.includes('development')) return 'Development';
   188→  if (name.includes('debug')) return 'Debugging';
   189→  if (name.includes('storage') || name.includes('volume')) return 'Storage';
   190→  if (name.includes('log')) return 'Logging';
   191→
   192→  return 'Other';
   193→}
   194→
   195→/**
   196→ * Maps a property name to its value from centralized config
   197→ */
   198→function getValueFromCentralConfig(
   199→  propName: string,
   200→  config: ServiceConfigValues
   201→): string | undefined {
   202→  // Direct property mappings
   203→  const directMappings: Record<string, unknown> = {
   204→    servicePort: config.port,
   205→    corsOrigin: config.corsOrigin,
   206→    dataUri: config.dataUri,
   207→    storageUri: config.storageUri,
   208→    authUri: config.authUri,
   209→    appUrl: config.appUrl,
   210→    debugMode: config.debugMode,
   211→    logErrorsToDatabase: config.logErrorsToDatabase,
   212→    userJwtExpiresIn: config.userJwtExpiresIn,
   213→    userJwtExpiresInKulo: config.userJwtExpiresInKulo,
   214→    tempJwtExpiresIn: config.tempJwtExpiresIn,
   215→  };
   216→
   217→  // Rate limiter mappings
   218→  if (propName === 'rateLimiterPoints' && config.rateLimiter) {
   219→    return String(config.rateLimiter.points);
   220→  }
   221→  if (propName === 'rateLimiterDuration' && config.rateLimiter) {
   222→    return String(config.rateLimiter.duration);
   223→  }
   224→
   225→  // SMTP mappings (flatten nested smtp object)
   226→  if (config.smtp) {
   227→    const smtpMappings: Record<string, unknown> = {
   228→      smtpUseSandbox: config.smtp.useSandbox,
   229→      smtpSandboxAddress: config.smtp.sandboxAddress,
   230→      smtpServiceName: config.smtp.serviceName,
   231→      smtpAuthType: config.smtp.authType,
   232→      smtpSenderAddress: config.smtp.senderAddress,
   233→      smtpSenderName: config.smtp.senderName,
   234→    };
   235→    if (propName in smtpMappings) {
   236→      const value = smtpMappings[propName];
   237→      if (typeof value === 'boolean') {
   238→        return value ? 'ON' : 'OFF';
   239→      }
   240→      return value !== undefined ? String(value) : undefined;
   241→    }
   242→  }
   243→
   244→  // Check direct mappings
   245→  if (propName in directMappings) {
   246→    const value = directMappings[propName];
   247→    if (value === undefined) return undefined;
   248→
   249→    // Convert booleans to ON/OFF
   250→    if (typeof value === 'boolean') {
   251→      return value ? 'ON' : 'OFF';
   252→    }
   253→
   254→    return String(value);
   255→  }
   256→
   257→  return undefined;
   258→}
   259→
   260→/**
   261→ * Gets default value for a property based on type, environment, and centralized config
   262→ * Returns ValueResult with the value and optional missing info if using a placeholder
   263→ */
   264→function getDefaultValue(
   265→  prop: ConfigProperty,
   266→  environment: RuntimeEnvironment,
   267→  centralConfig: ServiceConfigValues | undefined
   268→): ValueResult {
   269→  // If we have a default value from parsing, use it
   270→  if (prop.defaultValue !== undefined) {
   271→    return { value: prop.defaultValue };
   272→  }
   273→
   274→  // Try to get value from centralized config first
   275→  if (centralConfig) {
   276→    const configValue = getValueFromCentralConfig(prop.propertyName, centralConfig);
   277→    if (configValue !== undefined) {
   278→      return { value: configValue };
   279→    }
   280→  }
   281→
   282→  // Fallback: provide reasonable defaults based on type and name
   283→  const name = prop.propertyName.toLowerCase();
   284→
   285→  // Boolean defaults - these have sensible defaults, not considered "missing"
   286→  if (prop.tsType === 'boolean') {
   287→    if (name.includes('debug')) {
   288→      return { value: environment === 'dev' ? 'ON' : 'OFF' };
   289→    }
   290→    if (name.includes('log')) {
   291→      return { value: environment === 'prod' ? 'ON' : 'OFF' };
   292→    }
   293→    return { value: 'OFF' };
   294→  }
   295→
   296→  // Number defaults
   297→  if (prop.tsType === 'number') {
   298→    if (name.includes('points')) {
   299→      return { value: '15' };
   300→    }
   301→    if (name.includes('duration')) {
   302→      return { value: '1' };
   303→    }
   304→    // Port and other numbers need to be provided
   305→    if (name.includes('port')) {
   306→      return {
   307→        value: '<PORT>',
   308→        missing: {
   309→          envVarName: prop.envVarName,
   310→          propertyName: prop.propertyName,
   311→          type: 'regular',
   312→          tsType: prop.tsType,
   313→          reason: 'no port value configured',
   314→        },
   315→      };
   316→    }
   317→    return {
   318→      value: '<NUMBER>',
   319→      missing: {
   320→        envVarName: prop.envVarName,
   321→        propertyName: prop.propertyName,
   322→        type: 'regular',
   323→        tsType: prop.tsType,
   324→        reason: 'no numeric value configured',
   325→      },
   326→    };
   327→  }
   328→
   329→  // Array defaults - empty array is a reasonable default
   330→  if (prop.tsType.includes('[]')) {
   331→    return { value: '[]' };
   332→  }
   333→
   334→  // String defaults
   335→  if (prop.tsType === 'string') {
   336→    // Dev environment allows wildcard CORS
   337→    if (name.includes('origin') && environment === 'dev') {
   338→      return { value: '*' };
   339→    }
   340→    // Expires has a sensible default
   341→    if (name.includes('expires')) {
   342→      return { value: '15m' };
   343→    }
   344→
   345→    // These need to be provided
   346→    if (name.includes('origin')) {
   347→      console.log('getDefaultValue', { name, prop });
   348→      return {
   349→        value: '<CORS_ORIGIN>',
   350→        missing: {
   351→          envVarName: prop.envVarName,
   352→          propertyName: prop.propertyName,
   353→          type: 'regular',
   354→          tsType: prop.tsType,
   355→          reason: `no CORS origin configured for ${environment} environment`,
   356→        },
   357→      };
   358→    }
   359→    if (name.includes('path')) {
   360→      return {
   361→        value: '<PATH>',
   362→        missing: {
   363→          envVarName: prop.envVarName,
   364→          propertyName: prop.propertyName,
   365→          type: 'regular',
   366→          tsType: prop.tsType,
   367→          reason: 'no path value configured',
   368→        },
   369→      };
   370→    }
   371→    if (name.includes('uri')) {
   372→      return {
   373→        value: '<URI>',
   374→        missing: {
   375→          envVarName: prop.envVarName,
   376→          propertyName: prop.propertyName,
   377→          type: 'regular',
   378→          tsType: prop.tsType,
   379→          reason: 'no URI value configured',
   380→        },
   381→      };
   382→    }
   383→    return {
   384→      value: '<VALUE>',
   385→      missing: {
   386→        envVarName: prop.envVarName,
   387→        propertyName: prop.propertyName,
   388→        type: 'regular',
   389→        tsType: prop.tsType,
   390→        reason: 'no value configured',
   391→      },
   392→    };
   393→  }
   394→
   395→  return {
   396→    value: '<VALUE>',
   397→    missing: {
   398→      envVarName: prop.envVarName,
   399→      propertyName: prop.propertyName,
   400→      type: 'regular',
   401→      tsType: prop.tsType,
   402→      reason: 'no value configured',
   403→    },
   404→  };
   405→}
   406→
   407→/**
   408→ * Gets secret value from secrets file or returns missing info
   409→ *
   410→ * Looks up the env var name directly in the flat secrets structure.
   411→ * The same secret value is used across all packages that need it.
   412→ */
   413→function getSecretValue(prop: ConfigProperty, secrets?: SecretsFile): ValueResult {
   414→  const secretValue = secrets?.[prop.envVarName];
   415→  if (secretValue !== undefined) {
   416→    return { value: secretValue };
   417→  }
   418→
   419→  // Return placeholder and mark as missing
   420→  return {
   421→    value: `<SECRET:${prop.envVarName}>`,
   422→    missing: {
   423→      envVarName: prop.envVarName,
   424→      propertyName: prop.propertyName,
   425→      type: 'secret',
   426→      tsType: prop.tsType,
   427→      reason: 'not found in secrets file',
   428→    },
   429→  };
   430→}
   431→
   432→/**
   433→ * Generates the output path for a .env file
   434→ *
   435→ * @param packageName Package name
   436→ * @param environment Runtime environment
   437→ * @param outputDir Base output directory
   438→ * @returns Full output path
   439→ */
   440→export function getEnvOutputPath(
   441→  packageName: string,
   442→  environment: RuntimeEnvironment,
   443→  outputDir: string
   444→): string {
   445→  // Pattern: {outputDir}/{environment}.{packageName}.env
   446→  // e.g., ./env-files/dev.cwc-sql.env
   447→  const filename = `${environment}.${packageName}.env`;
   448→  return path.join(outputDir, filename);
   449→}
   450→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

I found the issue. The getValueFromCentralConfig function in envGenerator.ts has a hardcoded directMappings object that only maps a subset of properties. The new properties you added to configuration.ts are not included in this mapping.

Let me check what properties are available in the ServiceConfigValues type.

Tool Result

     1→import type { RuntimeEnvironment } from 'cwc-types';
     2→
     3→/*
     4→----------------------------------------------------------
     5→Service Configuration
     6→----------------------------------------------------------
     7→
     8→Service ports (used for both Docker and localhost development):
     9→
    10→service               port
    11→-------               ----
    12→cwc-admin-api         5004
    13→cwc-auth              5005
    14→cwc-content           5008
    15→cwc-sql               5020
    16→cwc-storage           5030
    17→cwc-api               5040
    18→cwc-website           (nginx)
    19→cwc-dashboard         (nginx)
    20→
    21→For Docker Compose deployments, services communicate via DNS names (e.g., cwc-sql:5020).
    22→For localhost development, services communicate via localhost (e.g., localhost:5020).
    23→
    24→See docker-compose-upgrade.md in cwc-deployment for migration details.
    25→*/
    26→
    27→export type RuntimeConfigValues = {
    28→  corsOrigin: string;
    29→  devCorsOrigin: string;
    30→  authUri: string;
    31→  dataUri: string;
    32→  storageUri: string;
    33→  appUrl: string;
    34→  debugMode: boolean; // maps to ON | OFF
    35→  logErrorsToDatabase: boolean; // maps to ON | OFF
    36→  userJwtExpiresIn: string;
    37→  userJwtExpiresInKulo: string;
    38→  tempJwtExpiresIn: string;
    39→  smtp:
    40→    | {
    41→        useSandbox: boolean; // maps to ON | OFF
    42→        sandboxAddress: string; // recipient email when sandbox is ON
    43→        serviceName: string;
    44→        authType: string; // OAuth2
    45→        senderAddress: string;
    46→        senderName: string;
    47→      }
    48→    | undefined;
    49→  endToEndMockValues: Record<string, string> | undefined;
    50→  databaseServer: string;
    51→  databaseName: string;
    52→  databaseConnectTimeout: number;
    53→  databaseConnectionAcquireTimeout: number;
    54→  databaseConnectionQueueLimit: number;
    55→  databaseConnectionLimit: number;
    56→  queryCacheEnabled: boolean;
    57→  queryCacheTtl: number; // minutes
    58→  queryCacheMaxKeys: number;
    59→};
    60→
    61→type RuntimeConfigs = Record<RuntimeEnvironment, RuntimeConfigValues>;
    62→
    63→const runtimeConfigs: RuntimeConfigs = {
    64→  prod: {
    65→    corsOrigin: 'codingwithclaude.dev',
    66→    devCorsOrigin: 'http://localhost:3000',
    67→    authUri: 'http://cwc-auth:5005/auth/v1',
    68→    dataUri: 'http://cwc-sql:5020/data/v1',
    69→    storageUri: 'http://cwc-storage:5030/storage/v1',
    70→    logErrorsToDatabase: true,
    71→    userJwtExpiresIn: '15m',
    72→    userJwtExpiresInKulo: '30d',
    73→    tempJwtExpiresIn: '5m',
    74→    appUrl: 'https://codingwithclaude.dev',
    75→    debugMode: false,
    76→    smtp: {
    77→      useSandbox: false,
    78→      sandboxAddress: 'sandbox@codingwithclaude.dev',
    79→      serviceName: 'gmail',
    80→      authType: 'OAuth2',
    81→      senderAddress: 'support@codingwithclaude.dev',
    82→      senderName: 'Coding with Claude',
    83→    },
    84→    endToEndMockValues: undefined,
    85→    databaseServer: 'cwc-database',
    86→    databaseName: 'cwc',
    87→    databaseConnectTimeout: 10000,
    88→    databaseConnectionAcquireTimeout: 30000,
    89→    databaseConnectionQueueLimit: 1000,
    90→    databaseConnectionLimit: 20,
    91→    queryCacheEnabled: true,
    92→    queryCacheTtl: 5, // minutes
    93→    queryCacheMaxKeys: 1000,
    94→  },
    95→  test: {
    96→    corsOrigin: 'test.codingwithclaude.dev',
    97→    devCorsOrigin: 'http://localhost:3000',
    98→    authUri: 'http://cwc-auth:5005/auth/v1',
    99→    dataUri: 'http://cwc-sql:5020/data/v1',
   100→    storageUri: 'http://cwc-storage:5030/storage/v1',
   101→    logErrorsToDatabase: true,
   102→    userJwtExpiresIn: '15m',
   103→    userJwtExpiresInKulo: '30d',
   104→    tempJwtExpiresIn: '5m',
   105→    appUrl: 'https://test.codingwithclaude.dev',
   106→    debugMode: false,
   107→    smtp: {
   108→      useSandbox: true,
   109→      sandboxAddress: 'sandbox@codingwithclaude.dev',
   110→      serviceName: 'gmail',
   111→      authType: 'OAuth2',
   112→      senderAddress: 'support@codingwithclaude.dev',
   113→      senderName: 'Coding with Claude',
   114→    },
   115→    endToEndMockValues: undefined,
   116→    databaseServer: 'cwc-database',
   117→    databaseName: 'cwc',
   118→    databaseConnectTimeout: 10000,
   119→    databaseConnectionAcquireTimeout: 30000,
   120→    databaseConnectionQueueLimit: 1000,
   121→    databaseConnectionLimit: 20,
   122→    queryCacheEnabled: true,
   123→    queryCacheTtl: 5, // minutes
   124→    queryCacheMaxKeys: 1000,
   125→  },
   126→  dev: {
   127→    corsOrigin: '*',
   128→    devCorsOrigin: 'http://localhost:3000',
   129→    authUri: 'http://localhost:5005/auth/v1',
   130→    dataUri: 'http://localhost:5020/data/v1',
   131→    storageUri: 'http://localhost:5030/storage/v1',
   132→    logErrorsToDatabase: true,
   133→    userJwtExpiresIn: '15m',
   134→    userJwtExpiresInKulo: '30d',
   135→    tempJwtExpiresIn: '5m',
   136→    appUrl: 'http://localhost:3000',
   137→    debugMode: false,
   138→    smtp: {
   139→      useSandbox: true,
   140→      sandboxAddress: 'sandbox@codingwithclaude.dev',
   141→      serviceName: 'gmail',
   142→      authType: 'OAuth2',
   143→      senderAddress: 'support@codingwithclaude.dev',
   144→      senderName: 'Coding with Claude',
   145→    },
   146→    endToEndMockValues: undefined,
   147→    databaseServer: 'cwc-database',
   148→    databaseName: 'cwc',
   149→    databaseConnectTimeout: 10000,
   150→    databaseConnectionAcquireTimeout: 30000,
   151→    databaseConnectionQueueLimit: 1000,
   152→    databaseConnectionLimit: 20,
   153→    queryCacheEnabled: true,
   154→    queryCacheTtl: 5, // minutes
   155→    queryCacheMaxKeys: 1000,
   156→  },
   157→  unit: {
   158→    corsOrigin: '*',
   159→    devCorsOrigin: 'http://localhost:3000',
   160→    authUri: 'http://localhost:5005/auth/v1',
   161→    dataUri: 'http://localhost:5020/data/v1',
   162→    storageUri: 'http://localhost:5030/storage/v1',
   163→    logErrorsToDatabase: false,
   164→    userJwtExpiresIn: '15m',
   165→    userJwtExpiresInKulo: '30d',
   166→    tempJwtExpiresIn: '5m',
   167→    appUrl: 'http://localhost:3000',
   168→    debugMode: false,
   169→    smtp: {
   170→      useSandbox: true,
   171→      sandboxAddress: 'sandbox@codingwithclaude.dev',
   172→      serviceName: 'gmail',
   173→      authType: 'OAuth2',
   174→      senderAddress: 'support@codingwithclaude.dev',
   175→      senderName: 'Coding with Claude',
   176→    },
   177→    endToEndMockValues: undefined,
   178→    databaseServer: 'cwc-database',
   179→    databaseName: 'cwc',
   180→    databaseConnectTimeout: 10000,
   181→    databaseConnectionAcquireTimeout: 30000,
   182→    databaseConnectionQueueLimit: 1000,
   183→    databaseConnectionLimit: 20,
   184→    queryCacheEnabled: true,
   185→    queryCacheTtl: 5, // minutes
   186→    queryCacheMaxKeys: 1000,
   187→  },
   188→  e2e: {
   189→    corsOrigin: '*',
   190→    devCorsOrigin: 'http://localhost:3000',
   191→    authUri: 'http://localhost:5005/auth/v1',
   192→    dataUri: 'http://localhost:5020/data/v1',
   193→    storageUri: 'http://localhost:5030/storage/v1',
   194→    logErrorsToDatabase: false,
   195→    userJwtExpiresIn: '15m',
   196→    userJwtExpiresInKulo: '30d',
   197→    tempJwtExpiresIn: '5m',
   198→    appUrl: 'http://localhost:3000',
   199→    debugMode: false,
   200→    smtp: {
   201→      useSandbox: true,
   202→      sandboxAddress: 'sandbox@codingwithclaude.dev',
   203→      serviceName: 'gmail',
   204→      authType: 'OAuth2',
   205→      senderAddress: 'support@codingwithclaude.dev',
   206→      senderName: 'Coding with Claude',
   207→    },
   208→    endToEndMockValues: {
   209→      testValue: 'just a test',
   210→    },
   211→    databaseServer: 'cwc-database',
   212→    databaseName: 'cwc',
   213→    databaseConnectTimeout: 10000,
   214→    databaseConnectionAcquireTimeout: 30000,
   215→    databaseConnectionQueueLimit: 1000,
   216→    databaseConnectionLimit: 20,
   217→    queryCacheEnabled: true,
   218→    queryCacheTtl: 5, // minutes
   219→    queryCacheMaxKeys: 1000,
   220→  },
   221→};
   222→
   223→// Services can optionally override runtime config values
   224→export type ServiceConfigValues = Partial<RuntimeConfigValues> & {
   225→  // The port that the service listens on
   226→  port: number | undefined;
   227→
   228→  // Rate limiting configuration
   229→  rateLimiter:
   230→    | {
   231→        // Rate Limiter Example: 100 points / 60 seconds = max 100 requests per minute per IP
   232→        points: number; // Maximum number of requests allowed per duration
   233→        duration: number; // Time window in seconds
   234→      }
   235→    | undefined;
   236→
   237→  // Services may provide mock values for end to end testing
   238→  endToEndTestingMockValues: string | undefined;
   239→};
   240→
   241→export type ServiceName =
   242→  | 'cwc-api'
   243→  | 'cwc-auth'
   244→  | 'cwc-sql'
   245→  | 'cwc-storage'
   246→  | 'cwc-website'
   247→  | 'cwc-dashboard'
   248→  | 'cwc-content'
   249→  | 'cwc-admin-api';
   250→
   251→type ServiceConfigs = Record<ServiceName, ServiceConfigValues>;
   252→
   253→const serviceConfigs: ServiceConfigs = {
   254→  'cwc-api': {
   255→    port: 5040,
   256→    rateLimiter: {
   257→      points: 15,
   258→      duration: 1,
   259→    },
   260→    endToEndTestingMockValues: undefined,
   261→  },
   262→  'cwc-auth': {
   263→    port: 5005,
   264→    rateLimiter: {
   265→      points: 15,
   266→      duration: 1,
   267→    },
   268→    endToEndTestingMockValues: undefined,
   269→  },
   270→  'cwc-sql': {
   271→    port: 5020,
   272→    rateLimiter: undefined,
   273→    endToEndTestingMockValues: undefined,
   274→  },
   275→  'cwc-storage': {
   276→    port: 5030,
   277→    rateLimiter: {
   278→      points: 15,
   279→      duration: 1,
   280→    },
   281→    endToEndTestingMockValues: undefined,
   282→  },
   283→  'cwc-website': {
   284→    port: undefined,
   285→    rateLimiter: undefined,
   286→    endToEndTestingMockValues: undefined,
   287→  },
   288→  'cwc-dashboard': {
   289→    port: undefined,
   290→    rateLimiter: undefined,
   291→    endToEndTestingMockValues: undefined,
   292→  },
   293→  'cwc-content': {
   294→    port: 5008,
   295→    rateLimiter: {
   296→      points: 15,
   297→      duration: 1,
   298→    },
   299→    endToEndTestingMockValues: undefined,
   300→  },
   301→  'cwc-admin-api': {
   302→    port: 5004,
   303→    rateLimiter: {
   304→      points: 15,
   305→      duration: 1,
   306→    },
   307→    endToEndTestingMockValues: undefined,
   308→  },
   309→};
   310→
   311→/**
   312→ * Gets the merged configuration for a service in a specific runtime environment.
   313→ * Service-specific values override runtime defaults.
   314→ */
   315→export const getConfig = (
   316→  runtimeEnv: RuntimeEnvironment,
   317→  serviceName: ServiceName
   318→): ServiceConfigValues => {
   319→  const runtimeValues = runtimeConfigs[runtimeEnv];
   320→  const serviceValues = serviceConfigs[serviceName];
   321→
   322→  // Allow serviceValues to override runtimeValues
   323→  return {
   324→    ...runtimeValues,
   325→    ...serviceValues,
   326→  };
   327→};
   328→
   329→/**
   330→ * Checks if a package name is a known service
   331→ */
   332→export const isKnownService = (packageName: string): packageName is ServiceName => {
   333→  return packageName in serviceConfigs;
   334→};
   335→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

I found the root cause. The getValueFromCentralConfig function in envGenerator.ts has a hardcoded directMappings object that only includes a subset of properties. The new properties you added to RuntimeConfigValues in configuration.ts are not mapped.

Current directMappings (lines 203-215):

const directMappings: Record<string, unknown> = {
  servicePort: config.port,
  corsOrigin: config.corsOrigin,
  dataUri: config.dataUri,
  storageUri: config.storageUri,
  authUri: config.authUri,
  appUrl: config.appUrl,
  debugMode: config.debugMode,
  logErrorsToDatabase: config.logErrorsToDatabase,
  userJwtExpiresIn: config.userJwtExpiresIn,
  userJwtExpiresInKulo: config.userJwtExpiresInKulo,
  tempJwtExpiresIn: config.tempJwtExpiresIn,
};

Missing mappings:

devCorsOrigin
endToEndMockValues
databaseServer
databaseName
databaseConnectTimeout
databaseConnectionAcquireTimeout
databaseConnectionQueueLimit
databaseConnectionLimit
queryCacheEnabled
queryCacheTtl
queryCacheMaxKeys

Would you like me to update envGenerator.ts to add these mappings? I can either:

Add the missing properties to directMappings - straightforward fix
Refactor to be more dynamic - check if property exists on config directly, reducing future maintenance

Which approach would you prefer?

jeff

Claude

I'll refactor getValueFromCentralConfig to dynamically look up properties on the config object, with special handling for renamed properties and nested objects.

Edit

{
  "file_path": "/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-configuration-helper/src/envGenerator.ts",
  "old_string": "/**\n * Maps a property name to its value from centralized config\n */\nfunction getValueFromCentralConfig(\n  propName: string,\n  config: ServiceConfigValues\n): string | undefined {\n  // Direct property mappings\n  const directMappings: Record<string, unknown> = {\n    servicePort: config.port,\n    corsOrigin: config.corsOrigin,\n    dataUri: config.dataUri,\n    storageUri: config.storageUri,\n    authUri: config.authUri,\n    appUrl: config.appUrl,\n    debugMode: config.debugMode,\n    logErrorsToDatabase: config.logErrorsToDatabase,\n    userJwtExpiresIn: config.userJwtExpiresIn,\n    userJwtExpiresInKulo: config.userJwtExpiresInKulo,\n    tempJwtExpiresIn: config.tempJwtExpiresIn,\n  };\n\n  // Rate limiter mappings\n  if (propName === 'rateLimiterPoints' && config.rateLimiter) {\n    return String(config.rateLimiter.points);\n  }\n  if (propName === 'rateLimiterDuration' && config.rateLimiter) {\n    return String(config.rateLimiter.duration);\n  }\n\n  // SMTP mappings (flatten nested smtp object)\n  if (config.smtp) {\n    const smtpMappings: Record<string, unknown> = {\n      smtpUseSandbox: config.smtp.useSandbox,\n      smtpSandboxAddress: config.smtp.sandboxAddress,\n      smtpServiceName: config.smtp.serviceName,\n      smtpAuthType: config.smtp.authType,\n      smtpSenderAddress: config.smtp.senderAddress,\n      smtpSenderName: config.smtp.senderName,\n    };\n    if (propName in smtpMappings) {\n      const value = smtpMappings[propName];\n      if (typeof value === 'boolean') {\n        return value ? 'ON' : 'OFF';\n      }\n      return value !== undefined ? String(value) : undefined;\n    }\n  }\n\n  // Check direct mappings\n  if (propName in directMappings) {\n    const value = directMappings[propName];\n    if (value === undefined) return undefined;\n\n    // Convert booleans to ON/OFF\n    if (typeof value === 'boolean') {\n      return value ? 'ON' : 'OFF';\n    }\n\n    return String(value);\n  }\n\n  return undefined;\n}",
  "new_string": "/**\n * Maps a property name to its value from centralized config\n *\n * Uses dynamic lookup with special handling for:\n * - Renamed properties (servicePort → port)\n * - Nested objects (rateLimiter, smtp)\n * - Boolean to ON/OFF conversion\n * - Record/object to JSON string conversion\n */\nfunction getValueFromCentralConfig(\n  propName: string,\n  config: ServiceConfigValues\n): string | undefined {\n  // Special case: servicePort maps to config.port\n  if (propName === 'servicePort') {\n    return config.port !== undefined ? String(config.port) : undefined;\n  }\n\n  // Rate limiter mappings (nested object)\n  if (propName === 'rateLimiterPoints' && config.rateLimiter) {\n    return String(config.rateLimiter.points);\n  }\n  if (propName === 'rateLimiterDuration' && config.rateLimiter) {\n    return String(config.rateLimiter.duration);\n  }\n\n  // SMTP mappings (flatten nested smtp object)\n  if (propName.startsWith('smtp') && config.smtp) {\n    const smtpFieldMap: Record<string, keyof NonNullable<typeof config.smtp>> = {\n      smtpUseSandbox: 'useSandbox',\n      smtpSandboxAddress: 'sandboxAddress',\n      smtpServiceName: 'serviceName',\n      smtpAuthType: 'authType',\n      smtpSenderAddress: 'senderAddress',\n      smtpSenderName: 'senderName',\n    };\n    const smtpField = smtpFieldMap[propName];\n    if (smtpField) {\n      const value = config.smtp[smtpField];\n      return formatValue(value);\n    }\n  }\n\n  // Dynamic lookup: check if property exists directly on config\n  const configRecord = config as Record<string, unknown>;\n  if (propName in configRecord) {\n    const value = configRecord[propName];\n    return formatValue(value);\n  }\n\n  return undefined;\n}\n\n/**\n * Formats a value for .env file output\n * - undefined → undefined (not found)\n * - boolean → 'ON' | 'OFF'\n * - object/array → JSON string\n * - other → String()\n */\nfunction formatValue(value: unknown): string | undefined {\n  if (value === undefined) {\n    return undefined;\n  }\n\n  if (typeof value === 'boolean') {\n    return value ? 'ON' : 'OFF';\n  }\n\n  if (typeof value === 'object' && value !== null) {\n    return JSON.stringify(value);\n  }\n\n  return String(value);\n}"
}

Tool Result

The file /Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-configuration-helper/src/envGenerator.ts has been updated. Here's the result of running `cat -n` on a snippet of the edited file:
   191→
   192→  return 'Other';
   193→}
   194→
   195→/**
   196→ * Maps a property name to its value from centralized config
   197→ *
   198→ * Uses dynamic lookup with special handling for:
   199→ * - Renamed properties (servicePort → port)
   200→ * - Nested objects (rateLimiter, smtp)
   201→ * - Boolean to ON/OFF conversion
   202→ * - Record/object to JSON string conversion
   203→ */
   204→function getValueFromCentralConfig(
   205→  propName: string,
   206→  config: ServiceConfigValues
   207→): string | undefined {
   208→  // Special case: servicePort maps to config.port
   209→  if (propName === 'servicePort') {
   210→    return config.port !== undefined ? String(config.port) : undefined;
   211→  }
   212→
   213→  // Rate limiter mappings (nested object)
   214→  if (propName === 'rateLimiterPoints' && config.rateLimiter) {
   215→    return String(config.rateLimiter.points);
   216→  }
   217→  if (propName === 'rateLimiterDuration' && config.rateLimiter) {
   218→    return String(config.rateLimiter.duration);
   219→  }
   220→
   221→  // SMTP mappings (flatten nested smtp object)
   222→  if (propName.startsWith('smtp') && config.smtp) {
   223→    const smtpFieldMap: Record<string, keyof NonNullable<typeof config.smtp>> = {
   224→      smtpUseSandbox: 'useSandbox',
   225→      smtpSandboxAddress: 'sandboxAddress',
   226→      smtpServiceName: 'serviceName',
   227→      smtpAuthType: 'authType',
   228→      smtpSenderAddress: 'senderAddress',
   229→      smtpSenderName: 'senderName',
   230→    };
   231→    const smtpField = smtpFieldMap[propName];
   232→    if (smtpField) {
   233→      const value = config.smtp[smtpField];
   234→      return formatValue(value);
   235→    }
   236→  }
   237→
   238→  // Dynamic lookup: check if property exists directly on config
   239→  const configRecord = config as Record<string, unknown>;
   240→  if (propName in configRecord) {
   241→    const value = configRecord[propName];
   242→    return formatValue(value);
   243→  }
   244→
   245→  return undefined;
   246→}
   247→
   248→/**
   249→ * Formats a value for .env file output
   250→ * - undefined → undefined (not found)
   251→ * - boolean → 'ON' | 'OFF'
   252→ * - object/array → JSON string
   253→ * - other → String()
   254→ */
   255→function formatValue(value: unknown): string | undefined {
   256→  if (value === undefined) {
   257→    return undefined;
   258→  }
   259→
   260→  if (typeof value === 'boolean') {
   261→    return value ? 'ON' : 'OFF';
   262→  }
   263→
   264→  if (typeof value === 'object' && value !== null) {
   265→    return JSON.stringify(value);
   266→  }
   267→
   268→  return String(value);
   269→}
   270→
   271→/**
   272→ * Gets default value for a property based on type, environment, and centralized config
   273→ * Returns ValueResult with the value and optional missing info if using a placeholder

Now let me run the test command again to see if the values are being picked up correctly.

Tool Result

> coding-with-claude-application@1.0.0 config-helper /Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application
> pnpm --filter cwc-configuration-helper "generate" "-e" "unit" "-s" "/Users/jeffbazinet/coding-with-claude/private/cwc-secrets/configuration-helper/unit-secrets.json" "-o" "./env-files" "--overwrite"


> cwc-configuration-helper@1.0.0 generate /Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-configuration-helper
> tsc && node ./dist/index.js generate "-e" "unit" "-s" "/Users/jeffbazinet/coding-with-claude/private/cwc-secrets/configuration-helper/unit-secrets.json" "-o" "./env-files" "--overwrite"


=== cwc-configuration-helper: generate ===

Monorepo root: /Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application
Loading secrets from: /Users/jeffbazinet/coding-with-claude/private/cwc-secrets/configuration-helper/unit-secrets.json
✓ Secrets loaded
Found 3 package(s) with configuration:

Processing cwc-auth...
  Config type: CwcAuthConfig
  Properties: 19
  Secrets: 2
***********************************************************
{
  prop: {
    propertyName: 'servicePort',
    envVarName: 'SERVICE_PORT',
    tsType: 'number',
    isOptional: false,
    isSecret: false,
    comment: undefined
  },
  environment: 'unit',
  centralConfig: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: false,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude'
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5,
    queryCacheMaxKeys: 1000,
    port: 5005,
    rateLimiter: { points: 15, duration: 1 },
    endToEndTestingMockValues: undefined
  },
  result: { value: '5005' }
}
***********************************************************
{
  prop: {
    propertyName: 'corsOrigin',
    envVarName: 'CORS_ORIGIN',
    tsType: 'string',
    isOptional: false,
    isSecret: false,
    comment: 'Security'
  },
  environment: 'unit',
  centralConfig: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: false,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude'
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',

Tool Result

***********************************************************
{
  prop: {
    propertyName: 'logPath',
    envVarName: 'LOG_PATH',
    tsType: 'string',
    isOptional: false,
    isSecret: false,
    comment: undefined
  },
  environment: 'unit',
  centralConfig: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: false,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude'
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5,
    queryCacheMaxKeys: 1000,
    port: 5030,
    rateLimiter: { points: 15, duration: 1 },
    endToEndTestingMockValues: undefined
  },
  result: {
    value: '<PATH>',
    missing: {
      envVarName: 'LOG_PATH',
      propertyName: 'logPath',
      type: 'regular',
      tsType: 'string',
      reason: 'no path value configured'
    }
  }
}
  ✓ Generated: env-files/unit.cwc-storage.env
  ⚠ 3 missing value(s)

=== Error: Missing configuration values detected ===

Package: cwc-auth
  - END_TO_END_MOCK_VALUES (Record | undefined): no value configured

Package: cwc-sql
  - END_TO_END_MOCK_VALUES (Record): no value configured

Package: cwc-storage
  - STORAGE_VOLUME_PATH (string): no path value configured
  - LOG_PATH (string): no path value configured
  - STORAGE_API_KEY (secret): not found in secrets file

Total: 5 missing value(s) across 3 package(s)

Please update your secrets file: /Users/jeffbazinet/coding-with-claude/private/cwc-secrets/configuration-helper/unit-secrets.json

/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-configuration-helper:
 ERR_PNPM_RECURSIVE_RUN_FIRST_FAIL  cwc-configuration-helper@1.0.0 generate: `tsc && node ./dist/index.js generate "-e" "unit" "-s" "/Users/jeffbazinet/coding-with-claude/private/cwc-secrets/configuration-helper/unit-secrets.json" "-o" "./env-files" "--overwrite"`
Exit status 1
 ELIFECYCLE  Command failed with exit code 1.

System

Claude

Looking at the conversation summary, the refactoring to getValueFromCentralConfig was successful - missing values were reduced from 15 to 5. The remaining 5 missing values are expected:

END_TO_END_MOCK_VALUES (2 packages): Set to undefined in unit config (line 177 of configuration.ts)
STORAGE_VOLUME_PATH and LOG_PATH: Storage-specific paths not in central config
STORAGE_API_KEY: A secret that needs to be in the secrets file

Let me clean up the debug console.log statements from envGenerator.ts now that testing is complete.

Now let me check if there's another debug console.log statement that was mentioned:

Now let me verify the typecheck still passes:

Let me rebuild the package to ensure everything compiles correctly:

The debug console.log statements have been removed and the package builds successfully.

Summary of cwc-configuration-helper Fix

The refactoring to getValueFromCentralConfig in envGenerator.ts:204-246 was successful:

Changes made:

Replaced hardcoded directMappings with dynamic property lookup
Added formatValue helper for boolean→ON/OFF and object→JSON conversion
Special handling preserved for:
- servicePort → config.port
- rateLimiterPoints/Duration → config.rateLimiter.points/duration
- smtp* properties → flattened from config.smtp object
Removed debug console.log statements

Results:

Missing values reduced from 15 to 5
All new configuration values (devCorsOrigin, smtp settings, database settings, cache settings) now populate correctly

Remaining 5 missing values are expected:

Variable	Reason
`END_TO_END_MOCK_VALUES` (×2)	Set to `undefined` in unit config (line 177)
`STORAGE_VOLUME_PATH`	Storage-specific path, not in central config
`LOG_PATH`	Storage-specific path, not in central config
`STORAGE_API_KEY`	Secret - needs to be in secrets file

These are legitimate missing values that require either environment-specific configuration or entries in the secrets file.

jeff

I see END_TO_END_MOCK_VALUES=<VALUE> in the .env files, I feel like this should be empty when there are no values provided.

Claude

You're right. When endToEndMockValues is explicitly set to undefined in the configuration, it should output an empty value, not a <VALUE> placeholder. The issue is that getValueFromCentralConfig returns undefined for both "property not found" and "property is undefined", which causes it to fall through to the default placeholder logic.

Let me fix this:

Done. Now the logic distinguishes between:

Scenario	Returns	.env Output
Property not in config	`undefined`	`<VALUE>` placeholder
Property exists with `undefined` value	`''`	Empty value (intentionally not set)
Property exists with actual value	Formatted value	The value

So END_TO_END_MOCK_VALUES= will now be empty for the unit environment where endToEndMockValues: undefined is explicitly configured.

jeff

The following instructional message is misleading Please update your secrets file: /Users/jeffbazinet/coding-with-claude/private/cwc-secrets/configuration-helper/unit-secrets.json because the values that are missing are not secrets. In this case shouldn't the instruction tell the developer to update the configuration.ts file?

Claude

You're right. Let me find where that message is generated and fix it to give appropriate guidance based on whether the missing values are secrets or regular configuration.

Now I can update the message logic to provide appropriate guidance based on the type of missing values:

Done. Now the error output will provide appropriate guidance based on what's missing:

Example output with only missing config values:

Total: 2 missing value(s) across 1 package(s)

2 missing configuration value(s) - update configuration.ts

Example output with only missing secrets:

Total: 1 missing value(s) across 1 package(s)

1 missing secret(s) - update secrets file: /path/to/secrets.json

Example output with both:

Total: 3 missing value(s) across 2 package(s)

2 missing configuration value(s) - update configuration.ts

1 missing secret(s) - update secrets file: /path/to/secrets.json

jeff

I have added STORAGE_API_KEY to the {cwcSecretsPath}/*-secrets.json files. I used secretKey = crypto.randomBytes(32).toString("hex"); to generate the api keys - is that the correct approach?
I have added this to cwc-configuration-helper's configuration.ts:
storageVolumePath: string; // cwc-storage service
storageLogPath: string; // cwc-storage service
Instead of logPath/LOG_PATH, let's use storageLogPath/STORAGE_LOG_PATH since this value only gets used by the cwc-storage package.

Claude

Yes, crypto.randomBytes(32).toString("hex") is the correct approach - it generates 256 bits of cryptographically secure randomness encoded as a 64-character hex string, which is ideal for API keys.

Now let me update cwc-storage to use storageLogPath/STORAGE_LOG_PATH instead of logPath/LOG_PATH:

I'll update the config type and loadConfig, then update the places where Logger is instantiated to map storageLogPath to the Logger's expected logPath:

Now let me update the Logger instantiation points to map storageLogPath to logPath:

Now let me update the CLAUDE.md documentation:

Now let me verify everything compiles:

Let me also rebuild cwc-configuration-helper to ensure it works with the new property names:

Done. Updated cwc-storage to use storageLogPath/STORAGE_LOG_PATH:

Files changed:

File	Change
`config.types.ts`	`logPath` → `storageLogPath`
`loadConfig.ts`	`LOG_PATH` → `STORAGE_LOG_PATH`
`StorageApiV1/index.ts`	`config.logPath` → `config.storageLogPath`
`StorageHandler.ts`	`config.logPath` → `config.storageLogPath`
`CLAUDE.md`	Updated env var documentation

The Logger class keeps its internal logPath property name (implementation detail), but receives the value from config.storageLogPath.

jeff

Please take a look at SQL_CLIENT_API_KEY in packages/cwc-configuration-helper/env-files/unit.cwc-sql.env
It looks like we need to replace the line-feeds with \n and quote the value.

Claude

I can't read the env-files directory, but I understand the issue. When a secret contains newlines (like a PEM public key), we need to:

Replace actual newlines with \n escape sequences
Quote the value

Let me update the getSecretValue function in envGenerator.ts:

Now let me add the formatEnvValue helper function:

Done. Now when a secret value contains newlines (like a PEM public key), it will be formatted correctly:

Before:

SQL_CLIENT_API_KEY=-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...
-----END PUBLIC KEY-----

After:

SQL_CLIENT_API_KEY="-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...\n-----END PUBLIC KEY-----"

The formatEnvValue function escapes newlines as \n and wraps the value in double quotes.

jeff

Perfect, thank you for a great coding session! Can you review our conversation for any discovery, rules, patterns, etc. that should either be included in the CLAUDE.md file or the README.md file and make those update please?

Claude

Let me review the conversation and update the relevant documentation files.

Now let me check the root CLAUDE.md for patterns that should be added:

Now let me check if the cwc-backend-utils CLAUDE.md needs updates about the CORS simplification:

The cwc-backend-utils CLAUDE.md already has accurate documentation for the CORS behavior. Let me run a final typecheck to make sure everything is in order:

All packages typecheck successfully. Here's a summary of the documentation updates:

Documentation Updates

cwc-configuration-helper/CLAUDE.md

Added new sections:

Centralized Configuration (configuration.ts) - Documents RuntimeConfigValues, ServiceConfigValues, and dynamic property lookup pattern
Value Handling - Explains undefined vs missing values, and multiline secret formatting
Error Messages - Documents categorized guidance (secrets vs config values)
Updated architecture to include configuration.ts

Root CLAUDE.md

Added under "Naming Conventions for Configuration Values":

Package-specific prefixes - Guidance to prefix config values with package context when only used by one package (e.g., storageLogPath vs logPath)
Secret and API Key Generation - Documents crypto.randomBytes(32).toString('hex') pattern for generating cryptographically secure secrets

Session Summary

Key changes made during this session:

Refactored getValueFromCentralConfig to use dynamic property lookup
Fixed undefined value handling (empty string vs placeholder)
Added proper error messages distinguishing secrets vs config values
Added multiline secret formatting (escape newlines, quote)
Renamed logPath/LOG_PATH → storageLogPath/STORAGE_LOG_PATH in cwc-storage
Removed debug console.log statements

Session 18: resume config helper

37 files modified

CLAUDE.md

3 versions

Version 1

CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

CRITICAL: Role and Professional Standards

Claude Code's role on this project is to serve as a "highly experienced senior software engineer and application architect" with "in-depth understanding of the CWC codebase, conventions, and rules."

It is assumed, and imperative, that as a senior engineer, you will do your due diligence:

Required Due Diligence for Every Task

Before proposing any design, architecture, or implementation:

Read all relevant package CLAUDE.md files
- If touching database → read packages/cwc-database/CLAUDE.md
- If defining/modifying types → read packages/cwc-types/CLAUDE.md
- If working with any package → read that package's CLAUDE.md file
- Package-specific conventions MUST be followed
Examine existing code in all affected packages
- Check for existing types, schemas, or utilities before proposing new ones
- Understand established patterns and conventions
- Identify dependencies between packages
Understand the full scope
- Identify all packages affected by the feature or change
- Consider both direct changes and indirect impacts (shared types, utilities, etc.)
- Plan across package boundaries, not in isolation

Cross-Package Feature Planning

When working on features that span multiple packages:

Discovery phase first - Survey the landscape before designing
Read documentation - All relevant package CLAUDE.md files
Examine existing implementations - Check for related code/patterns
Design within constraints - Follow established conventions
Present context with design - Show what you reviewed and how your design follows patterns

This is not optional. The developer should not have to repeatedly point out missed conventions or overlooked existing code. Professional engineers build on institutional knowledge rather than reinventing or contradicting established patterns.

Package-Specific Documentation

Claude Code automatically loads all CLAUDE.md files recursively. When working in a specific package or on package-specific tasks, refer to these package documentation files for detailed guidance:

cwc-types → packages/cwc-types/CLAUDE.md
- Type generation from database schema
- Entity type patterns (Strict Base + Partial)
- Union type naming conventions
- Request-scoped caching patterns
cwc-database → packages/cwc-database/CLAUDE.md
- Database schema conventions
- Table/index/view naming patterns
- Migration script patterns
- Database design patterns (JWT tables, multi-step processes, etc.)
cwc-deployment → packages/cwc-deployment/CLAUDE.md
- Deployment system architecture
- SSH-based deployment workflows
- Docker container management
- Troubleshooting and error handling
cwc-schema → packages/cwc-schema/CLAUDE.md
- Schema definition patterns
- Runtime validation functions
- Hybrid validation with Zod
- Column type definitions
cwc-utils → packages/cwc-utils/CLAUDE.md
- Shared utilities (browser + Node.js)
- Profanity checking and content filtering
- Cross-platform compatibility guidelines
- Adding new utilities

Project Overview

What is codingwithclaude?

A multi-tenant developer publishing platform: a dynamic, real-time publishing platform that serves as both a public feed for developer content and a private dashboard for external developers (users of the app) to manage and publish their own technical blog posts, organized by "Projects."

Project name & aliases

In this document and prompts from the developer, all of these names or phrases are assumed to refer to the project:

coding-with-claude-application
codingwithclaude
coding-with-claude
CWC or cwc

Proactive Documentation Philosophy

CRITICAL: This file is a living knowledge base that must be continuously updated.

As Claude Code works with the developer, it is EXPECTED to proactively capture all learnings, patterns, critical instructions, and feedback in this CLAUDE.md file WITHOUT being reminded. This is a professional partnership where:

Every gap discovered during planning or analysis → Document the pattern to prevent future occurrences
Every critical instruction from the developer → Add to relevant sections immediately
Every "I forgot to do X" moment → Create a checklist or rule to prevent repetition
Every architectural pattern learned → Document it for consistency
Every planning session insight → Capture the learning before implementation begins

When to update CLAUDE.md:

DURING planning sessions - This is where most learning happens through analysis, feedback, and corrections
After receiving critical feedback - Document the expectation immediately
After discovering a bug or oversight - Add checks/rules to prevent it
After analysis reveals gaps - Document what to check in the future
When the developer explains "this is how we do X" - Add it to the guide
After implementing a new feature - Capture any additional patterns discovered during execution

Planning sessions are especially critical: The analysis, feedback, and corrections that happen during planning contain the most valuable learnings. Update CLAUDE.md with these insights BEFORE starting implementation, not after.

Professional expectation: The developer should not need to repeatedly point out the same oversights or remind Claude Code to document learnings. Like professional teammates, we learn from each interaction and build institutional knowledge.

Format: When updating this file, maintain clear structure, provide code examples where helpful, and organize related concepts together. Focus exclusively on information that helps Claude Code operate effectively during AI-assisted coding sessions.

Package-Specific Documentation: When learning package-specific patterns, update the appropriate package CLAUDE.md file, not this root file.

CLAUDE.md File Specification

Purpose: CLAUDE.md files are memory files for AI assistants (like Claude Code), NOT documentation for human developers.

What CLAUDE.md IS for:

Architectural patterns and critical design decisions
Code conventions, naming rules, and style preferences
What to check during planning sessions
Lessons learned and mistakes to avoid
Project-specific security rules and compliance requirements
Critical implementation patterns that must be followed
"If you see X, always do Y" type rules
Checklists for common operations

What CLAUDE.md is NOT for (belongs in README.md):

API documentation and endpoint specifications
Usage examples and tutorials for humans
Setup and installation instructions
General explanations and marketing copy
Step-by-step guides and how-tos
Detailed configuration walkthroughs
Complete type definitions (already in code)
Performance tuning guides for users

File Size Targets:

Warning threshold: 40,000 characters per file (Claude Code performance degrades)
Recommended: Keep under 500 lines when possible for fast loading
Best practice: If a package CLAUDE.md approaches 300-400 lines, review for README-style content
For large packages: Use concise bullet points; move examples to README

Content Guidelines:

Be specific and actionable: "Use 2-space indentation" not "Format code properly"
Focus on patterns: Show the pattern, explain when to use it
Include context for decisions: Why this approach, not alternatives
Use code examples sparingly: Only when pattern is complex
Keep it scannable: Bullet points and clear headers

CLAUDE.md vs README.md:

CLAUDE.md	README.md
For AI assistants	For human developers
Patterns and rules	Complete documentation
What to check/avoid	How to use and setup
Concise and focused	Comprehensive and detailed
Loaded on every session	Read when needed

Documentation Organization in Monorepos

Critical learnings about Claude Code documentation structure:

Claude Code automatically loads all CLAUDE.md files recursively:
- Reads CLAUDE.md in current working directory
- Recurses upward to parent directories (stops at workspace root)
- Discovers nested CLAUDE.md files in subdirectories
- All files are loaded together - they complement, not replace each other
Package-specific CLAUDE.md is the standard pattern for monorepos:
- Root CLAUDE.md contains monorepo-wide conventions (tooling, git workflow, shared patterns)
- Package CLAUDE.md contains package-specific patterns (database schema, deployment, type generation)
- Working from any directory loads both root and relevant package docs automatically
Performance limit: 40,000 characters per file:
- Claude Code shows performance warning when CLAUDE.md exceeds 40k characters
- Solution: Split into package-specific files, not multiple files in .claude/ directory
- Only CLAUDE.md files are automatically loaded; other .md files in .claude/ are NOT
Optimize for AI-assisted coding, not human readers:
- Include patterns, conventions, code examples, and strict rules
- Include "what to check during planning" and "lessons learned" sections
- Exclude content primarily for human developers (marketing copy, general explanations)
- Focus on actionable information needed during coding sessions

When to create package CLAUDE.md:

Package has unique architectural patterns
Package has specific conventions (schema rules, deployment procedures)
Package has domain-specific knowledge (auth flows, type generation)
Package documentation would exceed ~500 lines in root file

File Access Restrictions and Security Boundaries

Claude Code operates under strict file access restrictions to protect sensitive data:

Workspace Boundaries

Claude Code can ONLY access files within the monorepo root: ./coding-with-claude-application
No access to parent directories, system files, or files outside this workspace
This is enforced by Claude Code's security model

Prohibited File Access

Claude Code is explicitly blocked from reading or writing:

Environment files:
- .env files at any location
- .env.* files (e.g., .env.local, .env.production, .env.dev)
- *.env files (e.g., prod.cwc-sql.env, dev.cwc-storage.env, test.cwc-app.env)
- Any variation of environment configuration files
Secret and credential files:
- Any directory named secrets/, secret/, or private/
- Any directory with secret, secrets, or private in its path
- Any file with secret, secrets, private, or credentials in its filename
- Service account JSON files (service-account-*.json)
- Firebase configuration files (google-services.json, GoogleService-Info.plist)
- Any file matching *credentials*.json
Rationale:
- Prevents accidental exposure of API keys, database passwords, and authentication tokens
- Protects production credentials and service account keys
- Reduces risk of sensitive data being included in code examples or logs
- Enforces principle of least privilege

These restrictions are enforced in .claude/settings.json and cannot be overridden during a session.

Git Workflow

The developer handles all git operations manually. Claude should:

Never initiate git commits, pushes, pulls, or any write operations
Only use git for read-only informational purposes (status, diff, log, show)
Not proactively suggest git operations unless explicitly asked

Git write operations are blocked in .claude/settings.json to enforce this workflow.

Architecture Overview

Monorepo Structure (future plan)

root project: /coding-with-claude-application
packages (apps, microservices, utilities):
- cwc-types: shared TypeScript types to be used in all other packages
- cwc-utils: shared utilities for browser and Node.js (profanity checking, validation helpers, etc.)
- cwc-deployment: custom deployment CLI for SSH-based deployment to remote servers
- cwc-backend-utils: shared Node.js utilities that backend/api packages will consume
- cwc-website: public frontend end web application
- cwc-auth: authentication microservice, providing login, logout, signup, password reset, etc.
- cwc-api: the main data api used by cwc-website to read & write data, enforce auth, role-based access policies, and business rules/logic
- cwc-dashboard: an administrative web dashboard app for site owners to manage the app & data
- cwc-admin-api: the admin and data api used by the cwc-dashboard app
- cwc-database: database scripts to create tables, indexes, views, as well as insert configuration data
- cwc-schema: shared schema management library that may be used by frontend and backend packages
- cwc-sql: the only backend service that interacts directly with the database server, uses schema to dynamically generate sql statements
- cwc-e2e: a set of end-to-end tests

Tech Stack: to be determined as we build each package, update this documentation as we go.

Development Tooling & Infrastructure

Monorepo Management

pnpm v9.x + Turborepo v2.x

pnpm workspaces for package management and dependency resolution
- Configured in pnpm-workspace.yaml
- Packages located in packages/*
- Uses content-addressable storage for disk efficiency
- Strict dependency resolution prevents phantom dependencies
Turborepo for task orchestration and caching
- Configured in turbo.json
- Intelligent parallel execution based on dependency graph
- Local caching for faster rebuilds
- Pipeline tasks: build, dev, test, lint, typecheck

Node.js Version

Node.js 22 LTS (specified in .nvmrc)
Required for all development and production environments
Use nvm for version management

Code Quality Tools

TypeScript v5.4+

Configured in tsconfig.base.json
Strict mode enabled with enhanced type checking
JavaScript explicitly disallowed (allowJs: false)
Monorepo-optimized with composite projects
Individual packages extend base config

Module Resolution: bundler

Uses "moduleResolution": "bundler" in tsconfig.base.json
Uses "module": "ES2022" (required for bundler resolution)
Allows clean TypeScript imports without .js extensions
- ✅ Correct: import { Schema } from './types'
- ❌ Not needed: import { Schema } from './types.js'
Still produces correct ES module output in compiled JavaScript
Designed for TypeScript projects compiled by tsc or bundlers

Why bundler over NodeNext:

Better DX: No .js extensions in TypeScript source files
Modern standard: Industry standard for TypeScript libraries and monorepos
Same output: Still generates proper ES modules (.js files)
No trade-offs: Type safety and module compatibility maintained

Note: Previously used "moduleResolution": "NodeNext" which required .js extensions per ES modules spec (e.g., import './types.js'). Switched to bundler in session 007 for cleaner imports across all packages.

ESLint v8.x with TypeScript

Configured in .eslintrc.json
Uses @typescript-eslint/strict ruleset
Enforces explicit function return types
Prohibits any type and non-null assertions
Strict boolean expressions required

Prettier v3.x

Configured in .prettierrc.json
Standards:
- Single quotes
- 2-space indentation
- 100 character line width
- Trailing commas (ES5)
- LF line endings

Root Scripts

Run from monorepo root using pnpm:

pnpm build - Build all packages (parallel, cached)
pnpm dev - Run all packages in dev mode
pnpm test - Run tests across all packages (parallel, cached)
pnpm lint - Lint all packages (parallel, cached)
pnpm typecheck - Type-check all packages (parallel, cached)
pnpm format - Format all files with Prettier
pnpm format:check - Check formatting without changes

Development Workflow

Before starting work:
- Ensure Node 22 is active: nvm use
- Install dependencies: pnpm install
During development:
- Run dev mode: pnpm dev (in specific package or root)
- Format code: pnpm format
Before committing:
- Type-check: pnpm typecheck
- Lint: pnpm lint
- Format check: pnpm format:check
- Run tests: pnpm test

Package Creation Conventions

When creating a new package in the monorepo:

Version Number: Always start new packages at version 1.0.0 (not 0.0.1)
- Example: "version": "1.0.0" in package.json
- This is a project preference for consistency
Package Structure:
- Follow existing package patterns (see cwc-types as reference)
- Include package.json, tsconfig.json extending base config
- Place source files in src/ directory
- Include appropriate build and typecheck scripts
Package Entry Points (CRITICAL - bundler resolution):
- Point main, types, and exports to ./src/index.ts (NOT ./dist)
- With bundler module resolution, we reference TypeScript source directly
- Example:
```
"main": "./src/index.ts",
"types": "./src/index.ts",
"exports": {
  ".": {
    "types": "./src/index.ts",
    "default": "./src/index.ts"
  }
}
```
- ❌ NEVER use ./dist/index.js or ./dist/index.d.ts
Package Naming:
- Use cwc- prefix for all CWC packages
- Use kebab-case: cwc-types, cwc-backend-utils, etc.
Package Documentation:
- Create packages/{package-name}/CLAUDE.md for package-specific patterns and conventions
- Document architecture decisions, design patterns, and critical implementation details
- Keep package docs focused on information needed for AI-assisted coding
Add Package Shortcut Script:
- Add a shortcut script to root package.json for the new package
- Format: "package-name-shortcut": "pnpm --filter cwc-package-name"
- Example: "backend-utils": "pnpm --filter cwc-backend-utils"
- This allows simplified commands: pnpm backend-utils add express instead of pnpm --filter cwc-backend-utils add express
- Keep shortcuts in alphabetical order in the scripts section

Key Architectural Decisions & Patterns

MariaDB Database

Strong Schema Enforcement
Transaction support
Efficient Joins
Data normalization
Sophisticated Querying and Analytics

Details: See packages/cwc-database/CLAUDE.md for complete database schema conventions.

TypeScript

Strict mode enabled (strict: true)
Shared types in cwc-types package; duplicating types in separate projects leads to inconsistencies, incompatibility, confusion, and extra work
Never use any - prefer unknown if type is truly unknown
Use string literal union types, not enums
Use type for entity definitions, not interface
Use undefined, never null - simplifies code by avoiding explicit checks for both values; aligns with TypeScript's optional property syntax (field?: string)
Run typecheck before committing

Details: See packages/cwc-types/CLAUDE.md for complete TypeScript patterns and type generation.

Naming Conventions for Configuration Values

Clarity is critical for maintainability. Configuration names should clearly indicate:

What the value is for (its purpose)
Where it's used (which service/context)

Examples:

sqlClientApiKey - Clear: API key for SQL Client authentication
authenticationPublicKey - Unclear: Could apply to any auth system

Rule: When naming configuration values, prefer verbose, descriptive names over short, ambiguous ones. When a developer returns to the code after weeks or months, the name should immediately convey the purpose without requiring investigation.

Cloud-Agnostic Microservices

CWC uses a microservices architecture deployed as Docker containers potentially deployed across multiple datacenters.

Vendor lock-in is a real business risk. Cloud providers can change pricing, deny service access, or deprecate features at any time.
Cloud-agnostic microservices architecture allows switching hosting providers with minimal effort.
Preparation for Scale - can scale by adding infrastructure (more containers, load balancers) rather than rewriting code and specific services can be scaled based on actual load patterns

Environment Configuration

NODE_ENV vs RUNTIME_ENVIRONMENT:

Variable	Purpose	Set By	Values
`NODE_ENV`	Build-time behavior	npm/bundlers	`development`, `production`, `test`
`RUNTIME_ENVIRONMENT`	Application runtime behavior	CWC deployment	`dev`, `test`, `prod`, `unit`, `e2e`

NODE_ENV (npm/Node.js ecosystem):

Controls build optimizations (minification, tree-shaking)
Affects dependency installation behavior
CWC does NOT read this in application config

RUNTIME_ENVIRONMENT (CWC application):

Controls application behavior (email sending, error verbosity, feature flags)
Type: RuntimeEnvironment from cwc-types
CWC config system reads this via loadConfig()

Rules:

Test scripts: RUNTIME_ENVIRONMENT=unit jest (not NODE_ENV=unit)
Backend config: Always read RUNTIME_ENVIRONMENT, never NODE_ENV
Each package reads configuration from .env file tailored to the runtime environment

Development Process

Tool, Framework, Version selection

mainstream, widely accepted, and thoroughly tested & proven tools only
the desire is to use the latest stable versions of the various tools

Adopt a "roll-your-own" mentality

we want to minimize the number of unnecessary dependencies to avoid headaches when upgrading our core tech stack
when it makes sense, we will build our own components and utilities rather than relying on a 3rd party package

Code Review Workflow Patterns

CRITICAL: When the developer provides comprehensive code review feedback and requests step-by-step discussion.

Developer Should Continue Providing Comprehensive Feedback Lists

Encourage the developer to provide ALL feedback items in a single comprehensive list. This is highly valuable because:

Gives full context about scope of changes
Allows identification of dependencies between issues
Helps spot patterns across multiple points
More efficient than addressing issues one at a time

Never discourage comprehensive feedback. The issue is not the list size, but how Claude Code presents the response.

Recognize Step-by-Step Request Signals

When the developer says any of these phrases:

"review each of these in order step by step"
"discuss each point one by one"
"let's go through these one at a time"
"walk me through each item"

This is a request for ITERATIVE discussion, not a comprehensive dump of all analysis.

Step-by-Step Review Pattern (Default for Code Reviews)

When developer provides comprehensive feedback with step-by-step request:

✅ Correct approach:

Present ONLY Point 1 with:
- The developer's original feedback for that point
- Claude's analysis and thoughts
- Any clarifying questions needed
- Recommendation for what to do
Wait for developer response and engage in discussion if needed
After Point 1 is resolved, present Point 2 using same format
Continue iteratively through all points
After all points discussed, ask "Ready to implement?" and show summary of agreed changes

Message format for each point:

## Point N: [Topic Name]

**Your Feedback:**
[Quote the developer's original feedback for this point]

**My Analysis:**
[Thoughts on this specific point only]

**Questions:** [If clarification needed]
- Question 1?
- Question 2?

**Recommendation:**
[What Claude thinks should be done]

---
*Waiting for your thoughts on Point N before moving to Point N+1.*

❌ What NOT to do:

Present all 10-15 points with full analysis at once
Make the developer reference "Point 7" or scroll to find what they want to discuss
Skip the iterative conversation pattern when explicitly requested

Alternative: Full Analysis First Pattern

Only use this pattern when developer explicitly requests it:

Developer says:

"Give me your analysis on all points first"
"Show me all your recommendations, then we'll discuss"
"I want to see the big picture before deciding"

In this case:

Present comprehensive analysis of all points
Wait for developer to identify which points need discussion
Focus conversation only on points developer has questions about

Benefits of Step-by-Step Pattern

Easy to follow: Each message is focused on one decision
Encourages discussion: Natural to discuss one topic at a time
No reference confusion: No need to say "regarding Point 7..."
Clear progress: Both parties know exactly where we are in the review
Better decisions: Focused attention leads to better analysis

Implementation Phase

After all review points are discussed and decisions made:

Summarize all agreed changes in a checklist format
Ask for explicit approval to proceed: "Ready to implement these changes?"
Proceed with implementation in logical groups
Update documentation if patterns/learnings emerged during review

Session 010 Learning: This pattern was established after Claude Code incorrectly presented all 14 review points at once despite clear request for step-by-step discussion. This made it difficult for the developer to engage in focused discussion on individual points.

never log config.secrets, these values are always REDACTED

Version 2

CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

CRITICAL: Role and Professional Standards

It is assumed, and imperative, that as a senior engineer, you will do your due diligence:

Required Due Diligence for Every Task

Before proposing any design, architecture, or implementation:

Read all relevant package CLAUDE.md files
- If touching database → read packages/cwc-database/CLAUDE.md
- If defining/modifying types → read packages/cwc-types/CLAUDE.md
- If working with any package → read that package's CLAUDE.md file
- Package-specific conventions MUST be followed
Examine existing code in all affected packages
- Check for existing types, schemas, or utilities before proposing new ones
- Understand established patterns and conventions
- Identify dependencies between packages
Understand the full scope
- Identify all packages affected by the feature or change
- Consider both direct changes and indirect impacts (shared types, utilities, etc.)
- Plan across package boundaries, not in isolation

Cross-Package Feature Planning

When working on features that span multiple packages:

Discovery phase first - Survey the landscape before designing
Read documentation - All relevant package CLAUDE.md files
Examine existing implementations - Check for related code/patterns
Design within constraints - Follow established conventions
Present context with design - Show what you reviewed and how your design follows patterns

Package-Specific Documentation

Claude Code automatically loads all CLAUDE.md files recursively. When working in a specific package or on package-specific tasks, refer to these package documentation files for detailed guidance:

cwc-types → packages/cwc-types/CLAUDE.md
- Type generation from database schema
- Entity type patterns (Strict Base + Partial)
- Union type naming conventions
- Request-scoped caching patterns
cwc-database → packages/cwc-database/CLAUDE.md
- Database schema conventions
- Table/index/view naming patterns
- Migration script patterns
- Database design patterns (JWT tables, multi-step processes, etc.)
cwc-deployment → packages/cwc-deployment/CLAUDE.md
- Deployment system architecture
- SSH-based deployment workflows
- Docker container management
- Troubleshooting and error handling
cwc-schema → packages/cwc-schema/CLAUDE.md
- Schema definition patterns
- Runtime validation functions
- Hybrid validation with Zod
- Column type definitions
cwc-utils → packages/cwc-utils/CLAUDE.md
- Shared utilities (browser + Node.js)
- Profanity checking and content filtering
- Cross-platform compatibility guidelines
- Adding new utilities

Project Overview

What is codingwithclaude?

Project name & aliases

In this document and prompts from the developer, all of these names or phrases are assumed to refer to the project:

coding-with-claude-application
codingwithclaude
coding-with-claude
CWC or cwc

Proactive Documentation Philosophy

CRITICAL: This file is a living knowledge base that must be continuously updated.

Every gap discovered during planning or analysis → Document the pattern to prevent future occurrences
Every critical instruction from the developer → Add to relevant sections immediately
Every "I forgot to do X" moment → Create a checklist or rule to prevent repetition
Every architectural pattern learned → Document it for consistency
Every planning session insight → Capture the learning before implementation begins

When to update CLAUDE.md:

DURING planning sessions - This is where most learning happens through analysis, feedback, and corrections
After receiving critical feedback - Document the expectation immediately
After discovering a bug or oversight - Add checks/rules to prevent it
After analysis reveals gaps - Document what to check in the future
When the developer explains "this is how we do X" - Add it to the guide
After implementing a new feature - Capture any additional patterns discovered during execution

Package-Specific Documentation: When learning package-specific patterns, update the appropriate package CLAUDE.md file, not this root file.

CLAUDE.md File Specification

Purpose: CLAUDE.md files are memory files for AI assistants (like Claude Code), NOT documentation for human developers.

What CLAUDE.md IS for:

Architectural patterns and critical design decisions
Code conventions, naming rules, and style preferences
What to check during planning sessions
Lessons learned and mistakes to avoid
Project-specific security rules and compliance requirements
Critical implementation patterns that must be followed
"If you see X, always do Y" type rules
Checklists for common operations

What CLAUDE.md is NOT for (belongs in README.md):

API documentation and endpoint specifications
Usage examples and tutorials for humans
Setup and installation instructions
General explanations and marketing copy
Step-by-step guides and how-tos
Detailed configuration walkthroughs
Complete type definitions (already in code)
Performance tuning guides for users

File Size Targets:

Warning threshold: 40,000 characters per file (Claude Code performance degrades)
Recommended: Keep under 500 lines when possible for fast loading
Best practice: If a package CLAUDE.md approaches 300-400 lines, review for README-style content
For large packages: Use concise bullet points; move examples to README

Content Guidelines:

Be specific and actionable: "Use 2-space indentation" not "Format code properly"
Focus on patterns: Show the pattern, explain when to use it
Include context for decisions: Why this approach, not alternatives
Use code examples sparingly: Only when pattern is complex
Keep it scannable: Bullet points and clear headers

CLAUDE.md vs README.md:

CLAUDE.md	README.md
For AI assistants	For human developers
Patterns and rules	Complete documentation
What to check/avoid	How to use and setup
Concise and focused	Comprehensive and detailed
Loaded on every session	Read when needed

Documentation Organization in Monorepos

Critical learnings about Claude Code documentation structure:

Claude Code automatically loads all CLAUDE.md files recursively:
- Reads CLAUDE.md in current working directory
- Recurses upward to parent directories (stops at workspace root)
- Discovers nested CLAUDE.md files in subdirectories
- All files are loaded together - they complement, not replace each other
Package-specific CLAUDE.md is the standard pattern for monorepos:
- Root CLAUDE.md contains monorepo-wide conventions (tooling, git workflow, shared patterns)
- Package CLAUDE.md contains package-specific patterns (database schema, deployment, type generation)
- Working from any directory loads both root and relevant package docs automatically
Performance limit: 40,000 characters per file:
- Claude Code shows performance warning when CLAUDE.md exceeds 40k characters
- Solution: Split into package-specific files, not multiple files in .claude/ directory
- Only CLAUDE.md files are automatically loaded; other .md files in .claude/ are NOT
Optimize for AI-assisted coding, not human readers:
- Include patterns, conventions, code examples, and strict rules
- Include "what to check during planning" and "lessons learned" sections
- Exclude content primarily for human developers (marketing copy, general explanations)
- Focus on actionable information needed during coding sessions

When to create package CLAUDE.md:

Package has unique architectural patterns
Package has specific conventions (schema rules, deployment procedures)
Package has domain-specific knowledge (auth flows, type generation)
Package documentation would exceed ~500 lines in root file

File Access Restrictions and Security Boundaries

Claude Code operates under strict file access restrictions to protect sensitive data:

Workspace Boundaries

Claude Code can ONLY access files within the monorepo root: ./coding-with-claude-application
No access to parent directories, system files, or files outside this workspace
This is enforced by Claude Code's security model

Prohibited File Access

Claude Code is explicitly blocked from reading or writing:

Environment files:
- .env files at any location
- .env.* files (e.g., .env.local, .env.production, .env.dev)
- *.env files (e.g., prod.cwc-sql.env, dev.cwc-storage.env, test.cwc-app.env)
- Any variation of environment configuration files
Secret and credential files:
- Any directory named secrets/, secret/, or private/
- Any directory with secret, secrets, or private in its path
- Any file with secret, secrets, private, or credentials in its filename
- Service account JSON files (service-account-*.json)
- Firebase configuration files (google-services.json, GoogleService-Info.plist)
- Any file matching *credentials*.json
Rationale:
- Prevents accidental exposure of API keys, database passwords, and authentication tokens
- Protects production credentials and service account keys
- Reduces risk of sensitive data being included in code examples or logs
- Enforces principle of least privilege

These restrictions are enforced in .claude/settings.json and cannot be overridden during a session.

Git Workflow

The developer handles all git operations manually. Claude should:

Never initiate git commits, pushes, pulls, or any write operations
Only use git for read-only informational purposes (status, diff, log, show)
Not proactively suggest git operations unless explicitly asked

Git write operations are blocked in .claude/settings.json to enforce this workflow.

Architecture Overview

Monorepo Structure (future plan)

root project: /coding-with-claude-application
packages (apps, microservices, utilities):
- cwc-types: shared TypeScript types to be used in all other packages
- cwc-utils: shared utilities for browser and Node.js (profanity checking, validation helpers, etc.)
- cwc-deployment: custom deployment CLI for SSH-based deployment to remote servers
- cwc-backend-utils: shared Node.js utilities that backend/api packages will consume
- cwc-website: public frontend end web application
- cwc-auth: authentication microservice, providing login, logout, signup, password reset, etc.
- cwc-api: the main data api used by cwc-website to read & write data, enforce auth, role-based access policies, and business rules/logic
- cwc-dashboard: an administrative web dashboard app for site owners to manage the app & data
- cwc-admin-api: the admin and data api used by the cwc-dashboard app
- cwc-database: database scripts to create tables, indexes, views, as well as insert configuration data
- cwc-schema: shared schema management library that may be used by frontend and backend packages
- cwc-sql: the only backend service that interacts directly with the database server, uses schema to dynamically generate sql statements
- cwc-e2e: a set of end-to-end tests

Tech Stack: to be determined as we build each package, update this documentation as we go.

Development Tooling & Infrastructure

Monorepo Management

pnpm v9.x + Turborepo v2.x

pnpm workspaces for package management and dependency resolution
- Configured in pnpm-workspace.yaml
- Packages located in packages/*
- Uses content-addressable storage for disk efficiency
- Strict dependency resolution prevents phantom dependencies
Turborepo for task orchestration and caching
- Configured in turbo.json
- Intelligent parallel execution based on dependency graph
- Local caching for faster rebuilds
- Pipeline tasks: build, dev, test, lint, typecheck

Node.js Version

Node.js 22 LTS (specified in .nvmrc)
Required for all development and production environments
Use nvm for version management

Code Quality Tools

TypeScript v5.4+

Configured in tsconfig.base.json
Strict mode enabled with enhanced type checking
JavaScript explicitly disallowed (allowJs: false)
Monorepo-optimized with composite projects
Individual packages extend base config

Module Resolution: bundler

Uses "moduleResolution": "bundler" in tsconfig.base.json
Uses "module": "ES2022" (required for bundler resolution)
Allows clean TypeScript imports without .js extensions
- ✅ Correct: import { Schema } from './types'
- ❌ Not needed: import { Schema } from './types.js'
Still produces correct ES module output in compiled JavaScript
Designed for TypeScript projects compiled by tsc or bundlers

Why bundler over NodeNext:

Better DX: No .js extensions in TypeScript source files
Modern standard: Industry standard for TypeScript libraries and monorepos
Same output: Still generates proper ES modules (.js files)
No trade-offs: Type safety and module compatibility maintained

ESLint v8.x with TypeScript

Configured in .eslintrc.json
Uses @typescript-eslint/strict ruleset
Enforces explicit function return types
Prohibits any type and non-null assertions
Strict boolean expressions required

Prettier v3.x

Configured in .prettierrc.json
Standards:
- Single quotes
- 2-space indentation
- 100 character line width
- Trailing commas (ES5)
- LF line endings

Root Scripts

Run from monorepo root using pnpm:

pnpm build - Build all packages (parallel, cached)
pnpm dev - Run all packages in dev mode
pnpm test - Run tests across all packages (parallel, cached)
pnpm lint - Lint all packages (parallel, cached)
pnpm typecheck - Type-check all packages (parallel, cached)
pnpm format - Format all files with Prettier
pnpm format:check - Check formatting without changes

Development Workflow

Before starting work:
- Ensure Node 22 is active: nvm use
- Install dependencies: pnpm install
During development:
- Run dev mode: pnpm dev (in specific package or root)
- Format code: pnpm format
Before committing:
- Type-check: pnpm typecheck
- Lint: pnpm lint
- Format check: pnpm format:check
- Run tests: pnpm test

Package Creation Conventions

When creating a new package in the monorepo:

Version Number: Always start new packages at version 1.0.0 (not 0.0.1)
- Example: "version": "1.0.0" in package.json
- This is a project preference for consistency
Package Structure:
- Follow existing package patterns (see cwc-types as reference)
- Include package.json, tsconfig.json extending base config
- Place source files in src/ directory
- Include appropriate build and typecheck scripts
Package Entry Points (CRITICAL - bundler resolution):
- Point main, types, and exports to ./src/index.ts (NOT ./dist)
- With bundler module resolution, we reference TypeScript source directly
- Example:
```
"main": "./src/index.ts",
"types": "./src/index.ts",
"exports": {
  ".": {
    "types": "./src/index.ts",
    "default": "./src/index.ts"
  }
}
```
- ❌ NEVER use ./dist/index.js or ./dist/index.d.ts
Package Naming:
- Use cwc- prefix for all CWC packages
- Use kebab-case: cwc-types, cwc-backend-utils, etc.
Package Documentation:
- Create packages/{package-name}/CLAUDE.md for package-specific patterns and conventions
- Document architecture decisions, design patterns, and critical implementation details
- Keep package docs focused on information needed for AI-assisted coding
Add Package Shortcut Script:
- Add a shortcut script to root package.json for the new package
- Format: "package-name-shortcut": "pnpm --filter cwc-package-name"
- Example: "backend-utils": "pnpm --filter cwc-backend-utils"
- This allows simplified commands: pnpm backend-utils add express instead of pnpm --filter cwc-backend-utils add express
- Keep shortcuts in alphabetical order in the scripts section

Key Architectural Decisions & Patterns

MariaDB Database

Strong Schema Enforcement
Transaction support
Efficient Joins
Data normalization
Sophisticated Querying and Analytics

Details: See packages/cwc-database/CLAUDE.md for complete database schema conventions.

TypeScript

Strict mode enabled (strict: true)
Shared types in cwc-types package; duplicating types in separate projects leads to inconsistencies, incompatibility, confusion, and extra work
Never use any - prefer unknown if type is truly unknown
Use string literal union types, not enums
Use type for entity definitions, not interface
Use undefined, never null - simplifies code by avoiding explicit checks for both values; aligns with TypeScript's optional property syntax (field?: string)
Run typecheck before committing

Details: See packages/cwc-types/CLAUDE.md for complete TypeScript patterns and type generation.

Path Construction (Searchability)

Use concatenated path strings in path.join() for better searchability:

// ✅ GOOD - searchable for "deployment/servers.json"
path.join(secretsPath, 'deployment/servers.json')

// ❌ AVOID - searching for "deployment/servers.json" won't find this
path.join(secretsPath, 'deployment', 'servers.json')

Exception: Directory navigation with .. should remain segmented:

// This is fine - navigating up directories
path.join(__dirname, '..', '..', 'templates')

Naming Conventions for Configuration Values

Clarity is critical for maintainability. Configuration names should clearly indicate:

What the value is for (its purpose)
Where it's used (which service/context)

Examples:

sqlClientApiKey - Clear: API key for SQL Client authentication
authenticationPublicKey - Unclear: Could apply to any auth system

Cloud-Agnostic Microservices

CWC uses a microservices architecture deployed as Docker containers potentially deployed across multiple datacenters.

Vendor lock-in is a real business risk. Cloud providers can change pricing, deny service access, or deprecate features at any time.
Cloud-agnostic microservices architecture allows switching hosting providers with minimal effort.
Preparation for Scale - can scale by adding infrastructure (more containers, load balancers) rather than rewriting code and specific services can be scaled based on actual load patterns

Environment Configuration

NODE_ENV vs RUNTIME_ENVIRONMENT:

Variable	Purpose	Set By	Values
`NODE_ENV`	Build-time behavior	npm/bundlers	`development`, `production`, `test`
`RUNTIME_ENVIRONMENT`	Application runtime behavior	CWC deployment	`dev`, `test`, `prod`, `unit`, `e2e`

NODE_ENV (npm/Node.js ecosystem):

Controls build optimizations (minification, tree-shaking)
Affects dependency installation behavior
CWC does NOT read this in application config

RUNTIME_ENVIRONMENT (CWC application):

Controls application behavior (email sending, error verbosity, feature flags)
Type: RuntimeEnvironment from cwc-types
CWC config system reads this via loadConfig()

Rules:

Test scripts: RUNTIME_ENVIRONMENT=unit jest (not NODE_ENV=unit)
Backend config: Always read RUNTIME_ENVIRONMENT, never NODE_ENV
Each package reads configuration from .env file tailored to the runtime environment

Development Process

Tool, Framework, Version selection

mainstream, widely accepted, and thoroughly tested & proven tools only
the desire is to use the latest stable versions of the various tools

Adopt a "roll-your-own" mentality

we want to minimize the number of unnecessary dependencies to avoid headaches when upgrading our core tech stack
when it makes sense, we will build our own components and utilities rather than relying on a 3rd party package

Code Review Workflow Patterns

CRITICAL: When the developer provides comprehensive code review feedback and requests step-by-step discussion.

Developer Should Continue Providing Comprehensive Feedback Lists

Encourage the developer to provide ALL feedback items in a single comprehensive list. This is highly valuable because:

Gives full context about scope of changes
Allows identification of dependencies between issues
Helps spot patterns across multiple points
More efficient than addressing issues one at a time

Never discourage comprehensive feedback. The issue is not the list size, but how Claude Code presents the response.

Recognize Step-by-Step Request Signals

When the developer says any of these phrases:

"review each of these in order step by step"
"discuss each point one by one"
"let's go through these one at a time"
"walk me through each item"

This is a request for ITERATIVE discussion, not a comprehensive dump of all analysis.

Step-by-Step Review Pattern (Default for Code Reviews)

When developer provides comprehensive feedback with step-by-step request:

✅ Correct approach:

Present ONLY Point 1 with:
- The developer's original feedback for that point
- Claude's analysis and thoughts
- Any clarifying questions needed
- Recommendation for what to do
Wait for developer response and engage in discussion if needed
After Point 1 is resolved, present Point 2 using same format
Continue iteratively through all points
After all points discussed, ask "Ready to implement?" and show summary of agreed changes

Message format for each point:

## Point N: [Topic Name]

**Your Feedback:**
[Quote the developer's original feedback for this point]

**My Analysis:**
[Thoughts on this specific point only]

**Questions:** [If clarification needed]
- Question 1?
- Question 2?

**Recommendation:**
[What Claude thinks should be done]

---
*Waiting for your thoughts on Point N before moving to Point N+1.*

❌ What NOT to do:

Present all 10-15 points with full analysis at once
Make the developer reference "Point 7" or scroll to find what they want to discuss
Skip the iterative conversation pattern when explicitly requested

Alternative: Full Analysis First Pattern

Only use this pattern when developer explicitly requests it:

Developer says:

"Give me your analysis on all points first"
"Show me all your recommendations, then we'll discuss"
"I want to see the big picture before deciding"

In this case:

Present comprehensive analysis of all points
Wait for developer to identify which points need discussion
Focus conversation only on points developer has questions about

Benefits of Step-by-Step Pattern

Easy to follow: Each message is focused on one decision
Encourages discussion: Natural to discuss one topic at a time
No reference confusion: No need to say "regarding Point 7..."
Clear progress: Both parties know exactly where we are in the review
Better decisions: Focused attention leads to better analysis

Implementation Phase

After all review points are discussed and decisions made:

Summarize all agreed changes in a checklist format
Ask for explicit approval to proceed: "Ready to implement these changes?"
Proceed with implementation in logical groups
Update documentation if patterns/learnings emerged during review

never log config.secrets, these values are always REDACTED

Version 3 (latest)

CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

CRITICAL: Role and Professional Standards

It is assumed, and imperative, that as a senior engineer, you will do your due diligence:

Required Due Diligence for Every Task

Before proposing any design, architecture, or implementation:

Read all relevant package CLAUDE.md files
- If touching database → read packages/cwc-database/CLAUDE.md
- If defining/modifying types → read packages/cwc-types/CLAUDE.md
- If working with any package → read that package's CLAUDE.md file
- Package-specific conventions MUST be followed
Examine existing code in all affected packages
- Check for existing types, schemas, or utilities before proposing new ones
- Understand established patterns and conventions
- Identify dependencies between packages
Understand the full scope
- Identify all packages affected by the feature or change
- Consider both direct changes and indirect impacts (shared types, utilities, etc.)
- Plan across package boundaries, not in isolation

Cross-Package Feature Planning

When working on features that span multiple packages:

Discovery phase first - Survey the landscape before designing
Read documentation - All relevant package CLAUDE.md files
Examine existing implementations - Check for related code/patterns
Design within constraints - Follow established conventions
Present context with design - Show what you reviewed and how your design follows patterns

Package-Specific Documentation

Claude Code automatically loads all CLAUDE.md files recursively. When working in a specific package or on package-specific tasks, refer to these package documentation files for detailed guidance:

cwc-types → packages/cwc-types/CLAUDE.md
- Type generation from database schema
- Entity type patterns (Strict Base + Partial)
- Union type naming conventions
- Request-scoped caching patterns
cwc-database → packages/cwc-database/CLAUDE.md
- Database schema conventions
- Table/index/view naming patterns
- Migration script patterns
- Database design patterns (JWT tables, multi-step processes, etc.)
cwc-deployment → packages/cwc-deployment/CLAUDE.md
- Deployment system architecture
- SSH-based deployment workflows
- Docker container management
- Troubleshooting and error handling
cwc-schema → packages/cwc-schema/CLAUDE.md
- Schema definition patterns
- Runtime validation functions
- Hybrid validation with Zod
- Column type definitions
cwc-utils → packages/cwc-utils/CLAUDE.md
- Shared utilities (browser + Node.js)
- Profanity checking and content filtering
- Cross-platform compatibility guidelines
- Adding new utilities

Project Overview

What is codingwithclaude?

Project name & aliases

In this document and prompts from the developer, all of these names or phrases are assumed to refer to the project:

coding-with-claude-application
codingwithclaude
coding-with-claude
CWC or cwc

Proactive Documentation Philosophy

CRITICAL: This file is a living knowledge base that must be continuously updated.

Every gap discovered during planning or analysis → Document the pattern to prevent future occurrences
Every critical instruction from the developer → Add to relevant sections immediately
Every "I forgot to do X" moment → Create a checklist or rule to prevent repetition
Every architectural pattern learned → Document it for consistency
Every planning session insight → Capture the learning before implementation begins

When to update CLAUDE.md:

DURING planning sessions - This is where most learning happens through analysis, feedback, and corrections
After receiving critical feedback - Document the expectation immediately
After discovering a bug or oversight - Add checks/rules to prevent it
After analysis reveals gaps - Document what to check in the future
When the developer explains "this is how we do X" - Add it to the guide
After implementing a new feature - Capture any additional patterns discovered during execution

Package-Specific Documentation: When learning package-specific patterns, update the appropriate package CLAUDE.md file, not this root file.

CLAUDE.md File Specification

Purpose: CLAUDE.md files are memory files for AI assistants (like Claude Code), NOT documentation for human developers.

What CLAUDE.md IS for:

Architectural patterns and critical design decisions
Code conventions, naming rules, and style preferences
What to check during planning sessions
Lessons learned and mistakes to avoid
Project-specific security rules and compliance requirements
Critical implementation patterns that must be followed
"If you see X, always do Y" type rules
Checklists for common operations

What CLAUDE.md is NOT for (belongs in README.md):

API documentation and endpoint specifications
Usage examples and tutorials for humans
Setup and installation instructions
General explanations and marketing copy
Step-by-step guides and how-tos
Detailed configuration walkthroughs
Complete type definitions (already in code)
Performance tuning guides for users

File Size Targets:

Warning threshold: 40,000 characters per file (Claude Code performance degrades)
Recommended: Keep under 500 lines when possible for fast loading
Best practice: If a package CLAUDE.md approaches 300-400 lines, review for README-style content
For large packages: Use concise bullet points; move examples to README

Content Guidelines:

Be specific and actionable: "Use 2-space indentation" not "Format code properly"
Focus on patterns: Show the pattern, explain when to use it
Include context for decisions: Why this approach, not alternatives
Use code examples sparingly: Only when pattern is complex
Keep it scannable: Bullet points and clear headers

CLAUDE.md vs README.md:

CLAUDE.md	README.md
For AI assistants	For human developers
Patterns and rules	Complete documentation
What to check/avoid	How to use and setup
Concise and focused	Comprehensive and detailed
Loaded on every session	Read when needed

Documentation Organization in Monorepos

Critical learnings about Claude Code documentation structure:

Claude Code automatically loads all CLAUDE.md files recursively:
- Reads CLAUDE.md in current working directory
- Recurses upward to parent directories (stops at workspace root)
- Discovers nested CLAUDE.md files in subdirectories
- All files are loaded together - they complement, not replace each other
Package-specific CLAUDE.md is the standard pattern for monorepos:
- Root CLAUDE.md contains monorepo-wide conventions (tooling, git workflow, shared patterns)
- Package CLAUDE.md contains package-specific patterns (database schema, deployment, type generation)
- Working from any directory loads both root and relevant package docs automatically
Performance limit: 40,000 characters per file:
- Claude Code shows performance warning when CLAUDE.md exceeds 40k characters
- Solution: Split into package-specific files, not multiple files in .claude/ directory
- Only CLAUDE.md files are automatically loaded; other .md files in .claude/ are NOT
Optimize for AI-assisted coding, not human readers:
- Include patterns, conventions, code examples, and strict rules
- Include "what to check during planning" and "lessons learned" sections
- Exclude content primarily for human developers (marketing copy, general explanations)
- Focus on actionable information needed during coding sessions

When to create package CLAUDE.md:

Package has unique architectural patterns
Package has specific conventions (schema rules, deployment procedures)
Package has domain-specific knowledge (auth flows, type generation)
Package documentation would exceed ~500 lines in root file

File Access Restrictions and Security Boundaries

Claude Code operates under strict file access restrictions to protect sensitive data:

Workspace Boundaries

Claude Code can ONLY access files within the monorepo root: ./coding-with-claude-application
No access to parent directories, system files, or files outside this workspace
This is enforced by Claude Code's security model

Prohibited File Access

Claude Code is explicitly blocked from reading or writing:

Environment files:
- .env files at any location
- .env.* files (e.g., .env.local, .env.production, .env.dev)
- *.env files (e.g., prod.cwc-sql.env, dev.cwc-storage.env, test.cwc-app.env)
- Any variation of environment configuration files
Secret and credential files:
- Any directory named secrets/, secret/, or private/
- Any directory with secret, secrets, or private in its path
- Any file with secret, secrets, private, or credentials in its filename
- Service account JSON files (service-account-*.json)
- Firebase configuration files (google-services.json, GoogleService-Info.plist)
- Any file matching *credentials*.json
Rationale:
- Prevents accidental exposure of API keys, database passwords, and authentication tokens
- Protects production credentials and service account keys
- Reduces risk of sensitive data being included in code examples or logs
- Enforces principle of least privilege

These restrictions are enforced in .claude/settings.json and cannot be overridden during a session.

Git Workflow

The developer handles all git operations manually. Claude should:

Never initiate git commits, pushes, pulls, or any write operations
Only use git for read-only informational purposes (status, diff, log, show)
Not proactively suggest git operations unless explicitly asked

Git write operations are blocked in .claude/settings.json to enforce this workflow.

Architecture Overview

Monorepo Structure (future plan)

root project: /coding-with-claude-application
packages (apps, microservices, utilities):
- cwc-types: shared TypeScript types to be used in all other packages
- cwc-utils: shared utilities for browser and Node.js (profanity checking, validation helpers, etc.)
- cwc-deployment: custom deployment CLI for SSH-based deployment to remote servers
- cwc-backend-utils: shared Node.js utilities that backend/api packages will consume
- cwc-website: public frontend end web application
- cwc-auth: authentication microservice, providing login, logout, signup, password reset, etc.
- cwc-api: the main data api used by cwc-website to read & write data, enforce auth, role-based access policies, and business rules/logic
- cwc-dashboard: an administrative web dashboard app for site owners to manage the app & data
- cwc-admin-api: the admin and data api used by the cwc-dashboard app
- cwc-database: database scripts to create tables, indexes, views, as well as insert configuration data
- cwc-schema: shared schema management library that may be used by frontend and backend packages
- cwc-sql: the only backend service that interacts directly with the database server, uses schema to dynamically generate sql statements
- cwc-e2e: a set of end-to-end tests

Tech Stack: to be determined as we build each package, update this documentation as we go.

Development Tooling & Infrastructure

Monorepo Management

pnpm v9.x + Turborepo v2.x

pnpm workspaces for package management and dependency resolution
- Configured in pnpm-workspace.yaml
- Packages located in packages/*
- Uses content-addressable storage for disk efficiency
- Strict dependency resolution prevents phantom dependencies
Turborepo for task orchestration and caching
- Configured in turbo.json
- Intelligent parallel execution based on dependency graph
- Local caching for faster rebuilds
- Pipeline tasks: build, dev, test, lint, typecheck

Node.js Version

Node.js 22 LTS (specified in .nvmrc)
Required for all development and production environments
Use nvm for version management

Code Quality Tools

TypeScript v5.4+

Configured in tsconfig.base.json
Strict mode enabled with enhanced type checking
JavaScript explicitly disallowed (allowJs: false)
Monorepo-optimized with composite projects
Individual packages extend base config

Module Resolution: bundler

Uses "moduleResolution": "bundler" in tsconfig.base.json
Uses "module": "ES2022" (required for bundler resolution)
Allows clean TypeScript imports without .js extensions
- ✅ Correct: import { Schema } from './types'
- ❌ Not needed: import { Schema } from './types.js'
Still produces correct ES module output in compiled JavaScript
Designed for TypeScript projects compiled by tsc or bundlers

Why bundler over NodeNext:

Better DX: No .js extensions in TypeScript source files
Modern standard: Industry standard for TypeScript libraries and monorepos
Same output: Still generates proper ES modules (.js files)
No trade-offs: Type safety and module compatibility maintained

ESLint v8.x with TypeScript

Configured in .eslintrc.json
Uses @typescript-eslint/strict ruleset
Enforces explicit function return types
Prohibits any type and non-null assertions
Strict boolean expressions required

Prettier v3.x

Configured in .prettierrc.json
Standards:
- Single quotes
- 2-space indentation
- 100 character line width
- Trailing commas (ES5)
- LF line endings

Root Scripts

Run from monorepo root using pnpm:

pnpm build - Build all packages (parallel, cached)
pnpm dev - Run all packages in dev mode
pnpm test - Run tests across all packages (parallel, cached)
pnpm lint - Lint all packages (parallel, cached)
pnpm typecheck - Type-check all packages (parallel, cached)
pnpm format - Format all files with Prettier
pnpm format:check - Check formatting without changes

Development Workflow

Before starting work:
- Ensure Node 22 is active: nvm use
- Install dependencies: pnpm install
During development:
- Run dev mode: pnpm dev (in specific package or root)
- Format code: pnpm format
Before committing:
- Type-check: pnpm typecheck
- Lint: pnpm lint
- Format check: pnpm format:check
- Run tests: pnpm test

Package Creation Conventions

When creating a new package in the monorepo:

Version Number: Always start new packages at version 1.0.0 (not 0.0.1)
- Example: "version": "1.0.0" in package.json
- This is a project preference for consistency
Package Structure:
- Follow existing package patterns (see cwc-types as reference)
- Include package.json, tsconfig.json extending base config
- Place source files in src/ directory
- Include appropriate build and typecheck scripts
Package Entry Points (CRITICAL - bundler resolution):
- Point main, types, and exports to ./src/index.ts (NOT ./dist)
- With bundler module resolution, we reference TypeScript source directly
- Example:
```
"main": "./src/index.ts",
"types": "./src/index.ts",
"exports": {
  ".": {
    "types": "./src/index.ts",
    "default": "./src/index.ts"
  }
}
```
- ❌ NEVER use ./dist/index.js or ./dist/index.d.ts
Package Naming:
- Use cwc- prefix for all CWC packages
- Use kebab-case: cwc-types, cwc-backend-utils, etc.
Package Documentation:
- Create packages/{package-name}/CLAUDE.md for package-specific patterns and conventions
- Document architecture decisions, design patterns, and critical implementation details
- Keep package docs focused on information needed for AI-assisted coding
Add Package Shortcut Script:
- Add a shortcut script to root package.json for the new package
- Format: "package-name-shortcut": "pnpm --filter cwc-package-name"
- Example: "backend-utils": "pnpm --filter cwc-backend-utils"
- This allows simplified commands: pnpm backend-utils add express instead of pnpm --filter cwc-backend-utils add express
- Keep shortcuts in alphabetical order in the scripts section

Key Architectural Decisions & Patterns

MariaDB Database

Strong Schema Enforcement
Transaction support
Efficient Joins
Data normalization
Sophisticated Querying and Analytics

Details: See packages/cwc-database/CLAUDE.md for complete database schema conventions.

TypeScript

Strict mode enabled (strict: true)
Shared types in cwc-types package; duplicating types in separate projects leads to inconsistencies, incompatibility, confusion, and extra work
Never use any - prefer unknown if type is truly unknown
Use string literal union types, not enums
Use type for entity definitions, not interface
Use undefined, never null - simplifies code by avoiding explicit checks for both values; aligns with TypeScript's optional property syntax (field?: string)
Run typecheck before committing

Details: See packages/cwc-types/CLAUDE.md for complete TypeScript patterns and type generation.

Path Construction (Searchability)

Use concatenated path strings in path.join() for better searchability:

// ✅ GOOD - searchable for "deployment/servers.json"
path.join(secretsPath, 'deployment/servers.json')

// ❌ AVOID - searching for "deployment/servers.json" won't find this
path.join(secretsPath, 'deployment', 'servers.json')

Exception: Directory navigation with .. should remain segmented:

// This is fine - navigating up directories
path.join(__dirname, '..', '..', 'templates')

Naming Conventions for Configuration Values

Clarity is critical for maintainability. Configuration names should clearly indicate:

What the value is for (its purpose)
Where it's used (which service/context)

Examples:

sqlClientApiKey - Clear: API key for SQL Client authentication
authenticationPublicKey - Unclear: Could apply to any auth system

Package-specific prefixes: When a configuration value is only used by one package, prefix it with the package context to avoid ambiguity:

storageLogPath / STORAGE_LOG_PATH - Clear: log path for cwc-storage
logPath / LOG_PATH - Unclear: which service uses this?

Secret and API Key Generation

Use crypto.randomBytes() for generating secrets and API keys:

import crypto from 'crypto';

// Generate a 256-bit (32-byte) cryptographically secure random key
const apiKey = crypto.randomBytes(32).toString('hex'); // 64-character hex string

This produces cryptographically secure random values suitable for:

API keys (e.g., STORAGE_API_KEY)
JWT secrets (e.g., USER_JWT_SECRET)
Any symmetric secret requiring high entropy

Cloud-Agnostic Microservices

CWC uses a microservices architecture deployed as Docker containers potentially deployed across multiple datacenters.

Vendor lock-in is a real business risk. Cloud providers can change pricing, deny service access, or deprecate features at any time.
Cloud-agnostic microservices architecture allows switching hosting providers with minimal effort.
Preparation for Scale - can scale by adding infrastructure (more containers, load balancers) rather than rewriting code and specific services can be scaled based on actual load patterns

Environment Configuration

NODE_ENV vs RUNTIME_ENVIRONMENT:

Variable	Purpose	Set By	Values
`NODE_ENV`	Build-time behavior	npm/bundlers	`development`, `production`, `test`
`RUNTIME_ENVIRONMENT`	Application runtime behavior	CWC deployment	`dev`, `test`, `prod`, `unit`, `e2e`

NODE_ENV (npm/Node.js ecosystem):

Controls build optimizations (minification, tree-shaking)
Affects dependency installation behavior
CWC does NOT read this in application config

RUNTIME_ENVIRONMENT (CWC application):

Controls application behavior (email sending, error verbosity, feature flags)
Type: RuntimeEnvironment from cwc-types
CWC config system reads this via loadConfig()

Rules:

Test scripts: RUNTIME_ENVIRONMENT=unit jest (not NODE_ENV=unit)
Backend config: Always read RUNTIME_ENVIRONMENT, never NODE_ENV
Each package reads configuration from .env file tailored to the runtime environment

Development Process

Tool, Framework, Version selection

mainstream, widely accepted, and thoroughly tested & proven tools only
the desire is to use the latest stable versions of the various tools

Adopt a "roll-your-own" mentality

we want to minimize the number of unnecessary dependencies to avoid headaches when upgrading our core tech stack
when it makes sense, we will build our own components and utilities rather than relying on a 3rd party package

Code Review Workflow Patterns

CRITICAL: When the developer provides comprehensive code review feedback and requests step-by-step discussion.

Developer Should Continue Providing Comprehensive Feedback Lists

Encourage the developer to provide ALL feedback items in a single comprehensive list. This is highly valuable because:

Gives full context about scope of changes
Allows identification of dependencies between issues
Helps spot patterns across multiple points
More efficient than addressing issues one at a time

Never discourage comprehensive feedback. The issue is not the list size, but how Claude Code presents the response.

Recognize Step-by-Step Request Signals

When the developer says any of these phrases:

"review each of these in order step by step"
"discuss each point one by one"
"let's go through these one at a time"
"walk me through each item"

This is a request for ITERATIVE discussion, not a comprehensive dump of all analysis.

Step-by-Step Review Pattern (Default for Code Reviews)

When developer provides comprehensive feedback with step-by-step request:

✅ Correct approach:

Present ONLY Point 1 with:
- The developer's original feedback for that point
- Claude's analysis and thoughts
- Any clarifying questions needed
- Recommendation for what to do
Wait for developer response and engage in discussion if needed
After Point 1 is resolved, present Point 2 using same format
Continue iteratively through all points
After all points discussed, ask "Ready to implement?" and show summary of agreed changes

Message format for each point:

## Point N: [Topic Name]

**Your Feedback:**
[Quote the developer's original feedback for this point]

**My Analysis:**
[Thoughts on this specific point only]

**Questions:** [If clarification needed]
- Question 1?
- Question 2?

**Recommendation:**
[What Claude thinks should be done]

---
*Waiting for your thoughts on Point N before moving to Point N+1.*

❌ What NOT to do:

Present all 10-15 points with full analysis at once
Make the developer reference "Point 7" or scroll to find what they want to discuss
Skip the iterative conversation pattern when explicitly requested

Alternative: Full Analysis First Pattern

Only use this pattern when developer explicitly requests it:

Developer says:

"Give me your analysis on all points first"
"Show me all your recommendations, then we'll discuss"
"I want to see the big picture before deciding"

In this case:

Present comprehensive analysis of all points
Wait for developer to identify which points need discussion
Focus conversation only on points developer has questions about

Benefits of Step-by-Step Pattern

Easy to follow: Each message is focused on one decision
Encourages discussion: Natural to discuss one topic at a time
No reference confusion: No need to say "regarding Point 7..."
Clear progress: Both parties know exactly where we are in the review
Better decisions: Focused attention leads to better analysis

Implementation Phase

After all review points are discussed and decisions made:

Summarize all agreed changes in a checklist format
Ask for explicit approval to proceed: "Ready to implement these changes?"
Proceed with implementation in logical groups
Update documentation if patterns/learnings emerged during review

never log config.secrets, these values are always REDACTED

packages/cwc-auth/CLAUDE.md

2 versions

Version 1

cwc-auth Package

Authentication microservice for CWC application. Provides user authentication via JWT tokens with HS256 symmetric signing.

Architecture

Database-Connected Microservice:

Uses SqlClient from cwc-backend-utils to communicate with cwc-sql
Uses database-backed Logger for error logging
Authenticates users via username/password
Issues HS256-signed JWTs stored in userJwt table

Authentication Model:

User credentials validated against user table
JWT session tracked in userJwt table (userJwtId UUID)
Session invalidation via hard delete of userJwt record
KULO (keep-user-logged-on) extends JWT expiry from 15m to 30d

API Routes

LogonApiV1 (`/auth/v1`)

Route	Method	Auth Required	Description
`/auth/v1/logon`	POST	No	Authenticate user, issue JWT
`/auth/v1/logoff`	POST	Yes (JWT)	Invalidate session

ServiceApiV1 (`/auth/v1`)

Route	Method	Auth Required	Description
`/auth/v1/renew-session`	POST	Yes (JWT)	Renew JWT with fresh claims

JWT Payload Structure

import type { CwcLoginClaims } from 'cwc-types';

type UserJwtPayload = {
  // Standard JWT claims
  jti: string; // userJwtId (UUID) - references userJwt table
  sub: number; // userPkId
  iat: number; // Issued at
  exp: number; // Expiration

  // Custom claims
  login: CwcLoginClaims;
};

// CwcLoginClaims from cwc-types:
type CwcLoginClaims = {
  username: string;
  deviceId: string;
  userJwtId: string;      // Same as jti, for convenience
  loginType: CwcLoginType; // 'cwc' | 'facebook' | 'google'
  kulo: boolean;          // Keep-user-logged-on flag
  ownedProjects: string[]; // Array of projectId (natural keys)
  isGuestUser: boolean;   // Always false for authenticated users
};

Design Notes:

CwcLoginClaims is defined in cwc-types for sharing across packages
userJwtId is duplicated in both jti and login.userJwtId for convenience when accessing login without the outer payload
isGuestUser is always false in JWTs (only true for client-side guest login objects)

Response Pattern

All auth endpoints return AuthRouteHandlerResponse:

type AuthRouteHandlerResponse = {
  statusCode: 200 | 401;
  data: {
    success: boolean;
    loggedOff?: boolean;
    jwtType: 'user' | 'temp' | undefined;
    // Dev-only error details
    errorCode?: string;
    errorDetail?: string;
  };
  jwt: string | undefined;
};

Configuration Pattern

Follows cwc-storage pattern:

Config in src/config/ folder with 3 files
Uses shared helpers from cwc-backend-utils
Adapter function converts to BackendUtilsConfig for Express service

Required Environment Variables:

RUNTIME_ENVIRONMENT=dev
SERVICE_PORT=5005
DATA_URI=http://localhost:5001/data/v1
APP_URL=http://localhost:3000
CORS_ORIGIN=http://localhost:3000
USER_JWT_SECRET=...
USER_JWT_EXPIRES_IN=15m
USER_JWT_EXPIRES_IN_KULO=30d
TEMP_JWT_SECRET=...
TEMP_JWT_EXPIRES_IN=5m
RATE_LIMITER_POINTS=15
RATE_LIMITER_DURATION=1
DEBUG_MODE=ON
LOG_ERRORS_TO_DATABASE=ON
SERVICE_API_ALLOWED_IPS=127.0.0.1,192.168.1.1

Error Handling

Production Mode:

Generic error responses for all auth failures
Never reveal whether username exists

Development Mode:

Detailed error codes: USER_NOT_FOUND, INVALID_PASSWORD, JWT_EXPIRED, etc.
Human-readable error descriptions for debugging

Security Patterns

Password Verification:

Uses bcrypt for timing-safe password comparison
Same error response for invalid user vs invalid password

JWT Security:

HS256 symmetric signing (same secret for signing and verification)
Short-lived tokens (15m default) with optional KULO (30d)
Session stored in database for revocation capability

Service API Protection:

IP whitelist for /renew-session endpoint
Only internal services (cwc-api) can renew sessions

Session Renewal Flow

When cwc-api creates/deletes a project:

cwc-api performs the database operation
cwc-api calls /auth/v1/renew-session with user's current JWT
cwc-auth re-queries projectOwner table for fresh ownedProjects
cwc-auth issues new JWT with updated claims
cwc-api returns new JWT to client

SqlClient Usage Notes

Never provide createdDate or modifiedDate - handled by cwc-sql/database automatically.

Related Packages

Depends On:

cwc-backend-utils (workspace) - SqlClient, Logger, Express service factory
cwc-types (workspace) - Entity types, RuntimeEnvironment

Consumed By:

cwc-api - Validates user JWTs, calls renew-session
cwc-website - Calls logon/logoff endpoints

Version 2 (latest)

cwc-auth Package

Authentication microservice for CWC application. Provides user authentication via JWT tokens with HS256 symmetric signing.

Architecture

Database-Connected Microservice:

Uses SqlClient from cwc-backend-utils to communicate with cwc-sql
Uses database-backed Logger for error logging
Authenticates users via username/password
Issues HS256-signed JWTs stored in userJwt table

Authentication Model:

User credentials validated against user table
JWT session tracked in userJwt table (userJwtId UUID)
Session invalidation via hard delete of userJwt record
KULO (keep-user-logged-on) extends JWT expiry from 15m to 30d

API Routes

LogonApiV1 (`/auth/v1`)

Route	Method	Auth Required	Description
`/auth/v1/logon`	POST	No	Authenticate user, issue JWT
`/auth/v1/logoff`	POST	Yes (JWT)	Invalidate session

ServiceApiV1 (`/auth/v1`)

Route	Method	Auth Required	Description
`/auth/v1/renew-session`	POST	Yes (JWT)	Renew JWT with fresh claims

JWT Payload Structure

import type { CwcLoginClaims } from 'cwc-types';

type UserJwtPayload = {
  // Standard JWT claims
  jti: string; // userJwtId (UUID) - references userJwt table
  sub: number; // userPkId
  iat: number; // Issued at
  exp: number; // Expiration

  // Custom claims
  login: CwcLoginClaims;
};

// CwcLoginClaims from cwc-types:
type CwcLoginClaims = {
  username: string;
  deviceId: string;
  userJwtId: string;      // Same as jti, for convenience
  loginType: CwcLoginType; // 'cwc' | 'facebook' | 'google'
  kulo: boolean;          // Keep-user-logged-on flag
  ownedProjects: string[]; // Array of projectId (natural keys)
  isGuestUser: boolean;   // Always false for authenticated users
};

Design Notes:

CwcLoginClaims is defined in cwc-types for sharing across packages
userJwtId is duplicated in both jti and login.userJwtId for convenience when accessing login without the outer payload
isGuestUser is always false in JWTs (only true for client-side guest login objects)

Response Pattern

All auth endpoints return AuthRouteHandlerResponse:

type AuthRouteHandlerResponse = {
  statusCode: 200 | 401;
  data: {
    success: boolean;
    loggedOff?: boolean;
    jwtType: 'user' | 'temp' | undefined;
    // Dev-only error details
    errorCode?: string;
    errorDetail?: string;
  };
  jwt: string | undefined;
};

Configuration Pattern

Follows cwc-storage pattern:

Config in src/config/ folder with 3 files
Uses shared helpers from cwc-backend-utils
Adapter function converts to BackendUtilsConfig for Express service

Required Environment Variables:

RUNTIME_ENVIRONMENT=dev
SERVICE_PORT=5005
DATA_URI=http://localhost:5001/data/v1
APP_URL=http://localhost:3000
CORS_ORIGIN=http://localhost:3000
USER_JWT_SECRET=...
USER_JWT_EXPIRES_IN=15m
USER_JWT_EXPIRES_IN_KULO=30d
TEMP_JWT_SECRET=...
TEMP_JWT_EXPIRES_IN=5m
RATE_LIMITER_POINTS=15
RATE_LIMITER_DURATION=1
DEBUG_MODE=ON
LOG_ERRORS_TO_DATABASE=ON

Error Handling

Production Mode:

Generic error responses for all auth failures
Never reveal whether username exists

Development Mode:

Detailed error codes: USER_NOT_FOUND, INVALID_PASSWORD, JWT_EXPIRED, etc.
Human-readable error descriptions for debugging

Security Patterns

Password Verification:

Uses bcrypt for timing-safe password comparison
Same error response for invalid user vs invalid password

JWT Security:

HS256 symmetric signing (same secret for signing and verification)
Short-lived tokens (15m default) with optional KULO (30d)
Session stored in database for revocation capability

Service API Protection:

Docker network isolation ensures only internal services can reach ServiceApiV1
JWT validation required for all service API calls
Only internal services (cwc-api) can renew sessions

Session Renewal Flow

When cwc-api creates/deletes a project:

cwc-api performs the database operation
cwc-api calls /auth/v1/renew-session with user's current JWT
cwc-auth re-queries projectOwner table for fresh ownedProjects
cwc-auth issues new JWT with updated claims
cwc-api returns new JWT to client

SqlClient Usage Notes

Never provide createdDate or modifiedDate - handled by cwc-sql/database automatically.

Related Packages

Depends On:

cwc-backend-utils (workspace) - SqlClient, Logger, Express service factory
cwc-types (workspace) - Entity types, RuntimeEnvironment

Consumed By:

cwc-api - Validates user JWTs, calls renew-session
cwc-website - Calls logon/logoff endpoints

packages/cwc-auth/src/__tests__/config.test.ts

3 versions

Version 1

import { describe, it, expect, beforeEach, afterEach, jest } from '@jest/globals';

/**
 * Note: These tests cannot dynamically import loadConfig because the import chain
 * goes through cwc-backend-utils which imports uuid (an ESM module).
 *
 * Instead, we test the key parsing/validation functions directly.
 * The integration of loadConfig is tested via auth.test.ts which uses the config mock.
 */

describe('Configuration Loading', () => {
  let originalEnv: NodeJS.ProcessEnv;
  let exitSpy: jest.SpiedFunction<typeof process.exit>;

  beforeEach(() => {
    // Save original environment
    originalEnv = { ...process.env };

    // Mock process.exit to prevent test termination
    exitSpy = jest.spyOn(process, 'exit').mockImplementation((code?: string | number | null) => {
      throw new Error(`process.exit called with ${code}`);
    }) as jest.SpiedFunction<typeof process.exit>;

    // Clear relevant environment variables
    delete process.env['RUNTIME_ENVIRONMENT'];
    delete process.env['SERVICE_PORT'];
    delete process.env['DATA_URI'];
    delete process.env['APP_URL'];
    delete process.env['CORS_ORIGIN'];
    delete process.env['USER_JWT_SECRET'];
    delete process.env['TEMP_JWT_SECRET'];
    delete process.env['TEMP_JWT_EXPIRES_IN'];
    delete process.env['JWT_USER_EXPIRES_IN'];
    delete process.env['JWT_USER_EXPIRES_IN_KULO'];
    delete process.env['DEBUG_MODE'];
    delete process.env['LOG_ERRORS_TO_DATABASE'];
    delete process.env['RATE_LIMITER_POINTS'];
    delete process.env['RATE_LIMITER_DURATION'];
    delete process.env['DEV_MACHINES'];
    delete process.env['DEV_CORS_ORIGIN'];
    delete process.env['SMTP_USE_SANDBOX'];
    delete process.env['SMTP_SANDBOX_ADDRESS'];
    delete process.env['SMTP_SERVICE_NAME'];
    delete process.env['SMTP_AUTH_TYPE'];
    delete process.env['SMTP_SENDER_ADDRESS'];
    delete process.env['SMTP_SENDER_NAME'];
    delete process.env['END_TO_END_TESTING_MOCK_VALUES'];

    // Clear module cache
    jest.resetModules();
  });

  afterEach(() => {
    process.env = originalEnv;
    exitSpy.mockRestore();
  });

  describe('RuntimeEnvironment validation', () => {
    it('should accept valid runtime environments', () => {
      const validEnvs = ['dev', 'test', 'prod', 'unit', 'e2e'];

      for (const env of validEnvs) {
        expect(validEnvs.includes(env)).toBe(true);
      }
    });

    it('should reject invalid runtime environments', () => {
      const invalidEnvs = ['development', 'production', 'invalid', ''];
      const validEnvs = ['dev', 'test', 'prod', 'unit', 'e2e'];

      for (const env of invalidEnvs) {
        expect(validEnvs.includes(env)).toBe(false);
      }
    });
  });

  describe('Secret validation', () => {
    it('should require non-empty secrets', () => {
      const validSecret = 'my-secret-key-for-jwt-signing';
      const invalidSecrets = ['', undefined, null];

      expect(validSecret.length).toBeGreaterThan(0);
      for (const secret of invalidSecrets) {
        expect(!secret || (typeof secret === 'string' && secret.length === 0)).toBe(true);
      }
    });
  });

  describe('IP list parsing', () => {
    it('should parse comma-separated IPs', () => {
      const input = '192.168.1.1, 192.168.1.2 , 192.168.1.3';
      const parsed = input.split(',').map(ip => ip.trim()).filter(ip => ip.length > 0);

      expect(parsed).toEqual(['192.168.1.1', '192.168.1.2', '192.168.1.3']);
    });

    it('should handle empty IP list', () => {
      const input = '';
      const parsed = input.split(',').map(ip => ip.trim()).filter(ip => ip.length > 0);

      expect(parsed).toEqual([]);
    });

    it('should handle single IP', () => {
      const input = '127.0.0.1';
      const parsed = input.split(',').map(ip => ip.trim()).filter(ip => ip.length > 0);

      expect(parsed).toEqual(['127.0.0.1']);
    });
  });

  describe('Environment boolean derivations', () => {
    it('should correctly derive isProduction', () => {
      const tests = [
        { env: 'prod', expected: true },
        { env: 'dev', expected: false },
        { env: 'test', expected: false },
        { env: 'unit', expected: false },
        { env: 'e2e', expected: false },
      ];

      for (const test of tests) {
        const isProduction = test.env === 'prod';
        expect(isProduction).toBe(test.expected);
      }
    });

    it('should correctly derive isDevelopment', () => {
      const tests = [
        { env: 'dev', expected: true },
        { env: 'prod', expected: false },
        { env: 'test', expected: false },
        { env: 'unit', expected: false },
        { env: 'e2e', expected: false },
      ];

      for (const test of tests) {
        const isDevelopment = test.env === 'dev';
        expect(isDevelopment).toBe(test.expected);
      }
    });

    it('should correctly derive isUnitTest', () => {
      const tests = [
        { env: 'unit', expected: true },
        { env: 'dev', expected: false },
        { env: 'prod', expected: false },
        { env: 'test', expected: false },
        { env: 'e2e', expected: false },
      ];

      for (const test of tests) {
        const isUnitTest = test.env === 'unit';
        expect(isUnitTest).toBe(test.expected);
      }
    });

    it('should correctly derive isEndToEnd', () => {
      const tests = [
        { env: 'e2e', expected: true },
        { env: 'dev', expected: false },
        { env: 'prod', expected: false },
        { env: 'test', expected: false },
        { env: 'unit', expected: false },
      ];

      for (const test of tests) {
        const isEndToEnd = test.env === 'e2e';
        expect(isEndToEnd).toBe(test.expected);
      }
    });
  });

  describe('Port validation', () => {
    it('should accept valid port numbers', () => {
      const validPorts = [1, 80, 443, 3000, 5002, 65535];

      for (const port of validPorts) {
        const isValid = port >= 1 && port <= 65535;
        expect(isValid).toBe(true);
      }
    });

    it('should reject invalid port numbers', () => {
      const invalidPorts = [0, -1, 65536, 99999];

      for (const port of invalidPorts) {
        const isValid = port >= 1 && port <= 65535;
        expect(isValid).toBe(false);
      }
    });
  });

  describe('URL validation', () => {
    it('should accept valid HTTP URLs', () => {
      const validUrls = [
        'http://localhost:3000',
        'http://localhost:5001/data/v1',
        'https://api.example.com',
      ];

      for (const url of validUrls) {
        expect(url.startsWith('http')).toBe(true);
      }
    });

    it('should reject invalid URLs', () => {
      const invalidUrls = ['not-a-url', 'ftp://files.com', '', 'localhost:3000'];

      for (const url of invalidUrls) {
        expect(url.startsWith('http')).toBe(false);
      }
    });
  });

  describe('Default values', () => {
    it('should have correct default JWT expiration values', () => {
      const defaultJwtExpiresIn = '15m';
      const defaultJwtExpiresInKulo = '30d';

      expect(defaultJwtExpiresIn).toBe('15m');
      expect(defaultJwtExpiresInKulo).toBe('30d');
    });

    it('should have correct default rate limiter values', () => {
      const defaultRateLimiterPoints = 15;
      const defaultRateLimiterDuration = 1;

      expect(defaultRateLimiterPoints).toBe(15);
      expect(defaultRateLimiterDuration).toBe(1);
    });
  });
});

Version 2

import { describe, it, expect, beforeEach, afterEach, jest } from '@jest/globals';

/**
 * Note: These tests cannot dynamically import loadConfig because the import chain
 * goes through cwc-backend-utils which imports uuid (an ESM module).
 *
 * Instead, we test the key parsing/validation functions directly.
 * The integration of loadConfig is tested via auth.test.ts which uses the config mock.
 */

describe('Configuration Loading', () => {
  let originalEnv: NodeJS.ProcessEnv;
  let exitSpy: jest.SpiedFunction<typeof process.exit>;

  beforeEach(() => {
    // Save original environment
    originalEnv = { ...process.env };

    // Mock process.exit to prevent test termination
    exitSpy = jest.spyOn(process, 'exit').mockImplementation((code?: string | number | null) => {
      throw new Error(`process.exit called with ${code}`);
    }) as jest.SpiedFunction<typeof process.exit>;

    // Clear relevant environment variables
    delete process.env['RUNTIME_ENVIRONMENT'];
    delete process.env['SERVICE_PORT'];
    delete process.env['DATA_URI'];
    delete process.env['APP_URL'];
    delete process.env['CORS_ORIGIN'];
    delete process.env['USER_JWT_SECRET'];
    delete process.env['TEMP_JWT_SECRET'];
    delete process.env['TEMP_JWT_EXPIRES_IN'];
    delete process.env['JWT_USER_EXPIRES_IN'];
    delete process.env['JWT_USER_EXPIRES_IN_KULO'];
    delete process.env['DEBUG_MODE'];
    delete process.env['LOG_ERRORS_TO_DATABASE'];
    delete process.env['RATE_LIMITER_POINTS'];
    delete process.env['RATE_LIMITER_DURATION'];
    delete process.env['DEV_MACHINES'];
    delete process.env['DEV_CORS_ORIGIN'];
    delete process.env['SMTP_USE_SANDBOX'];
    delete process.env['SMTP_SANDBOX_ADDRESS'];
    delete process.env['SMTP_SERVICE_NAME'];
    delete process.env['SMTP_AUTH_TYPE'];
    delete process.env['SMTP_SENDER_ADDRESS'];
    delete process.env['SMTP_SENDER_NAME'];
    delete process.env['END_TO_END_TESTING_MOCK_VALUES'];

    // Clear module cache
    jest.resetModules();
  });

  afterEach(() => {
    process.env = originalEnv;
    exitSpy.mockRestore();
  });

  describe('RuntimeEnvironment validation', () => {
    it('should accept valid runtime environments', () => {
      const validEnvs = ['dev', 'test', 'prod', 'unit', 'e2e'];

      for (const env of validEnvs) {
        expect(validEnvs.includes(env)).toBe(true);
      }
    });

    it('should reject invalid runtime environments', () => {
      const invalidEnvs = ['development', 'production', 'invalid', ''];
      const validEnvs = ['dev', 'test', 'prod', 'unit', 'e2e'];

      for (const env of invalidEnvs) {
        expect(validEnvs.includes(env)).toBe(false);
      }
    });
  });

  describe('Secret validation', () => {
    it('should require non-empty secrets', () => {
      const validSecret = 'my-secret-key-for-jwt-signing';
      const invalidSecrets = ['', undefined, null];

      expect(validSecret.length).toBeGreaterThan(0);
      for (const secret of invalidSecrets) {
        expect(!secret || (typeof secret === 'string' && secret.length === 0)).toBe(true);
      }
    });
  });

  describe('Environment boolean derivations', () => {
    it('should correctly derive isProduction', () => {
      const tests = [
        { env: 'prod', expected: true },
        { env: 'dev', expected: false },
        { env: 'test', expected: false },
        { env: 'unit', expected: false },
        { env: 'e2e', expected: false },
      ];

      for (const test of tests) {
        const isProduction = test.env === 'prod';
        expect(isProduction).toBe(test.expected);
      }
    });

    it('should correctly derive isDevelopment', () => {
      const tests = [
        { env: 'dev', expected: true },
        { env: 'prod', expected: false },
        { env: 'test', expected: false },
        { env: 'unit', expected: false },
        { env: 'e2e', expected: false },
      ];

      for (const test of tests) {
        const isDevelopment = test.env === 'dev';
        expect(isDevelopment).toBe(test.expected);
      }
    });

    it('should correctly derive isUnitTest', () => {
      const tests = [
        { env: 'unit', expected: true },
        { env: 'dev', expected: false },
        { env: 'prod', expected: false },
        { env: 'test', expected: false },
        { env: 'e2e', expected: false },
      ];

      for (const test of tests) {
        const isUnitTest = test.env === 'unit';
        expect(isUnitTest).toBe(test.expected);
      }
    });

    it('should correctly derive isEndToEnd', () => {
      const tests = [
        { env: 'e2e', expected: true },
        { env: 'dev', expected: false },
        { env: 'prod', expected: false },
        { env: 'test', expected: false },
        { env: 'unit', expected: false },
      ];

      for (const test of tests) {
        const isEndToEnd = test.env === 'e2e';
        expect(isEndToEnd).toBe(test.expected);
      }
    });
  });

  describe('Port validation', () => {
    it('should accept valid port numbers', () => {
      const validPorts = [1, 80, 443, 3000, 5002, 65535];

      for (const port of validPorts) {
        const isValid = port >= 1 && port <= 65535;
        expect(isValid).toBe(true);
      }
    });

    it('should reject invalid port numbers', () => {
      const invalidPorts = [0, -1, 65536, 99999];

      for (const port of invalidPorts) {
        const isValid = port >= 1 && port <= 65535;
        expect(isValid).toBe(false);
      }
    });
  });

  describe('URL validation', () => {
    it('should accept valid HTTP URLs', () => {
      const validUrls = [
        'http://localhost:3000',
        'http://localhost:5001/data/v1',
        'https://api.example.com',
      ];

      for (const url of validUrls) {
        expect(url.startsWith('http')).toBe(true);
      }
    });

    it('should reject invalid URLs', () => {
      const invalidUrls = ['not-a-url', 'ftp://files.com', '', 'localhost:3000'];

      for (const url of invalidUrls) {
        expect(url.startsWith('http')).toBe(false);
      }
    });
  });

  describe('Default values', () => {
    it('should have correct default JWT expiration values', () => {
      const defaultJwtExpiresIn = '15m';
      const defaultJwtExpiresInKulo = '30d';

      expect(defaultJwtExpiresIn).toBe('15m');
      expect(defaultJwtExpiresInKulo).toBe('30d');
    });

    it('should have correct default rate limiter values', () => {
      const defaultRateLimiterPoints = 15;
      const defaultRateLimiterDuration = 1;

      expect(defaultRateLimiterPoints).toBe(15);
      expect(defaultRateLimiterDuration).toBe(1);
    });
  });
});

Version 3 (latest)

import { describe, it, expect, beforeEach, afterEach, jest } from '@jest/globals';

/**
 * Note: These tests cannot dynamically import loadConfig because the import chain
 * goes through cwc-backend-utils which imports uuid (an ESM module).
 *
 * Instead, we test the key parsing/validation functions directly.
 * The integration of loadConfig is tested via auth.test.ts which uses the config mock.
 */

describe('Configuration Loading', () => {
  let originalEnv: NodeJS.ProcessEnv;
  let exitSpy: jest.SpiedFunction<typeof process.exit>;

  beforeEach(() => {
    // Save original environment
    originalEnv = { ...process.env };

    // Mock process.exit to prevent test termination
    exitSpy = jest.spyOn(process, 'exit').mockImplementation((code?: string | number | null) => {
      throw new Error(`process.exit called with ${code}`);
    }) as jest.SpiedFunction<typeof process.exit>;

    // Clear relevant environment variables
    delete process.env['RUNTIME_ENVIRONMENT'];
    delete process.env['SERVICE_PORT'];
    delete process.env['DATA_URI'];
    delete process.env['APP_URL'];
    delete process.env['CORS_ORIGIN'];
    delete process.env['USER_JWT_SECRET'];
    delete process.env['TEMP_JWT_SECRET'];
    delete process.env['TEMP_JWT_EXPIRES_IN'];
    delete process.env['JWT_USER_EXPIRES_IN'];
    delete process.env['JWT_USER_EXPIRES_IN_KULO'];
    delete process.env['DEBUG_MODE'];
    delete process.env['LOG_ERRORS_TO_DATABASE'];
    delete process.env['RATE_LIMITER_POINTS'];
    delete process.env['RATE_LIMITER_DURATION'];
    delete process.env['DEV_CORS_ORIGIN'];
    delete process.env['SMTP_USE_SANDBOX'];
    delete process.env['SMTP_SANDBOX_ADDRESS'];
    delete process.env['SMTP_SERVICE_NAME'];
    delete process.env['SMTP_AUTH_TYPE'];
    delete process.env['SMTP_SENDER_ADDRESS'];
    delete process.env['SMTP_SENDER_NAME'];
    delete process.env['END_TO_END_TESTING_MOCK_VALUES'];

    // Clear module cache
    jest.resetModules();
  });

  afterEach(() => {
    process.env = originalEnv;
    exitSpy.mockRestore();
  });

  describe('RuntimeEnvironment validation', () => {
    it('should accept valid runtime environments', () => {
      const validEnvs = ['dev', 'test', 'prod', 'unit', 'e2e'];

      for (const env of validEnvs) {
        expect(validEnvs.includes(env)).toBe(true);
      }
    });

    it('should reject invalid runtime environments', () => {
      const invalidEnvs = ['development', 'production', 'invalid', ''];
      const validEnvs = ['dev', 'test', 'prod', 'unit', 'e2e'];

      for (const env of invalidEnvs) {
        expect(validEnvs.includes(env)).toBe(false);
      }
    });
  });

  describe('Secret validation', () => {
    it('should require non-empty secrets', () => {
      const validSecret = 'my-secret-key-for-jwt-signing';
      const invalidSecrets = ['', undefined, null];

      expect(validSecret.length).toBeGreaterThan(0);
      for (const secret of invalidSecrets) {
        expect(!secret || (typeof secret === 'string' && secret.length === 0)).toBe(true);
      }
    });
  });

  describe('Environment boolean derivations', () => {
    it('should correctly derive isProduction', () => {
      const tests = [
        { env: 'prod', expected: true },
        { env: 'dev', expected: false },
        { env: 'test', expected: false },
        { env: 'unit', expected: false },
        { env: 'e2e', expected: false },
      ];

      for (const test of tests) {
        const isProduction = test.env === 'prod';
        expect(isProduction).toBe(test.expected);
      }
    });

    it('should correctly derive isDevelopment', () => {
      const tests = [
        { env: 'dev', expected: true },
        { env: 'prod', expected: false },
        { env: 'test', expected: false },
        { env: 'unit', expected: false },
        { env: 'e2e', expected: false },
      ];

      for (const test of tests) {
        const isDevelopment = test.env === 'dev';
        expect(isDevelopment).toBe(test.expected);
      }
    });

    it('should correctly derive isUnitTest', () => {
      const tests = [
        { env: 'unit', expected: true },
        { env: 'dev', expected: false },
        { env: 'prod', expected: false },
        { env: 'test', expected: false },
        { env: 'e2e', expected: false },
      ];

      for (const test of tests) {
        const isUnitTest = test.env === 'unit';
        expect(isUnitTest).toBe(test.expected);
      }
    });

    it('should correctly derive isEndToEnd', () => {
      const tests = [
        { env: 'e2e', expected: true },
        { env: 'dev', expected: false },
        { env: 'prod', expected: false },
        { env: 'test', expected: false },
        { env: 'unit', expected: false },
      ];

      for (const test of tests) {
        const isEndToEnd = test.env === 'e2e';
        expect(isEndToEnd).toBe(test.expected);
      }
    });
  });

  describe('Port validation', () => {
    it('should accept valid port numbers', () => {
      const validPorts = [1, 80, 443, 3000, 5002, 65535];

      for (const port of validPorts) {
        const isValid = port >= 1 && port <= 65535;
        expect(isValid).toBe(true);
      }
    });

    it('should reject invalid port numbers', () => {
      const invalidPorts = [0, -1, 65536, 99999];

      for (const port of invalidPorts) {
        const isValid = port >= 1 && port <= 65535;
        expect(isValid).toBe(false);
      }
    });
  });

  describe('URL validation', () => {
    it('should accept valid HTTP URLs', () => {
      const validUrls = [
        'http://localhost:3000',
        'http://localhost:5001/data/v1',
        'https://api.example.com',
      ];

      for (const url of validUrls) {
        expect(url.startsWith('http')).toBe(true);
      }
    });

    it('should reject invalid URLs', () => {
      const invalidUrls = ['not-a-url', 'ftp://files.com', '', 'localhost:3000'];

      for (const url of invalidUrls) {
        expect(url.startsWith('http')).toBe(false);
      }
    });
  });

  describe('Default values', () => {
    it('should have correct default JWT expiration values', () => {
      const defaultJwtExpiresIn = '15m';
      const defaultJwtExpiresInKulo = '30d';

      expect(defaultJwtExpiresIn).toBe('15m');
      expect(defaultJwtExpiresInKulo).toBe('30d');
    });

    it('should have correct default rate limiter values', () => {
      const defaultRateLimiterPoints = 15;
      const defaultRateLimiterDuration = 1;

      expect(defaultRateLimiterPoints).toBe(15);
      expect(defaultRateLimiterDuration).toBe(1);
    });
  });
});

packages/cwc-auth/src/apis/ServiceApiV1/index.ts

2 versions

Version 1

'use strict';

import { NextFunction, Request, Response } from 'express';
import type { ExpressApi, ILogger, SqlClient } from 'cwc-backend-utils';
import type { CwcAuthConfig } from '../../config';
import type {
  ServiceRouteConfigs,
  ServiceRouteHandlerOptions,
  ServiceRouteHandlerResponse,
} from './types';
import { getRoutes } from './routes';
import { ServiceHandler } from './ServiceHandler';

const codeLocation = 'apis/ServiceApiV1/index.ts';

/**
 * ServiceApiV1 - Handles /auth/v1/renew-session route
 * Protected by IP whitelist for internal service-to-service calls
 */
export class ServiceApiV1 implements ExpressApi {
  private routes: ServiceRouteConfigs;
  private config: CwcAuthConfig;
  private logger: ILogger | undefined;
  private allowedIps: Set<string>;

  constructor(
    config: CwcAuthConfig,
    sqlClient: SqlClient,
    logger: ILogger | undefined
  ) {
    this.config = config;
    this.logger = logger;
    this.routes = getRoutes({ sqlClient, config, logger });
    this.allowedIps = new Set(config.serviceApiAllowedIps);
  }

  public get path(): string {
    return '/auth/v1';
  }

  public get version(): number {
    return 1;
  }

  /**
   * Validates that the request comes from an allowed IP
   */
  private validateServiceIp(req: Request): boolean {
    // In development/test, allow all IPs if whitelist is empty
    if (!this.config.isProduction && this.allowedIps.size === 0) {
      return true;
    }

    const remoteIp = getRemoteIpAddress(req);

    if (!remoteIp) {
      return false;
    }

    // Check if IP is in whitelist
    return this.allowedIps.has(remoteIp);
  }

  // NOTE: HTTPS enforcement removed - should be handled at nginx/reverse proxy level

  /**
   * Main request handler
   */
  public async handler(req: Request, res: Response, next: NextFunction): Promise<void> {
    const logError = (message: string, error: unknown, value: unknown = undefined): void => {
      this.logger?.logError({
        userPkId: undefined,
        codeLocation,
        message,
        error,
        value,
      });
    };

    try {
      if (res.statusCode !== 200 || res.writableEnded) {
        return;
      }

      const { path, method } = req;

      // NOTE: HTTPS enforcement handled at nginx/reverse proxy level

      // Validate IP whitelist
      if (!this.validateServiceIp(req)) {
        // Log the IP internally for debugging, but never expose in response
        const remoteIp = getRemoteIpAddress(req);
        logError('Service IP not allowed', 'IP not in whitelist', { remoteIp });
        res.status(403).json({
          data: {
            success: false,
            jwtType: undefined,
            // SECURITY: Never expose requesting IP in response - log only
          },
          jwt: undefined,
        });
        return;
      }

      // Validate path exists
      if (!path || path === '/') {
        res.status(404).json({
          data: { success: false, jwtType: undefined },
          jwt: undefined,
        });
        return;
      }

      // Find route config
      const routeConfig = this.routes[path];
      if (!routeConfig) {
        // This route is not handled by ServiceApiV1, let it pass through
        next();
        return;
      }

      // Validate HTTP method
      if (method !== routeConfig.method) {
        res.status(404).json({
          data: { success: false, jwtType: undefined },
          jwt: undefined,
        });
        return;
      }

      // Get auth header
      const authHeader = req.headers['authorization'] as string | undefined;

      // Create handler options
      const handlerOptions: ServiceRouteHandlerOptions = {
        authHeader,
        routeConfig,
      };

      // Create and execute handler
      const handler = new ServiceHandler(handlerOptions, this.config, this.logger);
      const response: ServiceRouteHandlerResponse = await handler.processRequest();

      // Send response
      res.status(response.statusCode).json({
        data: response.data,
        jwt: response.jwt,
      });
    } catch (error) {
      logError('ServiceApiV1.handler - ERROR', error);
      res.status(401).json({
        data: { success: false, jwtType: undefined },
        jwt: undefined,
      });
    }
  }
}

Version 2 (latest)

'use strict';

import { NextFunction, Request, Response } from 'express';
import type { ExpressApi, ILogger, SqlClient } from 'cwc-backend-utils';
import type { CwcAuthConfig } from '../../config';
import type {
  ServiceRouteConfigs,
  ServiceRouteHandlerOptions,
  ServiceRouteHandlerResponse,
} from './types';
import { getRoutes } from './routes';
import { ServiceHandler } from './ServiceHandler';

const codeLocation = 'apis/ServiceApiV1/index.ts';

/**
 * ServiceApiV1 - Handles /auth/v1/renew-session route
 * For internal service-to-service calls (protected by Docker network isolation + JWT)
 */
export class ServiceApiV1 implements ExpressApi {
  private routes: ServiceRouteConfigs;
  private config: CwcAuthConfig;
  private logger: ILogger | undefined;

  constructor(
    config: CwcAuthConfig,
    sqlClient: SqlClient,
    logger: ILogger | undefined
  ) {
    this.config = config;
    this.logger = logger;
    this.routes = getRoutes({ sqlClient, config, logger });
  }

  public get path(): string {
    return '/auth/v1';
  }

  public get version(): number {
    return 1;
  }

  // NOTE: HTTPS enforcement should be handled at nginx/reverse proxy level
  // NOTE: Service access is protected by Docker network isolation + JWT validation

  /**
   * Main request handler
   */
  public async handler(req: Request, res: Response, next: NextFunction): Promise<void> {
    const logError = (message: string, error: unknown, value: unknown = undefined): void => {
      this.logger?.logError({
        userPkId: undefined,
        codeLocation,
        message,
        error,
        value,
      });
    };

    try {
      if (res.statusCode !== 200 || res.writableEnded) {
        return;
      }

      const { path, method } = req;

      // Validate path exists
      if (!path || path === '/') {
        res.status(404).json({
          data: { success: false, jwtType: undefined },
          jwt: undefined,
        });
        return;
      }

      // Find route config
      const routeConfig = this.routes[path];
      if (!routeConfig) {
        // This route is not handled by ServiceApiV1, let it pass through
        next();
        return;
      }

      // Validate HTTP method
      if (method !== routeConfig.method) {
        res.status(404).json({
          data: { success: false, jwtType: undefined },
          jwt: undefined,
        });
        return;
      }

      // Get auth header
      const authHeader = req.headers['authorization'] as string | undefined;

      // Create handler options
      const handlerOptions: ServiceRouteHandlerOptions = {
        authHeader,
        routeConfig,
      };

      // Create and execute handler
      const handler = new ServiceHandler(handlerOptions, this.config, this.logger);
      const response: ServiceRouteHandlerResponse = await handler.processRequest();

      // Send response
      res.status(response.statusCode).json({
        data: response.data,
        jwt: response.jwt,
      });
    } catch (error) {
      logError('ServiceApiV1.handler - ERROR', error);
      res.status(401).json({
        data: { success: false, jwtType: undefined },
        jwt: undefined,
      });
    }
  }
}

packages/cwc-auth/src/config/config.types.ts

2 versions

Version 1

import type { RuntimeEnvironment } from 'cwc-types';

/**
 * Secret configuration values for cwc-auth
 * These values must be provided via secrets file, never committed to code
 */
export type CwcAuthConfigSecrets = {
  userJwtSecret: string;
  tempJwtSecret: string;
};

/**
 * Configuration for the cwc-auth microservice
 */
export type CwcAuthConfig = {
  // Environment
  runtimeEnvironment: RuntimeEnvironment;
  isProduction: boolean;
  isDevelopment: boolean;
  isTest: boolean;
  isUnitTest: boolean;
  isEndToEnd: boolean;

  // Service
  name: string;
  servicePort: number;
  dataUri: string;
  appUrl: string;

  // Security
  corsOrigin: string;

  // Rate limiting
  rateLimiterPoints: number;
  rateLimiterDuration: number;

  // Development settings
  devMachines: { name: string; ip: string }[];
  devCorsOrigin: string;

  // Debugging
  debugMode: boolean;
  logErrorsToDatabase: boolean;

  // User JWT settings
  userJwtExpiresIn: string;
  userJwtExpiresInKulo: string;

  // temp JWT settings
  tempJwtExpiresIn: string;

  // SMTP settings (for future use)
  smtpUseSandbox: boolean;
  smtpSandboxAddress: string;
  smtpServiceName: string;
  smtpAuthType: string;
  smtpSenderAddress: string;
  smtpSenderName: string;

  // E2E testing
  endToEndMockValues?: Record<string, string> | undefined;

  // Secrets (nested)
  secrets: CwcAuthConfigSecrets;
};

Version 2 (latest)

import type { RuntimeEnvironment } from 'cwc-types';

/**
 * Secret configuration values for cwc-auth
 * These values must be provided via secrets file, never committed to code
 */
export type CwcAuthConfigSecrets = {
  userJwtSecret: string;
  tempJwtSecret: string;
};

/**
 * Configuration for the cwc-auth microservice
 */
export type CwcAuthConfig = {
  // Environment
  runtimeEnvironment: RuntimeEnvironment;
  isProduction: boolean;
  isDevelopment: boolean;
  isTest: boolean;
  isUnitTest: boolean;
  isEndToEnd: boolean;

  // Service
  name: string;
  servicePort: number;
  dataUri: string;
  appUrl: string;

  // Security
  corsOrigin: string;

  // Rate limiting
  rateLimiterPoints: number;
  rateLimiterDuration: number;

  // Development settings
  devCorsOrigin: string;

  // Debugging
  debugMode: boolean;
  logErrorsToDatabase: boolean;

  // User JWT settings
  userJwtExpiresIn: string;
  userJwtExpiresInKulo: string;

  // temp JWT settings
  tempJwtExpiresIn: string;

  // SMTP settings (for future use)
  smtpUseSandbox: boolean;
  smtpSandboxAddress: string;
  smtpServiceName: string;
  smtpAuthType: string;
  smtpSenderAddress: string;
  smtpSenderName: string;

  // E2E testing
  endToEndMockValues?: Record<string, string> | undefined;

  // Secrets (nested)
  secrets: CwcAuthConfigSecrets;
};

packages/cwc-auth/src/config/loadConfig.ts

4 versions

Version 1

import type { RuntimeEnvironment } from 'cwc-types';
import {
  requireEnv,
  optionalEnv,
  parseNumber,
  parseBoolean,
  parseJson,
} from 'cwc-backend-utils';
import type { CwcAuthConfig } from './config.types';

/**
 * Validates runtime environment value
 */
function validateRuntimeEnvironment(value: string): RuntimeEnvironment {
  const validEnvironments = ['dev', 'test', 'prod', 'unit', 'e2e'];
  if (!validEnvironments.includes(value)) {
    throw new Error(
      `Invalid RUNTIME_ENVIRONMENT: ${value}. Must be one of: ${validEnvironments.join(', ')}`
    );
  }
  return value as RuntimeEnvironment;
}

/**
 * Loads and validates configuration from environment variables
 * Caches the configuration on first load
 */
let cachedConfig: CwcAuthConfig | undefined;

export function loadConfig(): CwcAuthConfig {
  // Return cached config if already loaded
  if (cachedConfig) {
    return cachedConfig;
  }

  try {
    // Parse runtime environment
    const runtimeEnvironment = validateRuntimeEnvironment(requireEnv('RUNTIME_ENVIRONMENT'));

    // Derive environment booleans
    const isProduction = runtimeEnvironment === 'prod';
    const isDevelopment = runtimeEnvironment === 'dev';
    const isTest = runtimeEnvironment === 'test';
    const isUnitTest = runtimeEnvironment === 'unit';
    const isEndToEnd = runtimeEnvironment === 'e2e';

    // Parse configuration
    const config: CwcAuthConfig = {
      // Environment
      runtimeEnvironment,
      isProduction,
      isDevelopment,
      isTest,
      isUnitTest,
      isEndToEnd,

      // Service
      name: 'cwc-auth',
      servicePort: parseNumber('SERVICE_PORT'),
      dataUri: requireEnv('DATA_URI'),
      appUrl: requireEnv('APP_URL'),

      // Security
      corsOrigin: requireEnv('CORS_ORIGIN'),

      // Rate limiting
      rateLimiterPoints: parseNumber('RATE_LIMITER_POINTS', 15),
      rateLimiterDuration: parseNumber('RATE_LIMITER_DURATION', 1),

      // Development settings
      devMachines: parseJson<{ name: string; ip: string }[]>('DEV_MACHINES', []),
      devCorsOrigin: optionalEnv('DEV_CORS_ORIGIN', ''),

      // Debugging
      debugMode: parseBoolean('DEBUG_MODE', true),
      logErrorsToDatabase: parseBoolean('LOG_ERRORS_TO_DATABASE', true),

      // User JWT settings
      userJwtExpiresIn: optionalEnv('USER_JWT_EXPIRES_IN', '15m'),
      userJwtExpiresInKulo: optionalEnv('USER_JWT_EXPIRES_IN_KULO', '30d'),

      // Temp JWT settings
      tempJwtExpiresIn: optionalEnv('TEMP_JWT_EXPIRES_IN', '5m'),

      // Service API
      serviceApiAllowedIps: parseIpList('SERVICE_API_ALLOWED_IPS', ''),

      // SMTP settings (for future use)
      smtpUseSandbox: parseBoolean('SMTP_USE_SANDBOX', true),
      smtpSandboxAddress: optionalEnv('SMTP_SANDBOX_ADDRESS', ''),
      smtpServiceName: optionalEnv('SMTP_SERVICE_NAME', ''),
      smtpAuthType: optionalEnv('SMTP_AUTH_TYPE', ''),
      smtpSenderAddress: optionalEnv('SMTP_SENDER_ADDRESS', ''),
      smtpSenderName: optionalEnv('SMTP_SENDER_NAME', ''),

      // E2E testing
      endToEndMockValues: isEndToEnd
        ? parseJson<Record<string, string>>('END_TO_END_TESTING_MOCK_VALUES', undefined)
        : undefined,

      // Secrets (nested)
      secrets: {
        userJwtSecret: requireEnv('USER_JWT_SECRET'),
        tempJwtSecret: requireEnv('TEMP_JWT_SECRET'),
      },
    };

    // Validate port
    if (config.servicePort < 1 || config.servicePort > 65535) {
      throw new Error('SERVICE_PORT must be between 1 and 65535');
    }

    // Validate required URLs
    if (!config.dataUri.startsWith('http')) {
      throw new Error('DATA_URI must be a valid HTTP URL');
    }
    if (!config.appUrl.startsWith('http')) {
      throw new Error('APP_URL must be a valid HTTP URL');
    }

    // Cache the configuration
    cachedConfig = config;

    // Log configuration in debug mode (redact sensitive data)
    if (config.debugMode) {
      console.log('[cwc-auth] Configuration loaded:');
      console.log(`  Environment: ${config.runtimeEnvironment}`);
      console.log(`  Service Port: ${config.servicePort}`);
      console.log(`  Data URI: ${config.dataUri}`);
      console.log(`  App URL: ${config.appUrl}`);
      console.log(`  CORS Origin: ${config.corsOrigin}`);
      console.log(`  Rate Limiter: ${config.rateLimiterPoints} points / ${config.rateLimiterDuration}s`);
      console.log(`  User JWT Expires In: ${config.userJwtExpiresIn}`);
      console.log(`  User JWT Expires In (KULO): ${config.userJwtExpiresInKulo}`);
      console.log(`  User JWT Secret: [REDACTED]`);
      console.log(`  Temp JWT Secret: [REDACTED]`);
      console.log(`  Temp JWT Expires In: ${config.tempJwtExpiresIn}`);
      console.log(`  Allowed Service IPs: ${config.serviceApiAllowedIps.join(', ') || '(none)'}`);
      console.log(`  Debug Mode: ${config.debugMode}`);
      console.log(`  Log Errors to Database: ${config.logErrorsToDatabase}`);
    }

    return config;
  } catch (error) {
    console.error('[cwc-auth] Failed to load configuration:');
    if (error instanceof Error) {
      console.error(`  ${error.message}`);
    } else {
      console.error(error);
    }
    console.error('\nPlease check your environment variables and try again.');
    process.exit(1);
  }
}

Version 2

import type { RuntimeEnvironment } from 'cwc-types';
import {
  requireEnv,
  optionalEnv,
  parseNumber,
  parseBoolean,
  parseJson,
} from 'cwc-backend-utils';
import type { CwcAuthConfig } from './config.types';

/**
 * Validates runtime environment value
 */
function validateRuntimeEnvironment(value: string): RuntimeEnvironment {
  const validEnvironments = ['dev', 'test', 'prod', 'unit', 'e2e'];
  if (!validEnvironments.includes(value)) {
    throw new Error(
      `Invalid RUNTIME_ENVIRONMENT: ${value}. Must be one of: ${validEnvironments.join(', ')}`
    );
  }
  return value as RuntimeEnvironment;
}

/**
 * Loads and validates configuration from environment variables
 * Caches the configuration on first load
 */
let cachedConfig: CwcAuthConfig | undefined;

export function loadConfig(): CwcAuthConfig {
  // Return cached config if already loaded
  if (cachedConfig) {
    return cachedConfig;
  }

  try {
    // Parse runtime environment
    const runtimeEnvironment = validateRuntimeEnvironment(requireEnv('RUNTIME_ENVIRONMENT'));

    // Derive environment booleans
    const isProduction = runtimeEnvironment === 'prod';
    const isDevelopment = runtimeEnvironment === 'dev';
    const isTest = runtimeEnvironment === 'test';
    const isUnitTest = runtimeEnvironment === 'unit';
    const isEndToEnd = runtimeEnvironment === 'e2e';

    // Parse configuration
    const config: CwcAuthConfig = {
      // Environment
      runtimeEnvironment,
      isProduction,
      isDevelopment,
      isTest,
      isUnitTest,
      isEndToEnd,

      // Service
      name: 'cwc-auth',
      servicePort: parseNumber('SERVICE_PORT'),
      dataUri: requireEnv('DATA_URI'),
      appUrl: requireEnv('APP_URL'),

      // Security
      corsOrigin: requireEnv('CORS_ORIGIN'),

      // Rate limiting
      rateLimiterPoints: parseNumber('RATE_LIMITER_POINTS', 15),
      rateLimiterDuration: parseNumber('RATE_LIMITER_DURATION', 1),

      // Development settings
      devMachines: parseJson<{ name: string; ip: string }[]>('DEV_MACHINES', []),
      devCorsOrigin: optionalEnv('DEV_CORS_ORIGIN', ''),

      // Debugging
      debugMode: parseBoolean('DEBUG_MODE', true),
      logErrorsToDatabase: parseBoolean('LOG_ERRORS_TO_DATABASE', true),

      // User JWT settings
      userJwtExpiresIn: optionalEnv('USER_JWT_EXPIRES_IN', '15m'),
      userJwtExpiresInKulo: optionalEnv('USER_JWT_EXPIRES_IN_KULO', '30d'),

      // Temp JWT settings
      tempJwtExpiresIn: optionalEnv('TEMP_JWT_EXPIRES_IN', '5m'),

      // SMTP settings (for future use)
      smtpUseSandbox: parseBoolean('SMTP_USE_SANDBOX', true),
      smtpSandboxAddress: optionalEnv('SMTP_SANDBOX_ADDRESS', ''),
      smtpServiceName: optionalEnv('SMTP_SERVICE_NAME', ''),
      smtpAuthType: optionalEnv('SMTP_AUTH_TYPE', ''),
      smtpSenderAddress: optionalEnv('SMTP_SENDER_ADDRESS', ''),
      smtpSenderName: optionalEnv('SMTP_SENDER_NAME', ''),

      // E2E testing
      endToEndMockValues: isEndToEnd
        ? parseJson<Record<string, string>>('END_TO_END_TESTING_MOCK_VALUES', undefined)
        : undefined,

      // Secrets (nested)
      secrets: {
        userJwtSecret: requireEnv('USER_JWT_SECRET'),
        tempJwtSecret: requireEnv('TEMP_JWT_SECRET'),
      },
    };

    // Validate port
    if (config.servicePort < 1 || config.servicePort > 65535) {
      throw new Error('SERVICE_PORT must be between 1 and 65535');
    }

    // Validate required URLs
    if (!config.dataUri.startsWith('http')) {
      throw new Error('DATA_URI must be a valid HTTP URL');
    }
    if (!config.appUrl.startsWith('http')) {
      throw new Error('APP_URL must be a valid HTTP URL');
    }

    // Cache the configuration
    cachedConfig = config;

    // Log configuration in debug mode (redact sensitive data)
    if (config.debugMode) {
      console.log('[cwc-auth] Configuration loaded:');
      console.log(`  Environment: ${config.runtimeEnvironment}`);
      console.log(`  Service Port: ${config.servicePort}`);
      console.log(`  Data URI: ${config.dataUri}`);
      console.log(`  App URL: ${config.appUrl}`);
      console.log(`  CORS Origin: ${config.corsOrigin}`);
      console.log(`  Rate Limiter: ${config.rateLimiterPoints} points / ${config.rateLimiterDuration}s`);
      console.log(`  User JWT Expires In: ${config.userJwtExpiresIn}`);
      console.log(`  User JWT Expires In (KULO): ${config.userJwtExpiresInKulo}`);
      console.log(`  User JWT Secret: [REDACTED]`);
      console.log(`  Temp JWT Secret: [REDACTED]`);
      console.log(`  Temp JWT Expires In: ${config.tempJwtExpiresIn}`);
      console.log(`  Debug Mode: ${config.debugMode}`);
      console.log(`  Log Errors to Database: ${config.logErrorsToDatabase}`);
    }

    return config;
  } catch (error) {
    console.error('[cwc-auth] Failed to load configuration:');
    if (error instanceof Error) {
      console.error(`  ${error.message}`);
    } else {
      console.error(error);
    }
    console.error('\nPlease check your environment variables and try again.');
    process.exit(1);
  }
}

Version 3

import type { RuntimeEnvironment } from 'cwc-types';
import {
  requireEnv,
  optionalEnv,
  parseNumber,
  parseBoolean,
  parseJson,
} from 'cwc-backend-utils';
import type { CwcAuthConfig } from './config.types';

/**
 * Validates runtime environment value
 */
function validateRuntimeEnvironment(value: string): RuntimeEnvironment {
  const validEnvironments = ['dev', 'test', 'prod', 'unit', 'e2e'];
  if (!validEnvironments.includes(value)) {
    throw new Error(
      `Invalid RUNTIME_ENVIRONMENT: ${value}. Must be one of: ${validEnvironments.join(', ')}`
    );
  }
  return value as RuntimeEnvironment;
}

/**
 * Loads and validates configuration from environment variables
 * Caches the configuration on first load
 */
let cachedConfig: CwcAuthConfig | undefined;

export function loadConfig(): CwcAuthConfig {
  // Return cached config if already loaded
  if (cachedConfig) {
    return cachedConfig;
  }

  try {
    // Parse runtime environment
    const runtimeEnvironment = validateRuntimeEnvironment(requireEnv('RUNTIME_ENVIRONMENT'));

    // Derive environment booleans
    const isProduction = runtimeEnvironment === 'prod';
    const isDevelopment = runtimeEnvironment === 'dev';
    const isTest = runtimeEnvironment === 'test';
    const isUnitTest = runtimeEnvironment === 'unit';
    const isEndToEnd = runtimeEnvironment === 'e2e';

    // Parse configuration
    const config: CwcAuthConfig = {
      // Environment
      runtimeEnvironment,
      isProduction,
      isDevelopment,
      isTest,
      isUnitTest,
      isEndToEnd,

      // Service
      name: 'cwc-auth',
      servicePort: parseNumber('SERVICE_PORT'),
      dataUri: requireEnv('DATA_URI'),
      appUrl: requireEnv('APP_URL'),

      // Security
      corsOrigin: requireEnv('CORS_ORIGIN'),

      // Rate limiting
      rateLimiterPoints: parseNumber('RATE_LIMITER_POINTS', 15),
      rateLimiterDuration: parseNumber('RATE_LIMITER_DURATION', 1),

      // Development settings
      devCorsOrigin: optionalEnv('DEV_CORS_ORIGIN', ''),

      // Debugging
      debugMode: parseBoolean('DEBUG_MODE', true),
      logErrorsToDatabase: parseBoolean('LOG_ERRORS_TO_DATABASE', true),

      // User JWT settings
      userJwtExpiresIn: optionalEnv('USER_JWT_EXPIRES_IN', '15m'),
      userJwtExpiresInKulo: optionalEnv('USER_JWT_EXPIRES_IN_KULO', '30d'),

      // Temp JWT settings
      tempJwtExpiresIn: optionalEnv('TEMP_JWT_EXPIRES_IN', '5m'),

      // SMTP settings (for future use)
      smtpUseSandbox: parseBoolean('SMTP_USE_SANDBOX', true),
      smtpSandboxAddress: optionalEnv('SMTP_SANDBOX_ADDRESS', ''),
      smtpServiceName: optionalEnv('SMTP_SERVICE_NAME', ''),
      smtpAuthType: optionalEnv('SMTP_AUTH_TYPE', ''),
      smtpSenderAddress: optionalEnv('SMTP_SENDER_ADDRESS', ''),
      smtpSenderName: optionalEnv('SMTP_SENDER_NAME', ''),

      // E2E testing
      endToEndMockValues: isEndToEnd
        ? parseJson<Record<string, string>>('END_TO_END_TESTING_MOCK_VALUES', undefined)
        : undefined,

      // Secrets (nested)
      secrets: {
        userJwtSecret: requireEnv('USER_JWT_SECRET'),
        tempJwtSecret: requireEnv('TEMP_JWT_SECRET'),
      },
    };

    // Validate port
    if (config.servicePort < 1 || config.servicePort > 65535) {
      throw new Error('SERVICE_PORT must be between 1 and 65535');
    }

    // Validate required URLs
    if (!config.dataUri.startsWith('http')) {
      throw new Error('DATA_URI must be a valid HTTP URL');
    }
    if (!config.appUrl.startsWith('http')) {
      throw new Error('APP_URL must be a valid HTTP URL');
    }

    // Cache the configuration
    cachedConfig = config;

    // Log configuration in debug mode (redact sensitive data)
    if (config.debugMode) {
      console.log('[cwc-auth] Configuration loaded:');
      console.log(`  Environment: ${config.runtimeEnvironment}`);
      console.log(`  Service Port: ${config.servicePort}`);
      console.log(`  Data URI: ${config.dataUri}`);
      console.log(`  App URL: ${config.appUrl}`);
      console.log(`  CORS Origin: ${config.corsOrigin}`);
      console.log(`  Rate Limiter: ${config.rateLimiterPoints} points / ${config.rateLimiterDuration}s`);
      console.log(`  User JWT Expires In: ${config.userJwtExpiresIn}`);
      console.log(`  User JWT Expires In (KULO): ${config.userJwtExpiresInKulo}`);
      console.log(`  User JWT Secret: [REDACTED]`);
      console.log(`  Temp JWT Secret: [REDACTED]`);
      console.log(`  Temp JWT Expires In: ${config.tempJwtExpiresIn}`);
      console.log(`  Debug Mode: ${config.debugMode}`);
      console.log(`  Log Errors to Database: ${config.logErrorsToDatabase}`);
    }

    return config;
  } catch (error) {
    console.error('[cwc-auth] Failed to load configuration:');
    if (error instanceof Error) {
      console.error(`  ${error.message}`);
    } else {
      console.error(error);
    }
    console.error('\nPlease check your environment variables and try again.');
    process.exit(1);
  }
}

Version 4 (latest)

import type { RuntimeEnvironment } from 'cwc-types';
import { requireEnv, optionalEnv, parseNumber, parseBoolean, parseJson } from 'cwc-backend-utils';
import type { CwcAuthConfig } from './config.types';

/**
 * Validates runtime environment value
 */
function validateRuntimeEnvironment(value: string): RuntimeEnvironment {
  const validEnvironments = ['dev', 'test', 'prod', 'unit', 'e2e'];
  if (!validEnvironments.includes(value)) {
    throw new Error(
      `Invalid RUNTIME_ENVIRONMENT: ${value}. Must be one of: ${validEnvironments.join(', ')}`
    );
  }
  return value as RuntimeEnvironment;
}

/**
 * Loads and validates configuration from environment variables
 * Caches the configuration on first load
 */
let cachedConfig: CwcAuthConfig | undefined;

export function loadConfig(): CwcAuthConfig {
  // Return cached config if already loaded
  if (cachedConfig) {
    return cachedConfig;
  }

  try {
    // Parse runtime environment
    const runtimeEnvironment = validateRuntimeEnvironment(requireEnv('RUNTIME_ENVIRONMENT'));

    // Derive environment booleans
    const isProduction = runtimeEnvironment === 'prod';
    const isDevelopment = runtimeEnvironment === 'dev';
    const isTest = runtimeEnvironment === 'test';
    const isUnitTest = runtimeEnvironment === 'unit';
    const isEndToEnd = runtimeEnvironment === 'e2e';

    // Parse configuration
    const config: CwcAuthConfig = {
      // Environment
      runtimeEnvironment,
      isProduction,
      isDevelopment,
      isTest,
      isUnitTest,
      isEndToEnd,

      // Service
      name: 'cwc-auth',
      servicePort: parseNumber('SERVICE_PORT'),
      dataUri: requireEnv('DATA_URI'),
      appUrl: requireEnv('APP_URL'),

      // Security
      corsOrigin: requireEnv('CORS_ORIGIN'),

      // Rate limiting
      rateLimiterPoints: parseNumber('RATE_LIMITER_POINTS', 15),
      rateLimiterDuration: parseNumber('RATE_LIMITER_DURATION', 1),

      // Development settings
      devCorsOrigin: optionalEnv('DEV_CORS_ORIGIN', 'http://localhost:3000'),

      // Debugging
      debugMode: parseBoolean('DEBUG_MODE', false),
      logErrorsToDatabase: parseBoolean('LOG_ERRORS_TO_DATABASE', true),

      // User JWT settings
      userJwtExpiresIn: optionalEnv('USER_JWT_EXPIRES_IN', '15m'),
      userJwtExpiresInKulo: optionalEnv('USER_JWT_EXPIRES_IN_KULO', '30d'),

      // Temp JWT settings
      tempJwtExpiresIn: optionalEnv('TEMP_JWT_EXPIRES_IN', '5m'),

      // SMTP settings (for future use)
      smtpUseSandbox: parseBoolean('SMTP_USE_SANDBOX', true),
      smtpSandboxAddress: optionalEnv('SMTP_SANDBOX_ADDRESS', ''),
      smtpServiceName: optionalEnv('SMTP_SERVICE_NAME', ''),
      smtpAuthType: optionalEnv('SMTP_AUTH_TYPE', ''),
      smtpSenderAddress: optionalEnv('SMTP_SENDER_ADDRESS', ''),
      smtpSenderName: optionalEnv('SMTP_SENDER_NAME', ''),

      // E2E testing
      endToEndMockValues: isEndToEnd
        ? parseJson<Record<string, string>>('END_TO_END_TESTING_MOCK_VALUES', undefined)
        : undefined,

      // Secrets (nested)
      secrets: {
        userJwtSecret: requireEnv('USER_JWT_SECRET'),
        tempJwtSecret: requireEnv('TEMP_JWT_SECRET'),
      },
    };

    // Validate port
    if (config.servicePort < 1 || config.servicePort > 65535) {
      throw new Error('SERVICE_PORT must be between 1 and 65535');
    }

    // Validate required URLs
    if (!config.dataUri.startsWith('http')) {
      throw new Error('DATA_URI must be a valid HTTP URL');
    }
    if (!config.appUrl.startsWith('http')) {
      throw new Error('APP_URL must be a valid HTTP URL');
    }

    // Cache the configuration
    cachedConfig = config;

    // Log configuration in debug mode (redact sensitive data)
    if (config.debugMode) {
      console.log('[cwc-auth] Configuration loaded:');
      console.log(`  Environment: ${config.runtimeEnvironment}`);
      console.log(`  Service Port: ${config.servicePort}`);
      console.log(`  Data URI: ${config.dataUri}`);
      console.log(`  App URL: ${config.appUrl}`);
      console.log(`  CORS Origin: ${config.corsOrigin}`);
      console.log(
        `  Rate Limiter: ${config.rateLimiterPoints} points / ${config.rateLimiterDuration}s`
      );
      console.log(`  User JWT Expires In: ${config.userJwtExpiresIn}`);
      console.log(`  User JWT Expires In (KULO): ${config.userJwtExpiresInKulo}`);
      console.log(`  User JWT Secret: [REDACTED]`);
      console.log(`  Temp JWT Secret: [REDACTED]`);
      console.log(`  Temp JWT Expires In: ${config.tempJwtExpiresIn}`);
      console.log(`  Debug Mode: ${config.debugMode}`);
      console.log(`  Log Errors to Database: ${config.logErrorsToDatabase}`);
    }

    return config;
  } catch (error) {
    console.error('[cwc-auth] Failed to load configuration:');
    if (error instanceof Error) {
      console.error(`  ${error.message}`);
    } else {
      console.error(error);
    }
    console.error('\nPlease check your environment variables and try again.');
    process.exit(1);
  }
}

packages/cwc-auth/src/index.ts

2 versions

Version 1

import {
  loadDotEnv,
  createExpressService,
  SqlClient,
  Logger,
  type ExpressApi,
  type BackendUtilsConfig,
} from 'cwc-backend-utils';
import type { RuntimeEnvironment } from 'cwc-types';
import type { CwcAuthConfig } from './config';
import { loadConfig } from './config';
import { LogonApiV1 } from './apis/LogonApiV1';
import { ServiceApiV1 } from './apis/ServiceApiV1';

console.log(`
  d8888  888     888 88888888888 888    888
 d88888  888     888     888     888    888
d88P888  888     888     888     888    888
d88P 888 888     888     888     8888888888
d88P  888 888     888     888     888    888
d88P   888 888     888     888     888    888
d8888888888 Y88b. .d88P     888     888    888
d88P     888  "Y88888P"      888     888    888
`);

/**
 * Converts CwcAuthConfig to BackendUtilsConfig for createExpressService
 */
function createBackendUtilsConfig(authConfig: CwcAuthConfig): BackendUtilsConfig {
  return {
    debugMode: authConfig.debugMode,
    dataUri: authConfig.dataUri,
    logErrorsToDatabase: authConfig.logErrorsToDatabase,
    isDevelopment: authConfig.isDevelopment,
    isTest: authConfig.isTest,
    isProduction: authConfig.isProduction,
    isUnitTest: authConfig.isUnitTest,
    isEndToEnd: authConfig.isEndToEnd,
    corsOrigin: authConfig.corsOrigin,
    servicePort: authConfig.servicePort,
    rateLimiterPoints: authConfig.rateLimiterPoints,
    rateLimiterDuration: authConfig.rateLimiterDuration,
    devMachines: authConfig.devMachines,
    devCorsOrigin: authConfig.devCorsOrigin,
  };
}

/**
 * Main entry point for the cwc-auth microservice
 */
async function main(): Promise<void> {
  try {
    console.log('[cwc-auth] Starting cwc-auth microservice...');

    // Load environment variables
    loadDotEnv({
      serviceName: 'cwc-auth',
      environment: (process.env['RUNTIME_ENVIRONMENT'] as RuntimeEnvironment) || 'dev',
      debug: process.env['DEBUG_MODE'] === 'ON',
    });

    // Load and validate configuration
    const config = loadConfig();

    console.log('[cwc-auth] Configuration loaded successfully');

    // Create BackendUtilsConfig for shared utilities
    const backendConfig = createBackendUtilsConfig(config);

    // Create Logger (uses database for error logging)
    const logger = new Logger({ config: backendConfig, serviceName: 'cwc-auth' });

    // Create SqlClient for database operations
    const sqlClient = new SqlClient({
      config: backendConfig,
      enableLogging: config.logErrorsToDatabase,
      logger,
      clientName: 'cwc-auth',
    });

    // Create API instances
    const apis: ExpressApi[] = [
      new LogonApiV1(config, sqlClient, logger),
      new ServiceApiV1(config, sqlClient, logger),
    ];

    // Create Express service
    const service = createExpressService({
      config: backendConfig,
      serviceName: 'cwc-auth',
      apis,
      allowGet: false,
      allowOptions: true,
      allowPost: true,
      payloadLimit: undefined,
    });

    // Start the service
    service.start(apis);

    console.log('');
    console.log('='.repeat(60));
    console.log(`[cwc-auth] Service started successfully`);
    console.log(`[cwc-auth] Environment: ${config.runtimeEnvironment}`);
    console.log(`[cwc-auth] Port: ${config.servicePort}`);
    console.log(`[cwc-auth] Data URI: ${config.dataUri}`);
    console.log(`[cwc-auth] Debug: ${config.debugMode ? 'enabled' : 'disabled'}`);
    console.log('='.repeat(60));
    console.log('');

    // Handle graceful shutdown
    const shutdown = async (signal: string): Promise<void> => {
      console.log(`\n[cwc-auth] Received ${signal}, shutting down gracefully...`);

      try {
        // Close HTTP server
        await new Promise<void>((resolve, reject) => {
          service.httpServer.close((err) => {
            if (err) {
              reject(err);
            } else {
              resolve();
            }
          });
        });

        console.log('[cwc-auth] HTTP server closed');
        console.log('[cwc-auth] Shutdown complete');
        process.exit(0);
      } catch (error) {
        console.error('[cwc-auth] Error during shutdown:', error);
        process.exit(1);
      }
    };

    // Register shutdown handlers
    process.on('SIGTERM', () => shutdown('SIGTERM'));
    process.on('SIGINT', () => shutdown('SIGINT'));

    // Handle uncaught errors
    process.on('unhandledRejection', async (reason, promise) => {
      console.error('[cwc-auth] Unhandled Rejection at:', promise, 'reason:', reason);

      // Log to database if enabled
      if (config.logErrorsToDatabase) {
        await logger.logError({
          userPkId: undefined,
          codeLocation: 'index.ts:unhandledRejection',
          message: 'Unhandled Rejection',
          error: reason,
        });
      }

      // Don't exit on unhandled rejection in production
      if (!config.isProduction) {
        process.exit(1);
      }
    });

    process.on('uncaughtException', async (error) => {
      console.error('[cwc-auth] Uncaught Exception:', error);

      // Log to database if enabled
      if (config.logErrorsToDatabase) {
        await logger.logError({
          userPkId: undefined,
          codeLocation: 'index.ts:uncaughtException',
          message: 'Uncaught Exception',
          error,
        });
      }

      // Always exit on uncaught exception
      process.exit(1);
    });
  } catch (error) {
    console.error('[cwc-auth] Failed to start service:', error);
    process.exit(1);
  }
}

// Start the service
main();

// Export for testing
export { main };

Version 2 (latest)

import {
  loadDotEnv,
  createExpressService,
  SqlClient,
  Logger,
  type ExpressApi,
  type BackendUtilsConfig,
} from 'cwc-backend-utils';
import type { RuntimeEnvironment } from 'cwc-types';
import type { CwcAuthConfig } from './config';
import { loadConfig } from './config';
import { LogonApiV1 } from './apis/LogonApiV1';
import { ServiceApiV1 } from './apis/ServiceApiV1';

console.log(`
  d8888  888     888 88888888888 888    888
 d88888  888     888     888     888    888
d88P888  888     888     888     888    888
d88P 888 888     888     888     8888888888
d88P  888 888     888     888     888    888
d88P   888 888     888     888     888    888
d8888888888 Y88b. .d88P     888     888    888
d88P     888  "Y88888P"      888     888    888
`);

/**
 * Converts CwcAuthConfig to BackendUtilsConfig for createExpressService
 */
function createBackendUtilsConfig(authConfig: CwcAuthConfig): BackendUtilsConfig {
  return {
    debugMode: authConfig.debugMode,
    dataUri: authConfig.dataUri,
    logErrorsToDatabase: authConfig.logErrorsToDatabase,
    isDevelopment: authConfig.isDevelopment,
    isTest: authConfig.isTest,
    isProduction: authConfig.isProduction,
    isUnitTest: authConfig.isUnitTest,
    isEndToEnd: authConfig.isEndToEnd,
    corsOrigin: authConfig.corsOrigin,
    servicePort: authConfig.servicePort,
    rateLimiterPoints: authConfig.rateLimiterPoints,
    rateLimiterDuration: authConfig.rateLimiterDuration,
    devCorsOrigin: authConfig.devCorsOrigin,
  };
}

/**
 * Main entry point for the cwc-auth microservice
 */
async function main(): Promise<void> {
  try {
    console.log('[cwc-auth] Starting cwc-auth microservice...');

    // Load environment variables
    loadDotEnv({
      serviceName: 'cwc-auth',
      environment: (process.env['RUNTIME_ENVIRONMENT'] as RuntimeEnvironment) || 'dev',
      debug: process.env['DEBUG_MODE'] === 'ON',
    });

    // Load and validate configuration
    const config = loadConfig();

    console.log('[cwc-auth] Configuration loaded successfully');

    // Create BackendUtilsConfig for shared utilities
    const backendConfig = createBackendUtilsConfig(config);

    // Create Logger (uses database for error logging)
    const logger = new Logger({ config: backendConfig, serviceName: 'cwc-auth' });

    // Create SqlClient for database operations
    const sqlClient = new SqlClient({
      config: backendConfig,
      enableLogging: config.logErrorsToDatabase,
      logger,
      clientName: 'cwc-auth',
    });

    // Create API instances
    const apis: ExpressApi[] = [
      new LogonApiV1(config, sqlClient, logger),
      new ServiceApiV1(config, sqlClient, logger),
    ];

    // Create Express service
    const service = createExpressService({
      config: backendConfig,
      serviceName: 'cwc-auth',
      apis,
      allowGet: false,
      allowOptions: true,
      allowPost: true,
      payloadLimit: undefined,
    });

    // Start the service
    service.start(apis);

    console.log('');
    console.log('='.repeat(60));
    console.log(`[cwc-auth] Service started successfully`);
    console.log(`[cwc-auth] Environment: ${config.runtimeEnvironment}`);
    console.log(`[cwc-auth] Port: ${config.servicePort}`);
    console.log(`[cwc-auth] Data URI: ${config.dataUri}`);
    console.log(`[cwc-auth] Debug: ${config.debugMode ? 'enabled' : 'disabled'}`);
    console.log('='.repeat(60));
    console.log('');

    // Handle graceful shutdown
    const shutdown = async (signal: string): Promise<void> => {
      console.log(`\n[cwc-auth] Received ${signal}, shutting down gracefully...`);

      try {
        // Close HTTP server
        await new Promise<void>((resolve, reject) => {
          service.httpServer.close((err) => {
            if (err) {
              reject(err);
            } else {
              resolve();
            }
          });
        });

        console.log('[cwc-auth] HTTP server closed');
        console.log('[cwc-auth] Shutdown complete');
        process.exit(0);
      } catch (error) {
        console.error('[cwc-auth] Error during shutdown:', error);
        process.exit(1);
      }
    };

    // Register shutdown handlers
    process.on('SIGTERM', () => shutdown('SIGTERM'));
    process.on('SIGINT', () => shutdown('SIGINT'));

    // Handle uncaught errors
    process.on('unhandledRejection', async (reason, promise) => {
      console.error('[cwc-auth] Unhandled Rejection at:', promise, 'reason:', reason);

      // Log to database if enabled
      if (config.logErrorsToDatabase) {
        await logger.logError({
          userPkId: undefined,
          codeLocation: 'index.ts:unhandledRejection',
          message: 'Unhandled Rejection',
          error: reason,
        });
      }

      // Don't exit on unhandled rejection in production
      if (!config.isProduction) {
        process.exit(1);
      }
    });

    process.on('uncaughtException', async (error) => {
      console.error('[cwc-auth] Uncaught Exception:', error);

      // Log to database if enabled
      if (config.logErrorsToDatabase) {
        await logger.logError({
          userPkId: undefined,
          codeLocation: 'index.ts:uncaughtException',
          message: 'Uncaught Exception',
          error,
        });
      }

      // Always exit on uncaught exception
      process.exit(1);
    });
  } catch (error) {
    console.error('[cwc-auth] Failed to start service:', error);
    process.exit(1);
  }
}

// Start the service
main();

// Export for testing
export { main };

packages/cwc-backend-utils/CLAUDE.md

2 versions

Version 1

cwc-backend-utils Package

Backend utilities for CWC microservices. Node.js-specific utilities only.

Critical Architecture Rule

Only cwc-sql Talks to Database:

✅ All backend services MUST use SqlClient HTTP client
✅ All database operations flow through cwc-sql service via POST /data/v1/command
❌ NEVER import MariaDB or execute SQL from other packages

JWT Authentication - CRITICAL Security Rules

Token Specifications:

Algorithm: RS256 (RSA public/private key pairs)
Expiration: 30 seconds (short-lived by design)
Auto-refresh: Generate new token when <5s remain before expiry
Payload: { dataJwtId, clientName, exp, iat }

Key File Locations:

Local development: ../../../cwc-secrets/sql-client-api-keys/
Server deployment: ./sql-client-api-keys/

CORS Configuration - Environment-Specific Behavior

Development (isDevelopment: true):

Reflects request origin in Access-Control-Allow-Origin
Allows credentials
Wide open for local development

Test (isTest: true):

Allows Docker network IPs (192.1.1.x)
Allows devMachines IPs with devCorsOrigin
Falls back to corsOrigin for other requests

Production (isProduction: true):

Strict corsOrigin only
No dynamic origins

Rate Limiting Configuration

Configurable via BackendUtilsConfig:

rateLimiterPoints - Max requests per duration (default: 100)
rateLimiterDuration - Time window in seconds (default: 60)
Returns 429 status when exceeded
Memory-based rate limiting per IP

Environment Loading - Data Path Resolution

loadDotEnv Path Resolution:

Local development (dev/unit/e2e):

Path: ../../../../private/cwc-secrets/env/{environment}.{serviceName}.env
Example: ../../../../private/cwc-secrets/env/dev.cwc-api.env

Server deployment (test/prod):

Path: ../../.env.{environment}
Example: ../../.env.test

CRITICAL: Data path pattern MUST include service name to prevent conflicts:

Pattern: {deploymentName}-{serviceName}/data
Example: test-cwc-database/data vs test-mariadb/data

Logger Error Handling

Direct Database Write:

Logger uses SqlClient internally to write to errorLog table
Automatically truncates fields to DB limits (error: 2000 chars, stack: 2000 chars)
Extracts message and stack from Error objects
JSON serializes objects automatically
Tags all logs with serviceName
Debug mode only: logInformation and logDebug output

Express Service Factory - Built-in Middleware

Automatically applies (in order):

Rate Limiter - Memory-based per IP
Helmet - Security headers
CORS - Environment-specific origins
Invalid Routes - Blocks non-registered paths
Error Handling - Captures and logs errors

Invalid Routes Protection:

Rejects HTTP methods not in allowGet/allowPost/allowOptions
Rejects paths that don't start with registered API paths
Returns 400 status with "unsupported" message

Request Utilities

getRemoteIpAddress(req) resolution order:

x-real-ip header (set by nginx proxy)
origin header hostname
req.ip (strips ::ffff: IPv6 prefix if present)

Critical Bugs to Avoid

Environment Variables:

Use process.env['VAR_NAME'] bracket notation (not dot notation)
Use 'dev' not 'development' (matches RuntimeEnvironment type)
Use 'prod' not 'production'

Type Safety:

Extend Express.Request in global namespace, not express-serve-static-core

Configuration Types

BackendUtilsConfig: Complete config with SqlClient/database features

Includes: dataUri, logErrorsToDatabase

BackendUtilsConfigBasic: Simplified config without SqlClient

Omits: dataUri, logErrorsToDatabase
Use for services that don't need database access

Node.js Compatibility

Node.js-only package:

✅ CAN use Node.js APIs (fs, path, crypto, os, http, etc.)
✅ CAN use Node.js-specific packages
❌ NOT browser-compatible
Target: Node.js 22+

Adding New Utilities

Utilities that belong here:

File system operations
Environment configuration helpers
Server-side hashing/crypto
Request/response formatting
Error handling utilities
Logging helpers
JWT utilities
API response builders
Node.js-specific validation

Utilities that DON'T belong here:

Cross-platform utilities → Use cwc-utils
Type definitions → Use cwc-types
Schema definitions → Use cwc-schema
Database queries → Use cwc-database or cwc-sql

Related Packages

Consumed By:

cwc-api, cwc-auth, cwc-admin-api, cwc-sql - All backend microservices

Depends On:

cwc-types (workspace) - Shared TypeScript types

Version 2 (latest)

cwc-backend-utils Package

Backend utilities for CWC microservices. Node.js-specific utilities only.

Critical Architecture Rule

Only cwc-sql Talks to Database:

✅ All backend services MUST use SqlClient HTTP client
✅ All database operations flow through cwc-sql service via POST /data/v1/command
❌ NEVER import MariaDB or execute SQL from other packages

JWT Authentication - CRITICAL Security Rules

Token Specifications:

Algorithm: RS256 (RSA public/private key pairs)
Expiration: 30 seconds (short-lived by design)
Auto-refresh: Generate new token when <5s remain before expiry
Payload: { dataJwtId, clientName, exp, iat }

Key File Locations:

Local development: ../../../cwc-secrets/sql-client-api-keys/
Server deployment: ./sql-client-api-keys/

CORS Configuration - Environment-Specific Behavior

Development (isDevelopment: true):

Reflects request origin in Access-Control-Allow-Origin
Allows credentials
Wide open for local development

Test (isTest: true):

Allows devCorsOrigin for localhost development against test services
Falls back to corsOrigin for other requests
Browser security enforces origin headers (cannot be forged)

Production (isProduction: true):

Strict corsOrigin only
No dynamic origins

Rate Limiting Configuration

Configurable via BackendUtilsConfig:

rateLimiterPoints - Max requests per duration (default: 100)
rateLimiterDuration - Time window in seconds (default: 60)
Returns 429 status when exceeded
Memory-based rate limiting per IP

Environment Loading - Data Path Resolution

loadDotEnv Path Resolution:

Local development (dev/unit/e2e):

Path: ../../../../private/cwc-secrets/env/{environment}.{serviceName}.env
Example: ../../../../private/cwc-secrets/env/dev.cwc-api.env

Server deployment (test/prod):

Path: ../../.env.{environment}
Example: ../../.env.test

CRITICAL: Data path pattern MUST include service name to prevent conflicts:

Pattern: {deploymentName}-{serviceName}/data
Example: test-cwc-database/data vs test-mariadb/data

Logger Error Handling

Direct Database Write:

Logger uses SqlClient internally to write to errorLog table
Automatically truncates fields to DB limits (error: 2000 chars, stack: 2000 chars)
Extracts message and stack from Error objects
JSON serializes objects automatically
Tags all logs with serviceName
Debug mode only: logInformation and logDebug output

Express Service Factory - Built-in Middleware

Automatically applies (in order):

Rate Limiter - Memory-based per IP
Helmet - Security headers
CORS - Environment-specific origins
Invalid Routes - Blocks non-registered paths
Error Handling - Captures and logs errors

Invalid Routes Protection:

Rejects HTTP methods not in allowGet/allowPost/allowOptions
Rejects paths that don't start with registered API paths
Returns 400 status with "unsupported" message

Request Utilities

getRemoteIpAddress(req) resolution order:

x-real-ip header (set by nginx proxy)
origin header hostname
req.ip (strips ::ffff: IPv6 prefix if present)

Critical Bugs to Avoid

Environment Variables:

Use process.env['VAR_NAME'] bracket notation (not dot notation)
Use 'dev' not 'development' (matches RuntimeEnvironment type)
Use 'prod' not 'production'

Type Safety:

Extend Express.Request in global namespace, not express-serve-static-core

Configuration Types

BackendUtilsConfig: Complete config with SqlClient/database features

Includes: dataUri, logErrorsToDatabase

BackendUtilsConfigBasic: Simplified config without SqlClient

Omits: dataUri, logErrorsToDatabase
Use for services that don't need database access

Node.js Compatibility

Node.js-only package:

✅ CAN use Node.js APIs (fs, path, crypto, os, http, etc.)
✅ CAN use Node.js-specific packages
❌ NOT browser-compatible
Target: Node.js 22+

Adding New Utilities

Utilities that belong here:

File system operations
Environment configuration helpers
Server-side hashing/crypto
Request/response formatting
Error handling utilities
Logging helpers
JWT utilities
API response builders
Node.js-specific validation

Utilities that DON'T belong here:

Cross-platform utilities → Use cwc-utils
Type definitions → Use cwc-types
Schema definitions → Use cwc-schema
Database queries → Use cwc-database or cwc-sql

Related Packages

Consumed By:

cwc-api, cwc-auth, cwc-admin-api, cwc-sql - All backend microservices

Depends On:

cwc-types (workspace) - Shared TypeScript types

packages/cwc-backend-utils/README.md

3 versions

Version 1

cwc-backend-utils

Backend utilities for the Coding with Claude (CWC) platform. Provides shared Node.js-specific utilities for all CWC microservices.

Overview

cwc-backend-utils provides the foundational building blocks for CWC backend services:

SqlClient - HTTP client for communicating with cwc-sql service
Logger - Centralized error logging to database
Express Service Factory - Complete Express server setup with security built-in
Environment Loading - Smart .env file resolution
JWT Token Management - Auto-refreshing service-to-service authentication
Request Utilities - IP address extraction and request helpers

Architecture

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  cwc-auth   │     │   cwc-api   │     │cwc-admin-api│
│             │     │             │     │             │
└──────┬──────┘     └──────┬──────┘     └──────┬──────┘
       │                   │                   │
       │  SqlClient (HTTP)  │  SqlClient (HTTP)  │  SqlClient (HTTP)
       │  JWT RS256 auth   │  JWT RS256 auth   │  JWT RS256 auth
       │                   │                   │
       └───────────────────┼───────────────────┘
                           │
                           ▼
                    ┌─────────────┐
                    │   cwc-sql   │
                    │  (Express)  │
                    │  Port 5003  │
                    └──────┬──────┘
                           │
                    Schema validation
                    SQL generation
                    Query caching
                           │
                           ▼
                    ┌─────────────┐
                    │  MariaDB    │
                    │  Database   │
                    └─────────────┘

Key Principles

Only cwc-sql talks to database - All other services use SqlClient client
JWT authentication - SqlClient uses RS256 signed JWTs for service-to-service auth
Request-scoped operations - All operations include userPkId for security/auditing
Centralized error logging - Logger writes errors to database via SqlClient

SqlClient

HTTP client for communicating with the cwc-sql service. All backend services use SqlClient instead of direct database access.

Core Methods

query(options) - Execute SELECT operations

const sqlClient = new SqlClient({ config, enableLogging: true, logger, clientName: 'cwc-api' });

const command = sqlClient.selectCommand({
  table: 'user',
  filters: { email: 'user@example.com' },
  fields: ['userPkId', 'username', 'email'],
});

const response = await sqlClient.query({ userPkId, command });
const user = sqlClient.getFirstResult<CwcUser>(response);

mutate(options) - Execute INSERT, UPDATE, DELETE operations

// INSERT
const command = sqlClient.insertCommand({
  table: 'user',
  values: { username: 'johndoe', email: 'john@example.com' },
});

const response = await sqlClient.mutate({ userPkId, command });
const insertId = sqlClient.getInsertResultId(response);

// UPDATE
const updateCommand = sqlClient.updateCommand({
  table: 'user',
  filters: { userPkId: 123 },
  values: { email: 'newemail@example.com' },
});

await sqlClient.mutate({ userPkId, command: updateCommand });

// DELETE
const deleteCommand = sqlClient.deleteCommand({
  table: 'user',
  filters: { userPkId: 123 },
});

await sqlClient.mutate({ userPkId, command: deleteCommand });

Command Builders

emptyCommand(transaction) - Create empty command for batch operations

const command = sqlClient.emptyCommand(true); // transaction = true
sqlClient.addOperation({
  command,
  table: 'user',
  operationType: 'insert',
  operationDetails: { values: { username: 'user1' } },
});
sqlClient.addOperation({
  command,
  table: 'project',
  operationType: 'insert',
  operationDetails: { values: { projectId: 'my-project' } },
});

const response = await sqlClient.mutate({ userPkId, command });

Advanced Queries

// With sorting and limiting
const command = sqlClient.selectCommand({
  table: 'project',
  filters: { userPkId: 123 },
  fields: ['projectPkId', 'projectId', 'title'],
  sort: [{ fieldName: 'createdDate', direction: 'DESC' }],
  limit: { recordCount: 10, startIndex: 0 },
});

// Custom SQL
const command = sqlClient.selectCommand({
  custom: {
    customSql: 'SELECT * FROM user WHERE username LIKE :pattern',
    customParams: { pattern: '%john%' },
    customTables: ['user'],
  },
});

Helper Methods

Result extraction for queries:

getFirstResult<T>(response) - Get first result from operation-0
getSecondResult<T>(response) - Get first result from operation-1
getResult<T>(response, name, index) - Get specific result
getFirstResults<T>(response) - Get all results from operation-0
getSecondResults<T>(response) - Get all results from operation-1
getResults<T>(response, name) - Get all results from named operation

Result extraction for mutations:

getInsertResult(response, operationName?) - Returns true if 1 row inserted
getInsertResultId(response, operationName?) - Returns insertId
getUpdateResult(response, operationName?) - Returns true if 1+ rows updated
getDeleteResult(response, operationName?) - Returns true if 1+ rows deleted

Logger

Centralized error logging to database. Logs errors, information, and debug messages.

Usage

import { Logger } from 'cwc-backend-utils';

const logger = new Logger({ config, serviceName: 'cwc-api' });

// Log errors
await logger.logError({
  userPkId: 123,
  codeLocation: 'api/handlers/users.ts:45',
  message: 'Failed to create user',
  error: err, // Error object or string
  value: { username, email }, // Additional context
  request: JSON.stringify(req.body), // Request data
});

// Log informational messages (debug mode only)
logger.logInformation({
  userPkId: 123,
  codeLocation: 'api/handlers/users.ts:30',
  message: 'User creation started',
  value: { username, email },
});

// Log debug messages (debug mode only)
logger.logDebug({
  userPkId: 123,
  codeLocation: 'api/handlers/users.ts:35',
  message: 'Validating user input',
  value: { username },
});

Features

Database logging: Writes to errorLog table via SqlClient
Automatic truncation: Limits field lengths (error: 2000 chars, stack: 2000 chars, etc.)
Error parsing: Extracts message and stack from Error objects
JSON serialization: Automatically stringifies objects
Debug mode: logInformation and logDebug only output in debug mode
Service identification: Tags all logs with serviceName

Configuration

Requires BackendUtilsConfig with:

logErrorsToDatabase: true - Enable database logging
debugMode: true - Enable console output for logInformation/logDebug
dataUri - cwc-sql service URL

Express Service Factory

Create fully-configured Express servers with security, CORS, rate limiting, and error handling built-in.

Usage

import { createExpressService, ExpressApi } from 'cwc-backend-utils';

// Define your API endpoints
const apis: ExpressApi[] = [
  { version: 1, path: '/api/v1/users', handler: usersHandler },
  { version: 1, path: '/api/v1/auth', handler: authHandler },
];

// Create service
const service = createExpressService({
  config,
  serviceName: 'cwc-api',
  apis,
  allowGet: true,
  allowPost: true,
  allowOptions: true,
  payloadLimit: '10mb', // Optional, default is Express default
});

// Start server
service.start(apis);
service.httpServer.listen(config.servicePort, () => {
  console.log(`Server running on port ${config.servicePort}`);
});

Built-in Middleware (Applied Automatically)

Rate Limiter - Memory-based rate limiting per IP
Helmet - Security headers
CORS - Configurable CORS with environment-specific origins
Invalid Routes - Blocks requests to non-registered paths
Error Handling - Captures and logs request/response errors
Logger Integration - Auto-creates Logger if config has dataUri

CORS Configuration

CORS behavior varies by environment:

Development (isDevelopment: true):

Reflects request origin in Access-Control-Allow-Origin
Allows credentials
Wide open for local development

Test (isTest: true):

Allows requests from Docker network IPs (192.1.1.x)
Allows devMachines IPs with devCorsOrigin
Falls back to corsOrigin for other requests

Production (isProduction: true):

Strict corsOrigin only
No dynamic origins

Rate Limiter

Configurable via BackendUtilsConfig:

rateLimiterPoints - Max requests per duration (default: 100)
rateLimiterDuration - Time window in seconds (default: 60)
Returns 429 status when exceeded

Invalid Routes Protection

Automatically rejects:

HTTP methods not in allowGet/allowPost/allowOptions
Paths that don't start with registered API paths
Returns 400 status with "unsupported" message

Environment Loading

Load environment-specific .env files based on runtime environment and service name.

Usage

import { loadDotEnv } from 'cwc-backend-utils';

loadDotEnv({
  serviceName: 'cwc-api',
  environment: 'dev', // 'dev' | 'test' | 'prod' | 'unit' | 'e2e'
  debug: true, // Optional: log path resolution
});

// Now process.env is populated
const dbHost = process.env.DB_HOST;

Path Resolution

Local development (dev/unit/e2e):

Looks for: ../../../../private/cwc-secrets/env/{environment}.{serviceName}.env
Example: ../../../../private/cwc-secrets/env/dev.cwc-api.env

Server deployment (test/prod):

Looks for: ../../.env.{environment}
Example: ../../.env.test

Debug Mode

When debug: true, logs:

Environment detection (runningOnServer, runningLocally)
Resolved file name
Resolved absolute path
Loaded ENVIRONMENT variable

Configuration Types

BackendUtilsConfig

Complete configuration for services using SqlClient and database features:

type BackendUtilsConfig = {
  // Environment flags
  debugMode: boolean;
  isDevelopment: boolean;
  isTest: boolean;
  isProduction: boolean;
  isUnitTest: boolean;
  isEndToEnd: boolean;

  // Service URLs
  dataUri: string; // cwc-sql service URL
  servicePort: number; // Port for this service

  // Features
  logErrorsToDatabase: boolean;

  // CORS
  corsOrigin: string; // Production origin
  devCorsOrigin: string; // Development origin

  // Rate limiting
  rateLimiterPoints: number; // Max requests per duration
  rateLimiterDuration: number; // Duration in seconds

  // Development
  devMachines?: { name: string; ip: string }[];

  // Service API (optional)
  serviceApi?: { allowedIps: string };

  // End-to-end testing mock values
  endToEndMockValues?: Record<string, string>;
};

BackendUtilsConfigBasic

Simplified config for services that don't use SqlClient:

type BackendUtilsConfigBasic = Omit<BackendUtilsConfig, 'dataUri' | 'logErrorsToDatabase'>;

Use this for services that don't need database access.

SqlClientKeysUtil

Manages JWT tokens for SqlClient authentication. Internal utility used by SqlClient class.

Features

Automatic refresh: Generates new tokens when <5s remain before expiry
RS256 signing: Uses RSA public/private key pairs
30-second expiration: Tokens valid for 30 seconds (auto-refresh ensures continuity)
Key loading: Reads keys from sql-client-api-keys/ directory

Key File Locations

Local development:

../../../cwc-secrets/sql-client-api-keys/sql-client-api-key-private.pem
../../../cwc-secrets/sql-client-api-keys/sql-client-api-key-public.pem

Server deployment:

./sql-client-api-keys/sql-client-api-key-private.pem
./sql-client-api-keys/sql-client-api-key-public.pem

Token Payload

{
  dataJwtId: '550e8400-e29b-41d4-a716-446655440000', // UUID v4
  clientName: 'cwc-api', // Backend service name
  exp: 1234567890, // Expiration timestamp
  iat: 1234567860  // Issued at timestamp
}

Request Utilities

getRemoteIpAddress(req)

Extract the real client IP address from Express request, handling proxy headers and IPv6 formatting.

import { getRemoteIpAddress } from 'cwc-backend-utils';

app.use((req, res, next) => {
  const clientIp = getRemoteIpAddress(req);
  console.log('Client IP:', clientIp);
  next();
});

Resolution order:

x-real-ip header (set by nginx proxy)
origin header hostname
req.ip (strips ::ffff: IPv6 prefix if present)

Complete Service Example

Typical backend service setup using cwc-backend-utils:

// src/index.ts
import {
  loadDotEnv,
  createExpressService,
  SqlClient,
  Logger,
  BackendUtilsConfig,
  ExpressApi,
} from 'cwc-backend-utils';
import { RequestHandler } from 'express';

// Load environment variables
loadDotEnv({
  serviceName: 'cwc-api',
  environment: process.env.NODE_ENV as RuntimeEnvironment,
});

// Build configuration
const config: BackendUtilsConfig = {
  debugMode: process.env.DEBUG_MODE === 'true',
  isDevelopment: process.env.NODE_ENV === 'dev',
  isTest: process.env.NODE_ENV === 'test',
  isProduction: process.env.NODE_ENV === 'prod',
  isUnitTest: process.env.NODE_ENV === 'unit',
  isEndToEnd: process.env.NODE_ENV === 'e2e',
  dataUri: process.env.DATA_URI!,
  servicePort: parseInt(process.env.SERVICE_PORT!, 10),
  logErrorsToDatabase: true,
  corsOrigin: process.env.CORS_ORIGIN!,
  devCorsOrigin: process.env.DEV_CORS_ORIGIN!,
  rateLimiterPoints: 100,
  rateLimiterDuration: 60,
  devMachines: JSON.parse(process.env.DEV_MACHINES || '[]'),
};

// Initialize shared services
const sqlClient = new SqlClient({
  config,
  enableLogging: true,
  logger: undefined, // Will be created by Logger if needed
  clientName: 'cwc-api',
});

const logger = new Logger({ config, serviceName: 'cwc-api' });

// Define API handlers
const usersHandler: RequestHandler = async (req, res) => {
  try {
    const { userPkId } = req.user; // From auth middleware

    const command = sqlClient.selectCommand({
      table: 'user',
      filters: { userPkId },
    });

    const response = await sqlClient.query({ userPkId, command });
    const user = sqlClient.getFirstResult(response);

    res.json({ success: true, user });
  } catch (error) {
    await logger.logError({
      userPkId: req.user?.userPkId,
      codeLocation: 'handlers/users.ts:25',
      message: 'Failed to fetch user',
      error,
      request: JSON.stringify(req.body),
    });
    res.status(500).json({ success: false, error: 'Internal server error' });
  }
};

// Define APIs
const apis: ExpressApi[] = [{ version: 1, path: '/api/v1/users', handler: usersHandler }];

// Create and start service
const service = createExpressService({
  config,
  serviceName: 'cwc-api',
  apis,
  allowGet: true,
  allowPost: true,
  allowOptions: true,
  payloadLimit: undefined,
});

service.start(apis);
service.httpServer.listen(config.servicePort, () => {
  console.log(`cwc-api listening on port ${config.servicePort}`);
});

Dependencies

Runtime dependencies:

express (^5.1.0) - Web framework
axios (^1.13.2) - HTTP client for SqlClient
helmet (^8.1.0) - Security headers
rate-limiter-flexible (^8.2.1) - Rate limiting
jsonwebtoken (^9.0.2) - JWT signing/verification
uuid (^13.0.0) - UUID generation
dotenv (^17.2.3) - Environment variable loading
cwc-types (workspace) - Shared TypeScript types

Dev dependencies:

@types/express - Express type definitions
@types/jsonwebtoken - JWT type definitions
typescript - TypeScript compiler

Node.js Compatibility

cwc-backend-utils is designed ONLY for Node.js environments:

✅ Can use Node.js APIs (fs, path, crypto, os, http, etc.) ✅ Can use Node.js-specific packages ✅ ES modules output ✅ Tree-shakeable ❌ NOT browser-compatible

Target Environment:

Node.js 22+
Backend microservices (cwc-api, cwc-auth, cwc-admin-api, cwc-sql)

Adding New Utilities

When adding utilities to this package:

Node.js-specific utilities only:
- File system operations
- Path manipulation
- Environment variable parsing
- Crypto/hashing utilities
- Process management helpers
- Server-side validation
Keep dependencies minimal:
- Prefer zero dependencies
- Use built-in Node.js modules when possible
- Document any dependencies clearly
Maintain tree-shakeability:
- Export utilities as named exports
- Avoid side effects in module loading
- Keep utilities independent where possible
Follow existing patterns:
- TypeScript with strict mode
- Comprehensive JSDoc comments
- Include usage examples
- Export from src/index.ts
Update documentation:
- Add section to this README
- Update CLAUDE.md if AI-critical patterns
- Include usage examples

Guidelines for Backend Utilities

Utilities that belong in cwc-backend-utils:

File system utilities
Environment configuration helpers
Server-side hashing/crypto
Request/response formatting
Error handling utilities
Logging helpers
JWT utilities
API response builders
Node.js-specific validation

Utilities that DON'T belong here:

Cross-platform utilities → Use cwc-utils
Type definitions → Use cwc-types
Schema definitions → Use cwc-schema
Database queries → Use cwc-database or cwc-sql
UI components → Not applicable (backend-only)

Related Packages

Consumed By:

cwc-api - Main API backend
cwc-auth - Authentication service
cwc-admin-api - Admin API backend
cwc-sql - Database service (uses Logger, Express service)
Any backend microservice

Depends On:

cwc-types (workspace) - Shared TypeScript types and entity definitions

Related:

cwc-utils - Cross-platform utilities (browser + Node.js)
cwc-schema - Schema definitions and validation
cwc-database - Database schema and migrations

License

UNLICENSED - Private project

Version 2

cwc-backend-utils

Backend utilities for the Coding with Claude (CWC) platform. Provides shared Node.js-specific utilities for all CWC microservices.

Overview

cwc-backend-utils provides the foundational building blocks for CWC backend services:

SqlClient - HTTP client for communicating with cwc-sql service
Logger - Centralized error logging to database
Express Service Factory - Complete Express server setup with security built-in
Environment Loading - Smart .env file resolution
JWT Token Management - Auto-refreshing service-to-service authentication
Request Utilities - IP address extraction and request helpers

Architecture

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  cwc-auth   │     │   cwc-api   │     │cwc-admin-api│
│             │     │             │     │             │
└──────┬──────┘     └──────┬──────┘     └──────┬──────┘
       │                   │                   │
       │  SqlClient (HTTP)  │  SqlClient (HTTP)  │  SqlClient (HTTP)
       │  JWT RS256 auth   │  JWT RS256 auth   │  JWT RS256 auth
       │                   │                   │
       └───────────────────┼───────────────────┘
                           │
                           ▼
                    ┌─────────────┐
                    │   cwc-sql   │
                    │  (Express)  │
                    │  Port 5003  │
                    └──────┬──────┘
                           │
                    Schema validation
                    SQL generation
                    Query caching
                           │
                           ▼
                    ┌─────────────┐
                    │  MariaDB    │
                    │  Database   │
                    └─────────────┘

Key Principles

Only cwc-sql talks to database - All other services use SqlClient client
JWT authentication - SqlClient uses RS256 signed JWTs for service-to-service auth
Request-scoped operations - All operations include userPkId for security/auditing
Centralized error logging - Logger writes errors to database via SqlClient

SqlClient

HTTP client for communicating with the cwc-sql service. All backend services use SqlClient instead of direct database access.

Core Methods

query(options) - Execute SELECT operations

const sqlClient = new SqlClient({ config, enableLogging: true, logger, clientName: 'cwc-api' });

const command = sqlClient.selectCommand({
  table: 'user',
  filters: { email: 'user@example.com' },
  fields: ['userPkId', 'username', 'email'],
});

const response = await sqlClient.query({ userPkId, command });
const user = sqlClient.getFirstResult<CwcUser>(response);

mutate(options) - Execute INSERT, UPDATE, DELETE operations

// INSERT
const command = sqlClient.insertCommand({
  table: 'user',
  values: { username: 'johndoe', email: 'john@example.com' },
});

const response = await sqlClient.mutate({ userPkId, command });
const insertId = sqlClient.getInsertResultId(response);

// UPDATE
const updateCommand = sqlClient.updateCommand({
  table: 'user',
  filters: { userPkId: 123 },
  values: { email: 'newemail@example.com' },
});

await sqlClient.mutate({ userPkId, command: updateCommand });

// DELETE
const deleteCommand = sqlClient.deleteCommand({
  table: 'user',
  filters: { userPkId: 123 },
});

await sqlClient.mutate({ userPkId, command: deleteCommand });

Command Builders

emptyCommand(transaction) - Create empty command for batch operations

const command = sqlClient.emptyCommand(true); // transaction = true
sqlClient.addOperation({
  command,
  table: 'user',
  operationType: 'insert',
  operationDetails: { values: { username: 'user1' } },
});
sqlClient.addOperation({
  command,
  table: 'project',
  operationType: 'insert',
  operationDetails: { values: { projectId: 'my-project' } },
});

const response = await sqlClient.mutate({ userPkId, command });

Advanced Queries

// With sorting and limiting
const command = sqlClient.selectCommand({
  table: 'project',
  filters: { userPkId: 123 },
  fields: ['projectPkId', 'projectId', 'title'],
  sort: [{ fieldName: 'createdDate', direction: 'DESC' }],
  limit: { recordCount: 10, startIndex: 0 },
});

// Custom SQL
const command = sqlClient.selectCommand({
  custom: {
    customSql: 'SELECT * FROM user WHERE username LIKE :pattern',
    customParams: { pattern: '%john%' },
    customTables: ['user'],
  },
});

Helper Methods

Result extraction for queries:

getFirstResult<T>(response) - Get first result from operation-0
getSecondResult<T>(response) - Get first result from operation-1
getResult<T>(response, name, index) - Get specific result
getFirstResults<T>(response) - Get all results from operation-0
getSecondResults<T>(response) - Get all results from operation-1
getResults<T>(response, name) - Get all results from named operation

Result extraction for mutations:

getInsertResult(response, operationName?) - Returns true if 1 row inserted
getInsertResultId(response, operationName?) - Returns insertId
getUpdateResult(response, operationName?) - Returns true if 1+ rows updated
getDeleteResult(response, operationName?) - Returns true if 1+ rows deleted

Logger

Centralized error logging to database. Logs errors, information, and debug messages.

Usage

import { Logger } from 'cwc-backend-utils';

const logger = new Logger({ config, serviceName: 'cwc-api' });

// Log errors
await logger.logError({
  userPkId: 123,
  codeLocation: 'api/handlers/users.ts:45',
  message: 'Failed to create user',
  error: err, // Error object or string
  value: { username, email }, // Additional context
  request: JSON.stringify(req.body), // Request data
});

// Log informational messages (debug mode only)
logger.logInformation({
  userPkId: 123,
  codeLocation: 'api/handlers/users.ts:30',
  message: 'User creation started',
  value: { username, email },
});

// Log debug messages (debug mode only)
logger.logDebug({
  userPkId: 123,
  codeLocation: 'api/handlers/users.ts:35',
  message: 'Validating user input',
  value: { username },
});

Features

Database logging: Writes to errorLog table via SqlClient
Automatic truncation: Limits field lengths (error: 2000 chars, stack: 2000 chars, etc.)
Error parsing: Extracts message and stack from Error objects
JSON serialization: Automatically stringifies objects
Debug mode: logInformation and logDebug only output in debug mode
Service identification: Tags all logs with serviceName

Configuration

Requires BackendUtilsConfig with:

logErrorsToDatabase: true - Enable database logging
debugMode: true - Enable console output for logInformation/logDebug
dataUri - cwc-sql service URL

Express Service Factory

Create fully-configured Express servers with security, CORS, rate limiting, and error handling built-in.

Usage

import { createExpressService, ExpressApi } from 'cwc-backend-utils';

// Define your API endpoints
const apis: ExpressApi[] = [
  { version: 1, path: '/api/v1/users', handler: usersHandler },
  { version: 1, path: '/api/v1/auth', handler: authHandler },
];

// Create service
const service = createExpressService({
  config,
  serviceName: 'cwc-api',
  apis,
  allowGet: true,
  allowPost: true,
  allowOptions: true,
  payloadLimit: '10mb', // Optional, default is Express default
});

// Start server
service.start(apis);
service.httpServer.listen(config.servicePort, () => {
  console.log(`Server running on port ${config.servicePort}`);
});

Built-in Middleware (Applied Automatically)

Rate Limiter - Memory-based rate limiting per IP
Helmet - Security headers
CORS - Configurable CORS with environment-specific origins
Invalid Routes - Blocks requests to non-registered paths
Error Handling - Captures and logs request/response errors
Logger Integration - Auto-creates Logger if config has dataUri

CORS Configuration

CORS behavior varies by environment:

Development (isDevelopment: true):

Reflects request origin in Access-Control-Allow-Origin
Allows credentials
Wide open for local development

Test (isTest: true):

Allows requests from Docker network IPs (192.1.1.x)
Allows devMachines IPs with devCorsOrigin
Falls back to corsOrigin for other requests

Production (isProduction: true):

Strict corsOrigin only
No dynamic origins

Rate Limiter

Configurable via BackendUtilsConfig:

rateLimiterPoints - Max requests per duration (default: 100)
rateLimiterDuration - Time window in seconds (default: 60)
Returns 429 status when exceeded

Invalid Routes Protection

Automatically rejects:

HTTP methods not in allowGet/allowPost/allowOptions
Paths that don't start with registered API paths
Returns 400 status with "unsupported" message

Environment Loading

Load environment-specific .env files based on runtime environment and service name.

Usage

import { loadDotEnv } from 'cwc-backend-utils';

loadDotEnv({
  serviceName: 'cwc-api',
  environment: 'dev', // 'dev' | 'test' | 'prod' | 'unit' | 'e2e'
  debug: true, // Optional: log path resolution
});

// Now process.env is populated
const dbHost = process.env.DB_HOST;

Path Resolution

Local development (dev/unit/e2e):

Looks for: ../../../../private/cwc-secrets/env/{environment}.{serviceName}.env
Example: ../../../../private/cwc-secrets/env/dev.cwc-api.env

Server deployment (test/prod):

Looks for: ../../.env.{environment}
Example: ../../.env.test

Debug Mode

When debug: true, logs:

Environment detection (runningOnServer, runningLocally)
Resolved file name
Resolved absolute path
Loaded ENVIRONMENT variable

Configuration Types

BackendUtilsConfig

Complete configuration for services using SqlClient and database features:

type BackendUtilsConfig = {
  // Environment flags
  debugMode: boolean;
  isDevelopment: boolean;
  isTest: boolean;
  isProduction: boolean;
  isUnitTest: boolean;
  isEndToEnd: boolean;

  // Service URLs
  dataUri: string; // cwc-sql service URL
  servicePort: number; // Port for this service

  // Features
  logErrorsToDatabase: boolean;

  // CORS
  corsOrigin: string; // Production origin
  devCorsOrigin: string; // Development origin

  // Rate limiting
  rateLimiterPoints: number; // Max requests per duration
  rateLimiterDuration: number; // Duration in seconds

  // Development
  devMachines?: { name: string; ip: string }[];

  // End-to-end testing mock values
  endToEndMockValues?: Record<string, string>;
};

BackendUtilsConfigBasic

Simplified config for services that don't use SqlClient:

type BackendUtilsConfigBasic = Omit<BackendUtilsConfig, 'dataUri' | 'logErrorsToDatabase'>;

Use this for services that don't need database access.

SqlClientKeysUtil

Manages JWT tokens for SqlClient authentication. Internal utility used by SqlClient class.

Features

Automatic refresh: Generates new tokens when <5s remain before expiry
RS256 signing: Uses RSA public/private key pairs
30-second expiration: Tokens valid for 30 seconds (auto-refresh ensures continuity)
Key loading: Reads keys from sql-client-api-keys/ directory

Key File Locations

Local development:

../../../cwc-secrets/sql-client-api-keys/sql-client-api-key-private.pem
../../../cwc-secrets/sql-client-api-keys/sql-client-api-key-public.pem

Server deployment:

./sql-client-api-keys/sql-client-api-key-private.pem
./sql-client-api-keys/sql-client-api-key-public.pem

Token Payload

{
  dataJwtId: '550e8400-e29b-41d4-a716-446655440000', // UUID v4
  clientName: 'cwc-api', // Backend service name
  exp: 1234567890, // Expiration timestamp
  iat: 1234567860  // Issued at timestamp
}

Request Utilities

getRemoteIpAddress(req)

Extract the real client IP address from Express request, handling proxy headers and IPv6 formatting.

import { getRemoteIpAddress } from 'cwc-backend-utils';

app.use((req, res, next) => {
  const clientIp = getRemoteIpAddress(req);
  console.log('Client IP:', clientIp);
  next();
});

Resolution order:

x-real-ip header (set by nginx proxy)
origin header hostname
req.ip (strips ::ffff: IPv6 prefix if present)

Complete Service Example

Typical backend service setup using cwc-backend-utils:

// src/index.ts
import {
  loadDotEnv,
  createExpressService,
  SqlClient,
  Logger,
  BackendUtilsConfig,
  ExpressApi,
} from 'cwc-backend-utils';
import { RequestHandler } from 'express';

// Load environment variables
loadDotEnv({
  serviceName: 'cwc-api',
  environment: process.env.NODE_ENV as RuntimeEnvironment,
});

// Build configuration
const config: BackendUtilsConfig = {
  debugMode: process.env.DEBUG_MODE === 'true',
  isDevelopment: process.env.NODE_ENV === 'dev',
  isTest: process.env.NODE_ENV === 'test',
  isProduction: process.env.NODE_ENV === 'prod',
  isUnitTest: process.env.NODE_ENV === 'unit',
  isEndToEnd: process.env.NODE_ENV === 'e2e',
  dataUri: process.env.DATA_URI!,
  servicePort: parseInt(process.env.SERVICE_PORT!, 10),
  logErrorsToDatabase: true,
  corsOrigin: process.env.CORS_ORIGIN!,
  devCorsOrigin: process.env.DEV_CORS_ORIGIN!,
  rateLimiterPoints: 100,
  rateLimiterDuration: 60,
  devMachines: JSON.parse(process.env.DEV_MACHINES || '[]'),
};

// Initialize shared services
const sqlClient = new SqlClient({
  config,
  enableLogging: true,
  logger: undefined, // Will be created by Logger if needed
  clientName: 'cwc-api',
});

const logger = new Logger({ config, serviceName: 'cwc-api' });

// Define API handlers
const usersHandler: RequestHandler = async (req, res) => {
  try {
    const { userPkId } = req.user; // From auth middleware

    const command = sqlClient.selectCommand({
      table: 'user',
      filters: { userPkId },
    });

    const response = await sqlClient.query({ userPkId, command });
    const user = sqlClient.getFirstResult(response);

    res.json({ success: true, user });
  } catch (error) {
    await logger.logError({
      userPkId: req.user?.userPkId,
      codeLocation: 'handlers/users.ts:25',
      message: 'Failed to fetch user',
      error,
      request: JSON.stringify(req.body),
    });
    res.status(500).json({ success: false, error: 'Internal server error' });
  }
};

// Define APIs
const apis: ExpressApi[] = [{ version: 1, path: '/api/v1/users', handler: usersHandler }];

// Create and start service
const service = createExpressService({
  config,
  serviceName: 'cwc-api',
  apis,
  allowGet: true,
  allowPost: true,
  allowOptions: true,
  payloadLimit: undefined,
});

service.start(apis);
service.httpServer.listen(config.servicePort, () => {
  console.log(`cwc-api listening on port ${config.servicePort}`);
});

Dependencies

Runtime dependencies:

express (^5.1.0) - Web framework
axios (^1.13.2) - HTTP client for SqlClient
helmet (^8.1.0) - Security headers
rate-limiter-flexible (^8.2.1) - Rate limiting
jsonwebtoken (^9.0.2) - JWT signing/verification
uuid (^13.0.0) - UUID generation
dotenv (^17.2.3) - Environment variable loading
cwc-types (workspace) - Shared TypeScript types

Dev dependencies:

@types/express - Express type definitions
@types/jsonwebtoken - JWT type definitions
typescript - TypeScript compiler

Node.js Compatibility

cwc-backend-utils is designed ONLY for Node.js environments:

✅ Can use Node.js APIs (fs, path, crypto, os, http, etc.) ✅ Can use Node.js-specific packages ✅ ES modules output ✅ Tree-shakeable ❌ NOT browser-compatible

Target Environment:

Node.js 22+
Backend microservices (cwc-api, cwc-auth, cwc-admin-api, cwc-sql)

Adding New Utilities

When adding utilities to this package:

Node.js-specific utilities only:
- File system operations
- Path manipulation
- Environment variable parsing
- Crypto/hashing utilities
- Process management helpers
- Server-side validation
Keep dependencies minimal:
- Prefer zero dependencies
- Use built-in Node.js modules when possible
- Document any dependencies clearly
Maintain tree-shakeability:
- Export utilities as named exports
- Avoid side effects in module loading
- Keep utilities independent where possible
Follow existing patterns:
- TypeScript with strict mode
- Comprehensive JSDoc comments
- Include usage examples
- Export from src/index.ts
Update documentation:
- Add section to this README
- Update CLAUDE.md if AI-critical patterns
- Include usage examples

Guidelines for Backend Utilities

Utilities that belong in cwc-backend-utils:

File system utilities
Environment configuration helpers
Server-side hashing/crypto
Request/response formatting
Error handling utilities
Logging helpers
JWT utilities
API response builders
Node.js-specific validation

Utilities that DON'T belong here:

Cross-platform utilities → Use cwc-utils
Type definitions → Use cwc-types
Schema definitions → Use cwc-schema
Database queries → Use cwc-database or cwc-sql
UI components → Not applicable (backend-only)

Related Packages

Consumed By:

cwc-api - Main API backend
cwc-auth - Authentication service
cwc-admin-api - Admin API backend
cwc-sql - Database service (uses Logger, Express service)
Any backend microservice

Depends On:

cwc-types (workspace) - Shared TypeScript types and entity definitions

Related:

cwc-utils - Cross-platform utilities (browser + Node.js)
cwc-schema - Schema definitions and validation
cwc-database - Database schema and migrations

License

UNLICENSED - Private project

Version 3 (latest)

cwc-backend-utils

Backend utilities for the Coding with Claude (CWC) platform. Provides shared Node.js-specific utilities for all CWC microservices.

Overview

cwc-backend-utils provides the foundational building blocks for CWC backend services:

SqlClient - HTTP client for communicating with cwc-sql service
Logger - Centralized error logging to database
Express Service Factory - Complete Express server setup with security built-in
Environment Loading - Smart .env file resolution
JWT Token Management - Auto-refreshing service-to-service authentication
Request Utilities - IP address extraction and request helpers

Architecture

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  cwc-auth   │     │   cwc-api   │     │cwc-admin-api│
│             │     │             │     │             │
└──────┬──────┘     └──────┬──────┘     └──────┬──────┘
       │                   │                   │
       │  SqlClient (HTTP)  │  SqlClient (HTTP)  │  SqlClient (HTTP)
       │  JWT RS256 auth   │  JWT RS256 auth   │  JWT RS256 auth
       │                   │                   │
       └───────────────────┼───────────────────┘
                           │
                           ▼
                    ┌─────────────┐
                    │   cwc-sql   │
                    │  (Express)  │
                    │  Port 5003  │
                    └──────┬──────┘
                           │
                    Schema validation
                    SQL generation
                    Query caching
                           │
                           ▼
                    ┌─────────────┐
                    │  MariaDB    │
                    │  Database   │
                    └─────────────┘

Key Principles

Only cwc-sql talks to database - All other services use SqlClient client
JWT authentication - SqlClient uses RS256 signed JWTs for service-to-service auth
Request-scoped operations - All operations include userPkId for security/auditing
Centralized error logging - Logger writes errors to database via SqlClient

SqlClient

HTTP client for communicating with the cwc-sql service. All backend services use SqlClient instead of direct database access.

Core Methods

query(options) - Execute SELECT operations

const sqlClient = new SqlClient({ config, enableLogging: true, logger, clientName: 'cwc-api' });

const command = sqlClient.selectCommand({
  table: 'user',
  filters: { email: 'user@example.com' },
  fields: ['userPkId', 'username', 'email'],
});

const response = await sqlClient.query({ userPkId, command });
const user = sqlClient.getFirstResult<CwcUser>(response);

mutate(options) - Execute INSERT, UPDATE, DELETE operations

// INSERT
const command = sqlClient.insertCommand({
  table: 'user',
  values: { username: 'johndoe', email: 'john@example.com' },
});

const response = await sqlClient.mutate({ userPkId, command });
const insertId = sqlClient.getInsertResultId(response);

// UPDATE
const updateCommand = sqlClient.updateCommand({
  table: 'user',
  filters: { userPkId: 123 },
  values: { email: 'newemail@example.com' },
});

await sqlClient.mutate({ userPkId, command: updateCommand });

// DELETE
const deleteCommand = sqlClient.deleteCommand({
  table: 'user',
  filters: { userPkId: 123 },
});

await sqlClient.mutate({ userPkId, command: deleteCommand });

Command Builders

emptyCommand(transaction) - Create empty command for batch operations

const command = sqlClient.emptyCommand(true); // transaction = true
sqlClient.addOperation({
  command,
  table: 'user',
  operationType: 'insert',
  operationDetails: { values: { username: 'user1' } },
});
sqlClient.addOperation({
  command,
  table: 'project',
  operationType: 'insert',
  operationDetails: { values: { projectId: 'my-project' } },
});

const response = await sqlClient.mutate({ userPkId, command });

Advanced Queries

// With sorting and limiting
const command = sqlClient.selectCommand({
  table: 'project',
  filters: { userPkId: 123 },
  fields: ['projectPkId', 'projectId', 'title'],
  sort: [{ fieldName: 'createdDate', direction: 'DESC' }],
  limit: { recordCount: 10, startIndex: 0 },
});

// Custom SQL
const command = sqlClient.selectCommand({
  custom: {
    customSql: 'SELECT * FROM user WHERE username LIKE :pattern',
    customParams: { pattern: '%john%' },
    customTables: ['user'],
  },
});

Helper Methods

Result extraction for queries:

getFirstResult<T>(response) - Get first result from operation-0
getSecondResult<T>(response) - Get first result from operation-1
getResult<T>(response, name, index) - Get specific result
getFirstResults<T>(response) - Get all results from operation-0
getSecondResults<T>(response) - Get all results from operation-1
getResults<T>(response, name) - Get all results from named operation

Result extraction for mutations:

getInsertResult(response, operationName?) - Returns true if 1 row inserted
getInsertResultId(response, operationName?) - Returns insertId
getUpdateResult(response, operationName?) - Returns true if 1+ rows updated
getDeleteResult(response, operationName?) - Returns true if 1+ rows deleted

Logger

Centralized error logging to database. Logs errors, information, and debug messages.

Usage

import { Logger } from 'cwc-backend-utils';

const logger = new Logger({ config, serviceName: 'cwc-api' });

// Log errors
await logger.logError({
  userPkId: 123,
  codeLocation: 'api/handlers/users.ts:45',
  message: 'Failed to create user',
  error: err, // Error object or string
  value: { username, email }, // Additional context
  request: JSON.stringify(req.body), // Request data
});

// Log informational messages (debug mode only)
logger.logInformation({
  userPkId: 123,
  codeLocation: 'api/handlers/users.ts:30',
  message: 'User creation started',
  value: { username, email },
});

// Log debug messages (debug mode only)
logger.logDebug({
  userPkId: 123,
  codeLocation: 'api/handlers/users.ts:35',
  message: 'Validating user input',
  value: { username },
});

Features

Database logging: Writes to errorLog table via SqlClient
Automatic truncation: Limits field lengths (error: 2000 chars, stack: 2000 chars, etc.)
Error parsing: Extracts message and stack from Error objects
JSON serialization: Automatically stringifies objects
Debug mode: logInformation and logDebug only output in debug mode
Service identification: Tags all logs with serviceName

Configuration

Requires BackendUtilsConfig with:

logErrorsToDatabase: true - Enable database logging
debugMode: true - Enable console output for logInformation/logDebug
dataUri - cwc-sql service URL

Express Service Factory

Create fully-configured Express servers with security, CORS, rate limiting, and error handling built-in.

Usage

import { createExpressService, ExpressApi } from 'cwc-backend-utils';

// Define your API endpoints
const apis: ExpressApi[] = [
  { version: 1, path: '/api/v1/users', handler: usersHandler },
  { version: 1, path: '/api/v1/auth', handler: authHandler },
];

// Create service
const service = createExpressService({
  config,
  serviceName: 'cwc-api',
  apis,
  allowGet: true,
  allowPost: true,
  allowOptions: true,
  payloadLimit: '10mb', // Optional, default is Express default
});

// Start server
service.start(apis);
service.httpServer.listen(config.servicePort, () => {
  console.log(`Server running on port ${config.servicePort}`);
});

Built-in Middleware (Applied Automatically)

Rate Limiter - Memory-based rate limiting per IP
Helmet - Security headers
CORS - Configurable CORS with environment-specific origins
Invalid Routes - Blocks requests to non-registered paths
Error Handling - Captures and logs request/response errors
Logger Integration - Auto-creates Logger if config has dataUri

CORS Configuration

CORS behavior varies by environment:

Development (isDevelopment: true):

Reflects request origin in Access-Control-Allow-Origin
Allows credentials
Wide open for local development

Test (isTest: true):

Allows devCorsOrigin for localhost development against test services
Falls back to corsOrigin for other requests
Browser security enforces origin headers (cannot be forged)

Production (isProduction: true):

Strict corsOrigin only
No dynamic origins

Rate Limiter

Configurable via BackendUtilsConfig:

rateLimiterPoints - Max requests per duration (default: 100)
rateLimiterDuration - Time window in seconds (default: 60)
Returns 429 status when exceeded

Invalid Routes Protection

Automatically rejects:

HTTP methods not in allowGet/allowPost/allowOptions
Paths that don't start with registered API paths
Returns 400 status with "unsupported" message

Environment Loading

Load environment-specific .env files based on runtime environment and service name.

Usage

import { loadDotEnv } from 'cwc-backend-utils';

loadDotEnv({
  serviceName: 'cwc-api',
  environment: 'dev', // 'dev' | 'test' | 'prod' | 'unit' | 'e2e'
  debug: true, // Optional: log path resolution
});

// Now process.env is populated
const dbHost = process.env.DB_HOST;

Path Resolution

Local development (dev/unit/e2e):

Looks for: ../../../../private/cwc-secrets/env/{environment}.{serviceName}.env
Example: ../../../../private/cwc-secrets/env/dev.cwc-api.env

Server deployment (test/prod):

Looks for: ../../.env.{environment}
Example: ../../.env.test

Debug Mode

When debug: true, logs:

Environment detection (runningOnServer, runningLocally)
Resolved file name
Resolved absolute path
Loaded ENVIRONMENT variable

Configuration Types

BackendUtilsConfig

Complete configuration for services using SqlClient and database features:

type BackendUtilsConfig = {
  // Environment flags
  debugMode: boolean;
  isDevelopment: boolean;
  isTest: boolean;
  isProduction: boolean;
  isUnitTest: boolean;
  isEndToEnd: boolean;

  // Service URLs
  dataUri: string; // cwc-sql service URL
  servicePort: number; // Port for this service

  // Features
  logErrorsToDatabase: boolean;

  // CORS
  corsOrigin: string; // Production origin
  devCorsOrigin: string; // Development origin

  // Rate limiting
  rateLimiterPoints: number; // Max requests per duration
  rateLimiterDuration: number; // Duration in seconds

  // End-to-end testing mock values
  endToEndMockValues?: Record<string, string>;
};

BackendUtilsConfigBasic

Simplified config for services that don't use SqlClient:

type BackendUtilsConfigBasic = Omit<BackendUtilsConfig, 'dataUri' | 'logErrorsToDatabase'>;

Use this for services that don't need database access.

SqlClientKeysUtil

Manages JWT tokens for SqlClient authentication. Internal utility used by SqlClient class.

Features

Automatic refresh: Generates new tokens when <5s remain before expiry
RS256 signing: Uses RSA public/private key pairs
30-second expiration: Tokens valid for 30 seconds (auto-refresh ensures continuity)
Key loading: Reads keys from sql-client-api-keys/ directory

Key File Locations

Local development:

../../../cwc-secrets/sql-client-api-keys/sql-client-api-key-private.pem
../../../cwc-secrets/sql-client-api-keys/sql-client-api-key-public.pem

Server deployment:

./sql-client-api-keys/sql-client-api-key-private.pem
./sql-client-api-keys/sql-client-api-key-public.pem

Token Payload

{
  dataJwtId: '550e8400-e29b-41d4-a716-446655440000', // UUID v4
  clientName: 'cwc-api', // Backend service name
  exp: 1234567890, // Expiration timestamp
  iat: 1234567860  // Issued at timestamp
}

Request Utilities

getRemoteIpAddress(req)

Extract the real client IP address from Express request, handling proxy headers and IPv6 formatting.

import { getRemoteIpAddress } from 'cwc-backend-utils';

app.use((req, res, next) => {
  const clientIp = getRemoteIpAddress(req);
  console.log('Client IP:', clientIp);
  next();
});

Resolution order:

x-real-ip header (set by nginx proxy)
origin header hostname
req.ip (strips ::ffff: IPv6 prefix if present)

Complete Service Example

Typical backend service setup using cwc-backend-utils:

// src/index.ts
import {
  loadDotEnv,
  createExpressService,
  SqlClient,
  Logger,
  BackendUtilsConfig,
  ExpressApi,
} from 'cwc-backend-utils';
import { RequestHandler } from 'express';

// Load environment variables
loadDotEnv({
  serviceName: 'cwc-api',
  environment: process.env.NODE_ENV as RuntimeEnvironment,
});

// Build configuration
const config: BackendUtilsConfig = {
  debugMode: process.env.DEBUG_MODE === 'true',
  isDevelopment: process.env.NODE_ENV === 'dev',
  isTest: process.env.NODE_ENV === 'test',
  isProduction: process.env.NODE_ENV === 'prod',
  isUnitTest: process.env.NODE_ENV === 'unit',
  isEndToEnd: process.env.NODE_ENV === 'e2e',
  dataUri: process.env.DATA_URI!,
  servicePort: parseInt(process.env.SERVICE_PORT!, 10),
  logErrorsToDatabase: true,
  corsOrigin: process.env.CORS_ORIGIN!,
  devCorsOrigin: process.env.DEV_CORS_ORIGIN!,
  rateLimiterPoints: 100,
  rateLimiterDuration: 60,
};

// Initialize shared services
const sqlClient = new SqlClient({
  config,
  enableLogging: true,
  logger: undefined, // Will be created by Logger if needed
  clientName: 'cwc-api',
});

const logger = new Logger({ config, serviceName: 'cwc-api' });

// Define API handlers
const usersHandler: RequestHandler = async (req, res) => {
  try {
    const { userPkId } = req.user; // From auth middleware

    const command = sqlClient.selectCommand({
      table: 'user',
      filters: { userPkId },
    });

    const response = await sqlClient.query({ userPkId, command });
    const user = sqlClient.getFirstResult(response);

    res.json({ success: true, user });
  } catch (error) {
    await logger.logError({
      userPkId: req.user?.userPkId,
      codeLocation: 'handlers/users.ts:25',
      message: 'Failed to fetch user',
      error,
      request: JSON.stringify(req.body),
    });
    res.status(500).json({ success: false, error: 'Internal server error' });
  }
};

// Define APIs
const apis: ExpressApi[] = [{ version: 1, path: '/api/v1/users', handler: usersHandler }];

// Create and start service
const service = createExpressService({
  config,
  serviceName: 'cwc-api',
  apis,
  allowGet: true,
  allowPost: true,
  allowOptions: true,
  payloadLimit: undefined,
});

service.start(apis);
service.httpServer.listen(config.servicePort, () => {
  console.log(`cwc-api listening on port ${config.servicePort}`);
});

Dependencies

Runtime dependencies:

express (^5.1.0) - Web framework
axios (^1.13.2) - HTTP client for SqlClient
helmet (^8.1.0) - Security headers
rate-limiter-flexible (^8.2.1) - Rate limiting
jsonwebtoken (^9.0.2) - JWT signing/verification
uuid (^13.0.0) - UUID generation
dotenv (^17.2.3) - Environment variable loading
cwc-types (workspace) - Shared TypeScript types

Dev dependencies:

@types/express - Express type definitions
@types/jsonwebtoken - JWT type definitions
typescript - TypeScript compiler

Node.js Compatibility

cwc-backend-utils is designed ONLY for Node.js environments:

✅ Can use Node.js APIs (fs, path, crypto, os, http, etc.) ✅ Can use Node.js-specific packages ✅ ES modules output ✅ Tree-shakeable ❌ NOT browser-compatible

Target Environment:

Node.js 22+
Backend microservices (cwc-api, cwc-auth, cwc-admin-api, cwc-sql)

Adding New Utilities

When adding utilities to this package:

Node.js-specific utilities only:
- File system operations
- Path manipulation
- Environment variable parsing
- Crypto/hashing utilities
- Process management helpers
- Server-side validation
Keep dependencies minimal:
- Prefer zero dependencies
- Use built-in Node.js modules when possible
- Document any dependencies clearly
Maintain tree-shakeability:
- Export utilities as named exports
- Avoid side effects in module loading
- Keep utilities independent where possible
Follow existing patterns:
- TypeScript with strict mode
- Comprehensive JSDoc comments
- Include usage examples
- Export from src/index.ts
Update documentation:
- Add section to this README
- Update CLAUDE.md if AI-critical patterns
- Include usage examples

Guidelines for Backend Utilities

Utilities that belong in cwc-backend-utils:

File system utilities
Environment configuration helpers
Server-side hashing/crypto
Request/response formatting
Error handling utilities
Logging helpers
JWT utilities
API response builders
Node.js-specific validation

Utilities that DON'T belong here:

Cross-platform utilities → Use cwc-utils
Type definitions → Use cwc-types
Schema definitions → Use cwc-schema
Database queries → Use cwc-database or cwc-sql
UI components → Not applicable (backend-only)

Related Packages

Consumed By:

cwc-api - Main API backend
cwc-auth - Authentication service
cwc-admin-api - Admin API backend
cwc-sql - Database service (uses Logger, Express service)
Any backend microservice

Depends On:

cwc-types (workspace) - Shared TypeScript types and entity definitions

Related:

cwc-utils - Cross-platform utilities (browser + Node.js)
cwc-schema - Schema definitions and validation
cwc-database - Database schema and migrations

License

UNLICENSED - Private project

packages/cwc-backend-utils/src/backendUtils.types.ts

2 versions

Version 1

import http from 'node:http';
import { RequestHandler } from 'express';
import express from 'express';

export type BackendServiceName = 'cwc-admin-api' | 'cwc-api' | 'cwc-auth' | 'cwc-sql' | 'cwc-storage';

export type BackendUtilsConfig = {
  debugMode: boolean;
  dataUri: string;
  logErrorsToDatabase: boolean;
  isDevelopment: boolean;
  isTest: boolean;
  isProduction: boolean;
  isUnitTest: boolean;
  isEndToEnd: boolean;
  corsOrigin: string;
  servicePort: number;
  rateLimiterPoints: number;
  rateLimiterDuration: number;
  // development settings
  devMachines:
    | undefined
    | {
        name: string;
        ip: string;
      }[];
  devCorsOrigin: string;
  // End-to-end testing mock values
  endToEndMockValues?: Record<string, string> | undefined;
};

// Simplified config for services that don't use SqlClient or database logging
export type BackendUtilsConfigBasic = Omit<BackendUtilsConfig, 'dataUri' | 'logErrorsToDatabase'>;

// *********************************
// SqlClient
// *********************************

export type SqlClientToken = string;

export type SqlClientOperationType = 'delete' | 'insert' | 'select' | 'update';

export type SqlClientOperationName = string;
export type SqlClientOperationTable = string;

export type SqlClientOperationFilters = {
  [key: string]: string | number | boolean | number[];
};

export type SqlClientOperationFields = string[] | undefined;

export type SqlClientOperationValues = {
  [key: string]: string | number | boolean | undefined | unknown | unknown[];
};

export type SqlClientOperationSortItem = {
  fieldName: string;
  direction?: string;
};

export type SqlClientOperationSort = SqlClientOperationSortItem[];

export type SqlClientOperationLimit = {
  recordCount: number;
  startIndex: number;
};

export type SqlClientOperationCustomSql = string;

export type SqlClientOperationCustomParam = string | number | boolean;

export type SqlClientOperationCustomParams = {
  [key: string]: SqlClientOperationCustomParam;
};

// **********************************
// sort example:
// **********************************
// const sort = [ {fieldName: 'username', direction: 'ASC' }, {fieldName: 'groupName', direction: 'DESC' }];

export type SqlClientOperationCustom = {
  customSql: SqlClientOperationCustomSql;
  customParams: SqlClientOperationCustomParams;
  customTables: SqlClientOperationTable[];
};

export type SqlClientOperation = {
  operationType: SqlClientOperationType;
  name?: SqlClientOperationName | undefined;
  table: SqlClientOperationTable | undefined;
  fields?: SqlClientOperationFields | undefined;
  filters?: SqlClientOperationFilters | undefined;
  values?: SqlClientOperationValues | undefined;
  sort?: SqlClientOperationSort | undefined;
  limit?: SqlClientOperationLimit | undefined;
  custom?: SqlClientOperationCustom | undefined;
  filterCount?: boolean | undefined; // return a count of records matching filters
};

export type SqlClientSchemaOptions = {
  userPkId: number | undefined;
};

export type Schema = {
  [key: string]: object;
};

export type SqlClientSchemaResponse = {
  data: Schema;
};

export type SqlClientCommand = {
  transaction: boolean;
  operations: SqlClientOperation[];
  filterCount: boolean; // return filtered record count with results
};

export type SqlClientExecuteOptions = {
  userPkId: number | undefined;
  command: SqlClientCommand;
};

export interface SqlClientQueryResponse {
  [key: string]: unknown[] | undefined;
}

export type SqlClientMutationResult = {
  affectedRows?: number;
  insertId?: number;
  changedRows?: number;
};

export interface SqlClientMutationResponse {
  [key: string]: SqlClientMutationResult;
}

export type SqlClientExecuteQuery = (
  options: SqlClientExecuteOptions
) => Promise<SqlClientQueryResponse | undefined>;

export type SqlClientExecuteMutation = (
  options: SqlClientExecuteOptions
) => Promise<SqlClientMutationResponse | undefined>;

export type VerifySqlClientCredentialsOptions = {
  userPkId: number | undefined;
  authToken: string | undefined;
  invokedBy: string;
};

export type DeleteCommandOptions = Omit<
  SqlClientOperation,
  'operationType' | 'fields' | 'values' | 'sort' | 'limit' | 'custom'
>;

export type InsertCommandOptions = Omit<
  SqlClientOperation,
  'operationType' | 'fields' | 'filters' | 'sort' | 'limit' | 'custom'
>;

export type SelectCommandOptions = Omit<SqlClientOperation, 'operationType' | 'values'>;

export type UpdateCommandOptions = Omit<
  SqlClientOperation,
  'operationType' | 'fields' | 'sort' | 'limit' | 'custom'
>;

export type OperationDetails = Omit<SqlClientOperation, 'table' | 'operationType'>;

export type AddOperationOptions = {
  command: SqlClientCommand;
  table: string | undefined;
  operationType: SqlClientOperationType;
  operationDetails: OperationDetails;
};

export type SqlClientType = {
  query: ({
    userPkId,
    command,
  }: SqlClientExecuteOptions) => Promise<SqlClientQueryResponse | undefined>;
  mutate: ({
    userPkId,
    command,
  }: SqlClientExecuteOptions) => Promise<SqlClientMutationResponse | undefined>;

  getFirstResult: <ResultType>(
    response: SqlClientQueryResponse | undefined
  ) => ResultType | undefined;

  getSecondResult: <ResultType>(
    response: SqlClientQueryResponse | undefined
  ) => ResultType | undefined;

  getResult: <ResultType>(
    response: SqlClientQueryResponse | undefined,
    name: string,
    index: number
  ) => ResultType | undefined;

  getFirstResults: <ResultType>(response: SqlClientQueryResponse | undefined) => ResultType[];

  getSecondResults: <ResultType>(response: SqlClientQueryResponse | undefined) => ResultType[];

  getResults: <ResultType>(
    response: SqlClientQueryResponse | undefined,
    name: string
  ) => ResultType[];

  getInsertResult: (
    response: SqlClientMutationResponse | undefined,
    operationName?: string
  ) => boolean;

  getInsertResultId: (
    response: SqlClientMutationResponse | undefined,
    operationName?: string
  ) => number | undefined;

  getUpdateResult: (
    response: SqlClientMutationResponse | undefined,
    operationName?: string
  ) => boolean;

  getDeleteResult: (
    response: SqlClientMutationResponse | undefined,
    operationName?: string
  ) => boolean;

  emptyCommand: (transaction: boolean) => SqlClientCommand;

  deleteCommand: ({ name, table, filters }: DeleteCommandOptions) => SqlClientCommand;

  insertCommand: ({ name, table, values }: InsertCommandOptions) => SqlClientCommand;

  selectCommand: ({
    name,
    table,
    filters,
    fields,
    sort,
    limit,
    custom,
    filterCount,
  }: SelectCommandOptions) => SqlClientCommand;

  updateCommand: ({ name, table, filters, values }: UpdateCommandOptions) => SqlClientCommand;

  addOperation: ({
    command,
    table,
    operationType,
    operationDetails,
  }: AddOperationOptions) => SqlClientOperation | undefined;
};

// *********************************
// Logger
// *********************************

export interface ILogger {
  logDebug: ({ codeLocation, message, value }: LogDebugOptions) => void;
  logError: ({ codeLocation, message, error, value, request }: LogErrorOptions) => Promise<void>;
  logInformation: ({ codeLocation, message, value }: LogInformationOptions) => void;
}

export type LogErrorOptions = {
  userPkId: number | undefined;
  codeLocation: string;
  message: string;
  error?: unknown | Error | object | string;
  value?: object | string | unknown;
  request?: string | unknown;
};

export type LogInformationOptions = {
  userPkId: number | undefined;
  codeLocation: string;
  message: string;
  value?: object | string;
  request?: string | unknown;
};

export type LogDebugOptions = {
  userPkId: number | undefined;
  codeLocation: string;
  message: string;
  value?: object | string;
  request?: string | unknown;
};

// *********************************
// express
// *********************************

export interface ExpressApi {
  version: number;
  handler: RequestHandler;
  path: string;
}

export type ExpressCorsOptions = {
  config: BackendUtilsConfig;
  allowPost: boolean;
  allowOptions: boolean;
  allowGet: boolean;
};

export type ExpressInvalidRoutesOptions = {
  apis: ExpressApi[];
  allowPost: boolean;
  allowOptions: boolean;
  allowGet: boolean;
};

export type ExpressRateLimiterOptions = {
  config: BackendUtilsConfig;
};

export type ExpressServiceOptions = {
  config: BackendUtilsConfig | BackendUtilsConfigBasic;
  serviceName: BackendServiceName;
  apis: ExpressApi[];
  allowPost: boolean;
  allowOptions: boolean;
  allowGet: boolean;
  payloadLimit: string | undefined; // eg: 2mb
};

export type ExpressService = {
  expressApp: express.Express;
  httpServer: http.Server<typeof http.IncomingMessage, typeof http.ServerResponse>;
  start(apis: ExpressApi[]): void;
};

Version 2 (latest)

import http from 'node:http';
import { RequestHandler } from 'express';
import express from 'express';

export type BackendServiceName = 'cwc-admin-api' | 'cwc-api' | 'cwc-auth' | 'cwc-sql' | 'cwc-storage';

export type BackendUtilsConfig = {
  debugMode: boolean;
  dataUri: string;
  logErrorsToDatabase: boolean;
  isDevelopment: boolean;
  isTest: boolean;
  isProduction: boolean;
  isUnitTest: boolean;
  isEndToEnd: boolean;
  corsOrigin: string;
  servicePort: number;
  rateLimiterPoints: number;
  rateLimiterDuration: number;
  // development settings
  devCorsOrigin: string;
  // End-to-end testing mock values
  endToEndMockValues?: Record<string, string> | undefined;
};

// Simplified config for services that don't use SqlClient or database logging
export type BackendUtilsConfigBasic = Omit<BackendUtilsConfig, 'dataUri' | 'logErrorsToDatabase'>;

// *********************************
// SqlClient
// *********************************

export type SqlClientToken = string;

export type SqlClientOperationType = 'delete' | 'insert' | 'select' | 'update';

export type SqlClientOperationName = string;
export type SqlClientOperationTable = string;

export type SqlClientOperationFilters = {
  [key: string]: string | number | boolean | number[];
};

export type SqlClientOperationFields = string[] | undefined;

export type SqlClientOperationValues = {
  [key: string]: string | number | boolean | undefined | unknown | unknown[];
};

export type SqlClientOperationSortItem = {
  fieldName: string;
  direction?: string;
};

export type SqlClientOperationSort = SqlClientOperationSortItem[];

export type SqlClientOperationLimit = {
  recordCount: number;
  startIndex: number;
};

export type SqlClientOperationCustomSql = string;

export type SqlClientOperationCustomParam = string | number | boolean;

export type SqlClientOperationCustomParams = {
  [key: string]: SqlClientOperationCustomParam;
};

// **********************************
// sort example:
// **********************************
// const sort = [ {fieldName: 'username', direction: 'ASC' }, {fieldName: 'groupName', direction: 'DESC' }];

export type SqlClientOperationCustom = {
  customSql: SqlClientOperationCustomSql;
  customParams: SqlClientOperationCustomParams;
  customTables: SqlClientOperationTable[];
};

export type SqlClientOperation = {
  operationType: SqlClientOperationType;
  name?: SqlClientOperationName | undefined;
  table: SqlClientOperationTable | undefined;
  fields?: SqlClientOperationFields | undefined;
  filters?: SqlClientOperationFilters | undefined;
  values?: SqlClientOperationValues | undefined;
  sort?: SqlClientOperationSort | undefined;
  limit?: SqlClientOperationLimit | undefined;
  custom?: SqlClientOperationCustom | undefined;
  filterCount?: boolean | undefined; // return a count of records matching filters
};

export type SqlClientSchemaOptions = {
  userPkId: number | undefined;
};

export type Schema = {
  [key: string]: object;
};

export type SqlClientSchemaResponse = {
  data: Schema;
};

export type SqlClientCommand = {
  transaction: boolean;
  operations: SqlClientOperation[];
  filterCount: boolean; // return filtered record count with results
};

export type SqlClientExecuteOptions = {
  userPkId: number | undefined;
  command: SqlClientCommand;
};

export interface SqlClientQueryResponse {
  [key: string]: unknown[] | undefined;
}

export type SqlClientMutationResult = {
  affectedRows?: number;
  insertId?: number;
  changedRows?: number;
};

export interface SqlClientMutationResponse {
  [key: string]: SqlClientMutationResult;
}

export type SqlClientExecuteQuery = (
  options: SqlClientExecuteOptions
) => Promise<SqlClientQueryResponse | undefined>;

export type SqlClientExecuteMutation = (
  options: SqlClientExecuteOptions
) => Promise<SqlClientMutationResponse | undefined>;

export type VerifySqlClientCredentialsOptions = {
  userPkId: number | undefined;
  authToken: string | undefined;
  invokedBy: string;
};

export type DeleteCommandOptions = Omit<
  SqlClientOperation,
  'operationType' | 'fields' | 'values' | 'sort' | 'limit' | 'custom'
>;

export type InsertCommandOptions = Omit<
  SqlClientOperation,
  'operationType' | 'fields' | 'filters' | 'sort' | 'limit' | 'custom'
>;

export type SelectCommandOptions = Omit<SqlClientOperation, 'operationType' | 'values'>;

export type UpdateCommandOptions = Omit<
  SqlClientOperation,
  'operationType' | 'fields' | 'sort' | 'limit' | 'custom'
>;

export type OperationDetails = Omit<SqlClientOperation, 'table' | 'operationType'>;

export type AddOperationOptions = {
  command: SqlClientCommand;
  table: string | undefined;
  operationType: SqlClientOperationType;
  operationDetails: OperationDetails;
};

export type SqlClientType = {
  query: ({
    userPkId,
    command,
  }: SqlClientExecuteOptions) => Promise<SqlClientQueryResponse | undefined>;
  mutate: ({
    userPkId,
    command,
  }: SqlClientExecuteOptions) => Promise<SqlClientMutationResponse | undefined>;

  getFirstResult: <ResultType>(
    response: SqlClientQueryResponse | undefined
  ) => ResultType | undefined;

  getSecondResult: <ResultType>(
    response: SqlClientQueryResponse | undefined
  ) => ResultType | undefined;

  getResult: <ResultType>(
    response: SqlClientQueryResponse | undefined,
    name: string,
    index: number
  ) => ResultType | undefined;

  getFirstResults: <ResultType>(response: SqlClientQueryResponse | undefined) => ResultType[];

  getSecondResults: <ResultType>(response: SqlClientQueryResponse | undefined) => ResultType[];

  getResults: <ResultType>(
    response: SqlClientQueryResponse | undefined,
    name: string
  ) => ResultType[];

  getInsertResult: (
    response: SqlClientMutationResponse | undefined,
    operationName?: string
  ) => boolean;

  getInsertResultId: (
    response: SqlClientMutationResponse | undefined,
    operationName?: string
  ) => number | undefined;

  getUpdateResult: (
    response: SqlClientMutationResponse | undefined,
    operationName?: string
  ) => boolean;

  getDeleteResult: (
    response: SqlClientMutationResponse | undefined,
    operationName?: string
  ) => boolean;

  emptyCommand: (transaction: boolean) => SqlClientCommand;

  deleteCommand: ({ name, table, filters }: DeleteCommandOptions) => SqlClientCommand;

  insertCommand: ({ name, table, values }: InsertCommandOptions) => SqlClientCommand;

  selectCommand: ({
    name,
    table,
    filters,
    fields,
    sort,
    limit,
    custom,
    filterCount,
  }: SelectCommandOptions) => SqlClientCommand;

  updateCommand: ({ name, table, filters, values }: UpdateCommandOptions) => SqlClientCommand;

  addOperation: ({
    command,
    table,
    operationType,
    operationDetails,
  }: AddOperationOptions) => SqlClientOperation | undefined;
};

// *********************************
// Logger
// *********************************

export interface ILogger {
  logDebug: ({ codeLocation, message, value }: LogDebugOptions) => void;
  logError: ({ codeLocation, message, error, value, request }: LogErrorOptions) => Promise<void>;
  logInformation: ({ codeLocation, message, value }: LogInformationOptions) => void;
}

export type LogErrorOptions = {
  userPkId: number | undefined;
  codeLocation: string;
  message: string;
  error?: unknown | Error | object | string;
  value?: object | string | unknown;
  request?: string | unknown;
};

export type LogInformationOptions = {
  userPkId: number | undefined;
  codeLocation: string;
  message: string;
  value?: object | string;
  request?: string | unknown;
};

export type LogDebugOptions = {
  userPkId: number | undefined;
  codeLocation: string;
  message: string;
  value?: object | string;
  request?: string | unknown;
};

// *********************************
// express
// *********************************

export interface ExpressApi {
  version: number;
  handler: RequestHandler;
  path: string;
}

export type ExpressCorsOptions = {
  config: BackendUtilsConfig;
  allowPost: boolean;
  allowOptions: boolean;
  allowGet: boolean;
};

export type ExpressInvalidRoutesOptions = {
  apis: ExpressApi[];
  allowPost: boolean;
  allowOptions: boolean;
  allowGet: boolean;
};

export type ExpressRateLimiterOptions = {
  config: BackendUtilsConfig;
};

export type ExpressServiceOptions = {
  config: BackendUtilsConfig | BackendUtilsConfigBasic;
  serviceName: BackendServiceName;
  apis: ExpressApi[];
  allowPost: boolean;
  allowOptions: boolean;
  allowGet: boolean;
  payloadLimit: string | undefined; // eg: 2mb
};

export type ExpressService = {
  expressApp: express.Express;
  httpServer: http.Server<typeof http.IncomingMessage, typeof http.ServerResponse>;
  start(apis: ExpressApi[]): void;
};

packages/cwc-backend-utils/src/express/cors.ts

2 versions

Version 1

'use strict';
import { NextFunction, Request, Response } from 'express';
import { ExpressCorsOptions } from '../backendUtils.types';

// Enable CORS for all methods
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

export const cors = ({ config, allowGet, allowOptions, allowPost }: ExpressCorsOptions) => {
  return (req: Request, res: Response, next: NextFunction) => {
    // *****************************************************************************************
    // having cors problems?
    // 1. nginx server.conf - make sure you have updated the nginx server.conf file and DEPLOYED it to the server
    // 2. have you added the api in ./src/index.ts ?
    //   const apis: AuthApi[] = [new LogonApiV1()];
    // 2. is the uri/url correct? if a route can't be found it will not return OK for OPTIONS
    //   route: /auth/v1/logon
    //   request path: /auth/auth/v1/logon  <-- will fail
    // *****************************************************************************************

    if (config.isDevelopment || config.isEndToEnd) {
      if (req.headers.origin) {
        res.header('Access-Control-Allow-Origin', req.headers.origin);
        res.header('Vary', 'Origin');
        res.header('Access-Control-Allow-Credentials', 'true');
      } else {
        res.header('Access-Control-Allow-Origin', '*');
      }
    }

    if (config.isTest) {
      let requestIp: string = req.ip ?? '';
      if (requestIp?.startsWith('::ffff:')) {
        requestIp = requestIp.substring(7);
      }

      // *************** shouldn't this be using allowedIps instead of hard-coding the ips here? ************
      const isFromCwcApi = requestIp === '192.1.1.4';
      const isFromCwcContent = requestIp === '192.1.1.20';

      let remoteIp: string = req.headers['x-real-ip'] as string;
      if (remoteIp?.startsWith('::ffff:')) {
        remoteIp = remoteIp.substring(7);
      }
      const isFromCwcDevMachine = Boolean(
        config.devMachines?.find((machine) => machine.ip === remoteIp)
      );

      if (
        (isFromCwcDevMachine || isFromCwcApi || isFromCwcContent) &&
        config.devCorsOrigin &&
        req.headers.origin === config.devCorsOrigin
      ) {
        res.header('Access-Control-Allow-Origin', config.devCorsOrigin);
        res.header('Vary', 'Origin');
        res.header('Access-Control-Allow-Credentials', 'true');
      } else {
        res.header('Access-Control-Allow-Origin', config.corsOrigin);
        res.header('Vary', 'Origin');
        res.header('Access-Control-Allow-Credentials', 'true');
      }
    }

    if (config.isProduction) {
      res.header('Access-Control-Allow-Origin', config.corsOrigin);
      res.header('Vary', 'Origin');
      res.header('Access-Control-Allow-Credentials', 'true');
    }

    res.header(
      'Access-Control-Allow-Headers',
      'Authorization, Origin, X-Requested-With, Content-Type, Accept'
    );

    const allowedMethods: string[] = [];
    if (allowGet) {
      allowedMethods.push('GET');
    }
    if (allowOptions) {
      allowedMethods.push('OPTIONS');
    }
    if (allowPost) {
      allowedMethods.push('POST');
    }
    res.header('Access-Control-Allow-Methods', allowedMethods.join());
    res.header('Access-Control-Expose-Headers', 'Authorization');
    next();
  };
};

Version 2 (latest)

'use strict';
import { NextFunction, Request, Response } from 'express';
import { ExpressCorsOptions } from '../backendUtils.types';

// Enable CORS for all methods
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

export const cors = ({ config, allowGet, allowOptions, allowPost }: ExpressCorsOptions) => {
  return (req: Request, res: Response, next: NextFunction) => {
    // *****************************************************************************************
    // having cors problems?
    // 1. nginx server.conf - make sure you have updated the nginx server.conf file and DEPLOYED it to the server
    // 2. have you added the api in ./src/index.ts ?
    //   const apis: AuthApi[] = [new LogonApiV1()];
    // 2. is the uri/url correct? if a route can't be found it will not return OK for OPTIONS
    //   route: /auth/v1/logon
    //   request path: /auth/auth/v1/logon  <-- will fail
    // *****************************************************************************************

    if (config.isDevelopment || config.isEndToEnd) {
      if (req.headers.origin) {
        res.header('Access-Control-Allow-Origin', req.headers.origin);
        res.header('Vary', 'Origin');
        res.header('Access-Control-Allow-Credentials', 'true');
      } else {
        res.header('Access-Control-Allow-Origin', '*');
      }
    }

    if (config.isTest) {
      // Allow devCorsOrigin for localhost development against test services
      // (Browser security enforces origin headers - they cannot be forged)
      if (config.devCorsOrigin && req.headers.origin === config.devCorsOrigin) {
        res.header('Access-Control-Allow-Origin', config.devCorsOrigin);
        res.header('Vary', 'Origin');
        res.header('Access-Control-Allow-Credentials', 'true');
      } else {
        res.header('Access-Control-Allow-Origin', config.corsOrigin);
        res.header('Vary', 'Origin');
        res.header('Access-Control-Allow-Credentials', 'true');
      }
    }

    if (config.isProduction) {
      res.header('Access-Control-Allow-Origin', config.corsOrigin);
      res.header('Vary', 'Origin');
      res.header('Access-Control-Allow-Credentials', 'true');
    }

    res.header(
      'Access-Control-Allow-Headers',
      'Authorization, Origin, X-Requested-With, Content-Type, Accept'
    );

    const allowedMethods: string[] = [];
    if (allowGet) {
      allowedMethods.push('GET');
    }
    if (allowOptions) {
      allowedMethods.push('OPTIONS');
    }
    if (allowPost) {
      allowedMethods.push('POST');
    }
    res.header('Access-Control-Allow-Methods', allowedMethods.join());
    res.header('Access-Control-Expose-Headers', 'Authorization');
    next();
  };
};

packages/cwc-backend-utils/src/SqlClientKeysUtil.ts

'use strict';

import fs from 'node:fs';
import { v4 as uuidv4 } from 'uuid';
import jsonwebtoken, { SignOptions } from 'jsonwebtoken';
import { Logger } from './Logger';
import { BackendServiceName, BackendUtilsConfig } from './backendUtils.types';

const codeLocation = 'src/SqlClientKeysUtil.ts';

type SqlClientKeys = {
  privateKey: Buffer;
  publicKey: Buffer;
};

type GetApiTokenOptions = {
  userPkId: number | undefined;
};

type CreateSqlClientTokenOptions = {
  userPkId: number | undefined;
  expiresIn: string; // '30s'
};

type SqlClientKeysUtilOptions = {
  config: BackendUtilsConfig;
  enableLogging: boolean;
  clientName: BackendServiceName;
};

export class SqlClientKeysUtil {
  private config: BackendUtilsConfig;
  private enableLogging: boolean;
  private sqlClientKeys: SqlClientKeys;
  private apiToken: string | undefined;
  private clientName: BackendServiceName;

  constructor({ config, enableLogging, clientName }: SqlClientKeysUtilOptions) {
    this.config = config;
    this.enableLogging = enableLogging;
    this.clientName = clientName;
    const runningLocally = config.isDevelopment || config.isUnitTest || config.isEndToEnd;
    const keyPath = runningLocally ? `../../../cwc-secrets/sql-client-api-keys` : `./sql-client-api-keys`;
    this.sqlClientKeys = {
      privateKey: fs.readFileSync(`${keyPath}/sql-client-api-key-private.pem`),
      publicKey: fs.readFileSync(`${keyPath}/sql-client-api-key-public.pem`),
    };
  }

  public async getApiToken({ userPkId }: GetApiTokenOptions) {
    const newTokenNeeded = await this.needNewApiToken();
    if (newTokenNeeded) {
      const expiresIn = '30s'; // 30 seconds
      await this.createSqlClientToken({
        userPkId,
        expiresIn,
      });
    }
    return this.apiToken;
  }

  private async needNewApiToken() {
    if (!this.apiToken) {
      return true;
    }
    const decodedPayload = jsonwebtoken.decode(this.apiToken);

    if (!decodedPayload || typeof decodedPayload !== 'object') {
      return true;
    }
    if (!decodedPayload?.exp) {
      return true;
    }

    const exp = decodedPayload.exp;
    const curr = new Date().valueOf() / 1000;
    const remaining = exp - curr;

    if (remaining < 5) {
      return true;
    }

    return false;
  }

  private async createSqlClientToken({ userPkId, expiresIn = '30s' }: CreateSqlClientTokenOptions) {
    // payload is passed to `jsonwebtoken.sign()`
    const payload = {
      dataJwtId: uuidv4(),
      clientName: this.clientName,
    };

    type SignResultType = {
      error?: Error | null;
      encoded?: string;
    };

    const signResult: SignResultType = await new Promise((resolve) => {
      const signOptions: SignOptions = {
        // @ts-expect-error
        expiresIn,
        algorithm: 'RS256',
      };
      const signCallback = (error: Error | null, encoded: string | undefined) => {
        if (error) {
          resolve({ error });
        } else if (encoded) {
          resolve({ encoded });
        }
      };
      jsonwebtoken.sign(payload, this.sqlClientKeys.privateKey, signOptions, signCallback);
    });

    if (signResult.error && this.enableLogging) {
      const logger = new Logger({
        config: this.config,
        serviceName: this.clientName,
      });
      logger.logError({
        userPkId,
        codeLocation,
        message: 'createSqlClientToken',
        error: signResult.error,
      });
      this.apiToken = undefined;
    } else if (signResult?.encoded) {
      this.apiToken = signResult.encoded;
    } else {
      this.apiToken = undefined;
    }
  }

  public get jwtPublicKey() {
    return this.sqlClientKeys.publicKey;
  }
}

packages/cwc-configuration-helper/CLAUDE.md

3 versions

Version 1

cwc-configuration-helper Package

CLI tool that generates, validates, and diffs .env files by dynamically parsing TypeScript config types from backend packages.

Core Design Principle

Zero maintenance through AST parsing: This tool reads config.types.ts files directly using the TypeScript Compiler API. When config types change in any package, the helper automatically reflects those changes without needing to update the tool itself.

How It Works

Package Discovery: Scans packages/cwc-*/src/config/config.types.ts for backend packages with configuration
AST Parsing: Uses TypeScript Compiler API to extract type definitions, property names, and types
Name Conversion: Converts camelCase properties to SCREAMING_SNAKE_CASE env vars
Generation: Creates .env files with proper structure, comments, and placeholders

Config Type Pattern (Required)

For a package to be discovered and parsed, it must follow this exact pattern:

// packages/cwc-{name}/src/config/config.types.ts

export type Cwc{Name}ConfigSecrets = {
  databasePassword: string;
  apiKey: string;
};

export type Cwc{Name}Config = {
  // Environment (derived - skipped in .env)
  runtimeEnvironment: RuntimeEnvironment;
  isProduction: boolean;
  isDevelopment: boolean;
  isTest: boolean;
  isUnitTest: boolean;
  isEndToEnd: boolean;

  // Regular properties
  servicePort: number;
  corsOrigin: string;
  debugMode: boolean;

  // Secrets nested under 'secrets' property
  secrets: Cwc{Name}ConfigSecrets;
};

Naming conventions:

Main config type: Cwc{PascalCaseName}Config
Secrets type: Cwc{PascalCaseName}ConfigSecrets
Secrets must be nested under a secrets property

Secrets File Structure

Flat key-value structure - no package namespacing required:

{
  "DATABASE_PASSWORD": "secretpassword",
  "USER_JWT_SECRET": "secret-key-here",
  "SQL_CLIENT_API_KEY": "-----BEGIN PUBLIC KEY-----\n..."
}

The tool automatically matches env var names from each package's ConfigSecrets type against this flat list. Shared secrets (like DATABASE_PASSWORD) are automatically used by all packages that need them.

Name Conversion Rules

camelCase properties → SCREAMING_SNAKE_CASE:

Property Name	Environment Variable
`servicePort`	`SERVICE_PORT`
`corsOrigin`	`CORS_ORIGIN`
`rateLimiterPoints`	`RATE_LIMITER_POINTS`
`userJwtSecret`	`USER_JWT_SECRET`
`devMachines`	`DEV_MACHINES`
`dataUri`	`DATA_URI`

Properties Automatically Skipped

These derived/computed properties are excluded from .env generation:

isProduction, isDevelopment, isTest, isUnitTest, isEndToEnd
secrets (handled separately via the secrets type)

Architecture

src/
├── index.ts              # CLI entry point (Commander.js)
├── types.ts              # Type definitions
├── nameConverter.ts      # camelCase <-> SCREAMING_SNAKE_CASE
├── packageDiscovery.ts   # Discovers packages with config.types.ts
├── typeParser.ts         # TypeScript AST parsing
├── envGenerator.ts       # .env file generation
└── commands/
    ├── generate.ts       # Generate command
    ├── validate.ts       # Validate command
    ├── diff.ts           # Diff command
    └── index.ts          # Command exports

Version 2

cwc-configuration-helper Package

CLI tool that generates, validates, and diffs .env files by dynamically parsing TypeScript config types from backend packages.

Core Design Principle

How It Works

Package Discovery: Scans packages/cwc-*/src/config/config.types.ts for backend packages with configuration
AST Parsing: Uses TypeScript Compiler API to extract type definitions, property names, and types
Name Conversion: Converts camelCase properties to SCREAMING_SNAKE_CASE env vars
Generation: Creates .env files with proper structure, comments, and placeholders

Config Type Pattern (Required)

For a package to be discovered and parsed, it must follow this exact pattern:

// packages/cwc-{name}/src/config/config.types.ts

export type Cwc{Name}ConfigSecrets = {
  databasePassword: string;
  apiKey: string;
};

export type Cwc{Name}Config = {
  // Environment (derived - skipped in .env)
  runtimeEnvironment: RuntimeEnvironment;
  isProduction: boolean;
  isDevelopment: boolean;
  isTest: boolean;
  isUnitTest: boolean;
  isEndToEnd: boolean;

  // Regular properties
  servicePort: number;
  corsOrigin: string;
  debugMode: boolean;

  // Secrets nested under 'secrets' property
  secrets: Cwc{Name}ConfigSecrets;
};

Naming conventions:

Main config type: Cwc{PascalCaseName}Config
Secrets type: Cwc{PascalCaseName}ConfigSecrets
Secrets must be nested under a secrets property

Secrets File Structure

Flat key-value structure - no package namespacing required:

{
  "DATABASE_PASSWORD": "secretpassword",
  "USER_JWT_SECRET": "secret-key-here",
  "SQL_CLIENT_API_KEY": "-----BEGIN PUBLIC KEY-----\n..."
}

Name Conversion Rules

camelCase properties → SCREAMING_SNAKE_CASE:

Property Name	Environment Variable
`servicePort`	`SERVICE_PORT`
`corsOrigin`	`CORS_ORIGIN`
`rateLimiterPoints`	`RATE_LIMITER_POINTS`
`userJwtSecret`	`USER_JWT_SECRET`
`dataUri`	`DATA_URI`

Properties Automatically Skipped

These derived/computed properties are excluded from .env generation:

isProduction, isDevelopment, isTest, isUnitTest, isEndToEnd
secrets (handled separately via the secrets type)

Architecture

src/
├── index.ts              # CLI entry point (Commander.js)
├── types.ts              # Type definitions
├── nameConverter.ts      # camelCase <-> SCREAMING_SNAKE_CASE
├── packageDiscovery.ts   # Discovers packages with config.types.ts
├── typeParser.ts         # TypeScript AST parsing
├── envGenerator.ts       # .env file generation
└── commands/
    ├── generate.ts       # Generate command
    ├── validate.ts       # Validate command
    ├── diff.ts           # Diff command
    └── index.ts          # Command exports

Version 3 (latest)

cwc-configuration-helper Package

CLI tool that generates, validates, and diffs .env files by dynamically parsing TypeScript config types from backend packages.

Core Design Principle

How It Works

Package Discovery: Scans packages/cwc-*/src/config/config.types.ts for backend packages with configuration
AST Parsing: Uses TypeScript Compiler API to extract type definitions, property names, and types
Name Conversion: Converts camelCase properties to SCREAMING_SNAKE_CASE env vars
Generation: Creates .env files with proper structure, comments, and placeholders

Config Type Pattern (Required)

For a package to be discovered and parsed, it must follow this exact pattern:

// packages/cwc-{name}/src/config/config.types.ts

export type Cwc{Name}ConfigSecrets = {
  databasePassword: string;
  apiKey: string;
};

export type Cwc{Name}Config = {
  // Environment (derived - skipped in .env)
  runtimeEnvironment: RuntimeEnvironment;
  isProduction: boolean;
  isDevelopment: boolean;
  isTest: boolean;
  isUnitTest: boolean;
  isEndToEnd: boolean;

  // Regular properties
  servicePort: number;
  corsOrigin: string;
  debugMode: boolean;

  // Secrets nested under 'secrets' property
  secrets: Cwc{Name}ConfigSecrets;
};

Naming conventions:

Main config type: Cwc{PascalCaseName}Config
Secrets type: Cwc{PascalCaseName}ConfigSecrets
Secrets must be nested under a secrets property

Secrets File Structure

Flat key-value structure - no package namespacing required:

{
  "DATABASE_PASSWORD": "secretpassword",
  "USER_JWT_SECRET": "secret-key-here",
  "SQL_CLIENT_API_KEY": "-----BEGIN PUBLIC KEY-----\n..."
}

Name Conversion Rules

camelCase properties → SCREAMING_SNAKE_CASE:

Property Name	Environment Variable
`servicePort`	`SERVICE_PORT`
`corsOrigin`	`CORS_ORIGIN`
`rateLimiterPoints`	`RATE_LIMITER_POINTS`
`userJwtSecret`	`USER_JWT_SECRET`
`dataUri`	`DATA_URI`

Properties Automatically Skipped

These derived/computed properties are excluded from .env generation:

isProduction, isDevelopment, isTest, isUnitTest, isEndToEnd
secrets (handled separately via the secrets type)

Centralized Configuration (configuration.ts)

The configuration.ts file provides centralized config values that are automatically used during .env generation:

RuntimeConfigValues: Environment-specific values (corsOrigin, dataUri, smtp settings, database settings, etc.)
ServiceConfigValues: Service-specific overrides (port, rateLimiter)

Dynamic Property Lookup: The getValueFromCentralConfig function uses dynamic lookup (propName in configRecord) rather than hardcoded mappings. When adding new properties to RuntimeConfigValues, they are automatically available without modifying envGenerator.ts.

Special Mappings:

servicePort → config.port (renamed property)
rateLimiterPoints/Duration → config.rateLimiter.points/duration (nested object)
smtp* properties → flattened from config.smtp object

Value Handling

Undefined vs Missing:

Property exists in config with undefined value → empty string in .env (intentionally not set)
Property not found in config → placeholder like <VALUE> (needs configuration)

Multiline Secrets: Values containing newlines (like PEM keys) are automatically:

Escaped: \n replaced with \\n
Quoted: wrapped in double quotes

Example: SQL_CLIENT_API_KEY="-----BEGIN PUBLIC KEY-----\n..."

Error Messages

Missing values are categorized by type with appropriate guidance:

Missing secrets → "update secrets file: {path}"
Missing config values → "update configuration.ts"

Architecture

src/
├── index.ts              # CLI entry point (Commander.js)
├── types.ts              # Type definitions
├── configuration.ts      # Centralized runtime and service config values
├── nameConverter.ts      # camelCase <-> SCREAMING_SNAKE_CASE
├── packageDiscovery.ts   # Discovers packages with config.types.ts
├── typeParser.ts         # TypeScript AST parsing
├── envGenerator.ts       # .env file generation
└── commands/
    ├── generate.ts       # Generate command
    ├── validate.ts       # Validate command
    ├── diff.ts           # Diff command
    └── index.ts          # Command exports

packages/cwc-configuration-helper/README.md

cwc-configuration-helper

CLI tool that generates, validates, and diffs .env files by dynamically parsing TypeScript config types from backend packages.

Overview

This tool eliminates manual maintenance of environment configuration by reading your TypeScript config types directly. When you add or change config properties in any backend package, the helper automatically reflects those changes.

How It Works

Scans packages/cwc-*/src/config/config.types.ts for backend packages
Uses TypeScript Compiler API to extract type definitions
Converts camelCase properties to SCREAMING_SNAKE_CASE env vars
Generates .env files with proper structure and placeholders

Installation

The package is part of the CWC monorepo. Build it with:

pnpm --filter cwc-configuration-helper build

CLI Commands

Run from the monorepo root using the shortcut script:

pnpm config-helper <command> -- [options]

generate

Generates .env files from TypeScript config types.

# Generate for all packages
pnpm config-helper generate -- -e dev -o ./env-files

# Generate for specific package
pnpm config-helper generate -- -e prod -p cwc-sql -o ./env-files

# With secrets file
pnpm config-helper generate -- -e dev -s ./secrets.json -o ./env-files --overwrite

Options:

Option	Description	Default
`-e, --environment <env>`	Runtime environment (dev, test, prod, unit, e2e)	Required
`-s, --secrets-file <path>`	Path to JSON secrets file	-
`-p, --package <name>`	Specific package to generate	All packages
`-o, --output-dir <path>`	Output directory for .env files	`./env-files`
`--overwrite`	Overwrite existing files	`false`

validate

Validates existing .env files against TypeScript config types.

pnpm config-helper validate -- -e dev --env-path ./env-files

Options:

Option	Description	Default
`-e, --environment <env>`	Runtime environment	Required
`-p, --package <name>`	Specific package to validate	All packages
`--env-path <path>`	Path to .env file or directory	Required

diff

Shows differences between TypeScript config types and existing .env files.

pnpm config-helper diff -- -e dev --env-path ./env-files

Options:

Option	Description	Default
`-e, --environment <env>`	Runtime environment	Required
`-p, --package <name>`	Specific package to diff	All packages
`--env-path <path>`	Path to .env file or directory	Required

Secrets File Format

The secrets file uses a flat key-value structure. The tool automatically matches env var names from each package's ConfigSecrets type against this list:

{
  "DATABASE_USER": "cwc_app",
  "DATABASE_PASSWORD": "your-secret-password",
  "SQL_CLIENT_API_KEY": "-----BEGIN PUBLIC KEY-----\n...",
  "USER_JWT_SECRET": "secret-key-here",
  "TEMP_JWT_SECRET": "another-secret"
}

Shared secrets (like DATABASE_PASSWORD) are automatically used by all packages that need them - no need to duplicate values per package.

Output File Naming

Generated files follow the pattern: {environment}.{package-name}.env

Examples:

dev.cwc-sql.env
prod.cwc-auth.env
test.cwc-storage.env

Config Type Requirements

For a package to be discovered, create src/config/config.types.ts following this pattern:

import type { RuntimeEnvironment } from 'cwc-types';

export type CwcMyPackageConfigSecrets = {
  databasePassword: string;
  apiKey: string;
};

export type CwcMyPackageConfig = {
  // Environment (derived - skipped in .env)
  runtimeEnvironment: RuntimeEnvironment;
  isProduction: boolean;
  isDevelopment: boolean;
  isTest: boolean;
  isUnitTest: boolean;
  isEndToEnd: boolean;

  // Regular properties
  servicePort: number;
  corsOrigin: string;
  debugMode: boolean;

  // Secrets nested under 'secrets' property
  secrets: CwcMyPackageConfigSecrets;
};

Conventions:

Main config type: Cwc{PascalCaseName}Config
Secrets type: Cwc{PascalCaseName}ConfigSecrets
Secrets must be nested under a secrets property

Name Conversion

camelCase properties are converted to SCREAMING_SNAKE_CASE:

Property Name	Environment Variable
`servicePort`	`SERVICE_PORT`
`corsOrigin`	`CORS_ORIGIN`
`rateLimiterPoints`	`RATE_LIMITER_POINTS`
`userJwtSecret`	`USER_JWT_SECRET`

Adding a New Backend Package

Create src/config/config.types.ts following the pattern above
Create src/config/loadConfig.ts using requireEnv(), optionalEnv(), etc. from cwc-backend-utils
Run cwc-config generate to create .env templates
No changes needed to cwc-configuration-helper itself

Dependencies

commander - CLI framework
chalk - Terminal styling
glob - File pattern matching
typescript - TypeScript Compiler API for AST parsing

Related Packages

Packages discovered by this tool:

cwc-sql - Database proxy service
cwc-auth - Authentication service
cwc-storage - File storage service

Patterns established in:

cwc-backend-utils - Provides requireEnv(), optionalEnv(), parseNumber(), parseBoolean(), parseJson()

packages/cwc-configuration-helper/src/commands/generate.ts

3 versions

Version 1

/**
 * Generate command implementation
 *
 * Generates .env files from TypeScript config types
 */

import chalk from 'chalk';
import type { GenerateOptions, MissingValue, RuntimeEnvironment } from '../types.js';
import { discoverPackages, findMonorepoRoot, findPackage } from '../packageDiscovery.js';
import { parseConfigTypes } from '../typeParser.js';
import {
  generateEnvContent,
  writeEnvFile,
  loadSecretsFile,
  getEnvOutputPath,
} from '../envGenerator.js';

/**
 * Aggregated missing values across all packages
 */
type PackageMissingValues = {
  packageName: string;
  missingValues: MissingValue[];
};

/**
 * Executes the generate command
 */
export async function generateCommand(options: GenerateOptions): Promise<void> {
  console.log(chalk.blue('\n=== cwc-configuration-helper: generate ===\n'));

  const monorepoRoot = findMonorepoRoot();
  console.log(chalk.gray(`Monorepo root: ${monorepoRoot}`));

  // Load secrets if provided
  let secrets = undefined;
  if (options.secretsFile) {
    console.log(chalk.gray(`Loading secrets from: ${options.secretsFile}`));
    secrets = loadSecretsFile(options.secretsFile);
    console.log(chalk.green(`✓ Secrets loaded`));
  }

  // Discover packages
  let packages;
  if (options.package) {
    const pkg = await findPackage(monorepoRoot, options.package);
    if (!pkg) {
      console.error(chalk.red(`Error: Package '${options.package}' not found or has no config.types.ts`));
      process.exit(1);
    }
    packages = [pkg];
  } else {
    packages = await discoverPackages(monorepoRoot);
  }

  console.log(chalk.gray(`Found ${packages.length} package(s) with configuration:\n`));

  // Track all missing values across packages
  const allMissingValues: PackageMissingValues[] = [];

  for (const pkg of packages) {
    console.log(chalk.cyan(`Processing ${pkg.name}...`));

    try {
      // Parse config types
      const config = parseConfigTypes(pkg);
      console.log(chalk.gray(`  Config type: ${config.configTypeName}`));
      console.log(chalk.gray(`  Properties: ${config.properties.length}`));
      console.log(chalk.gray(`  Secrets: ${config.secrets.length}`));

      // Generate .env content
      const result = generateEnvContent(config, {
        environment: options.environment,
        secrets,
      });

      // Track missing values for this package
      if (result.missingValues.length > 0) {
        allMissingValues.push({
          packageName: pkg.name,
          missingValues: result.missingValues,
        });
      }

      // Write file
      const outputPath = getEnvOutputPath(
        pkg.name,
        options.environment,
        options.outputDir
      );

      writeEnvFile(result.content, outputPath, options.overwrite);
      console.log(chalk.green(`  ✓ Generated: ${outputPath}`));

      if (result.missingValues.length > 0) {
        console.log(chalk.yellow(`  ⚠ ${result.missingValues.length} missing value(s)`));
      }
    } catch (error) {
      console.error(chalk.red(`  ✗ Failed: ${error}`));
    }
  }

  // Report missing values and exit with error if any
  if (allMissingValues.length > 0) {
    console.log(chalk.red('\n=== Error: Missing configuration values detected ===\n'));

    let totalMissing = 0;
    for (const pkg of allMissingValues) {
      console.log(chalk.yellow(`Package: ${pkg.packageName}`));
      for (const missing of pkg.missingValues) {
        const typeLabel = missing.type === 'secret' ? chalk.red('secret') : chalk.gray(missing.tsType);
        console.log(`  - ${missing.envVarName} (${typeLabel}): ${missing.reason}`);
        totalMissing++;
      }
      console.log('');
    }

    console.log(chalk.red(`Total: ${totalMissing} missing value(s) across ${allMissingValues.length} package(s)\n`));

    if (options.secretsFile) {
      console.log(chalk.yellow(`Please update your secrets file: ${options.secretsFile}\n`));
    } else {
      console.log(chalk.yellow(`Tip: Provide a secrets file with --secrets to populate secret values\n`));
    }

    process.exit(1);
  }

  console.log(chalk.blue('\n=== Generation complete ===\n'));
}

/**
 * Validates runtime environment string
 */
export function validateEnvironment(env: string): RuntimeEnvironment {
  const valid: RuntimeEnvironment[] = ['dev', 'test', 'prod', 'unit', 'e2e'];
  if (!valid.includes(env as RuntimeEnvironment)) {
    throw new Error(`Invalid environment '${env}'. Must be one of: ${valid.join(', ')}`);
  }
  return env as RuntimeEnvironment;
}

Version 2

/**
 * Generate command implementation
 *
 * Generates .env files from TypeScript config types
 */

import chalk from 'chalk';
import type { GenerateOptions, MissingValue, RuntimeEnvironment } from '../types.js';
import { discoverPackages, findMonorepoRoot, findPackage } from '../packageDiscovery.js';
import { parseConfigTypes } from '../typeParser.js';
import {
  generateEnvContent,
  writeEnvFile,
  loadSecretsFile,
  getEnvOutputPath,
} from '../envGenerator.js';

/**
 * Aggregated missing values across all packages
 */
type PackageMissingValues = {
  packageName: string;
  missingValues: MissingValue[];
};

/**
 * Executes the generate command
 */
export async function generateCommand(options: GenerateOptions): Promise<void> {
  console.log(chalk.blue('\n=== cwc-configuration-helper: generate ===\n'));

  const monorepoRoot = findMonorepoRoot();
  console.log(chalk.gray(`Monorepo root: ${monorepoRoot}`));

  // Load secrets if provided
  let secrets = undefined;
  if (options.secretsFile) {
    console.log(chalk.gray(`Loading secrets from: ${options.secretsFile}`));
    secrets = loadSecretsFile(options.secretsFile);
    console.log(chalk.green(`✓ Secrets loaded`));
  }

  // Discover packages
  let packages;
  if (options.package) {
    const pkg = await findPackage(monorepoRoot, options.package);
    if (!pkg) {
      console.error(
        chalk.red(`Error: Package '${options.package}' not found or has no config.types.ts`)
      );
      process.exit(1);
    }
    packages = [pkg];
  } else {
    packages = await discoverPackages(monorepoRoot);
  }

  console.log(chalk.gray(`Found ${packages.length} package(s) with configuration:\n`));

  // Track all missing values across packages
  const allMissingValues: PackageMissingValues[] = [];

  for (const pkg of packages) {
    console.log(chalk.cyan(`Processing ${pkg.name}...`));

    try {
      // Parse config types
      const config = parseConfigTypes(pkg);
      console.log(chalk.gray(`  Config type: ${config.configTypeName}`));
      console.log(chalk.gray(`  Properties: ${config.properties.length}`));
      console.log(chalk.gray(`  Secrets: ${config.secrets.length}`));

      // Generate .env content
      const result = generateEnvContent(config, {
        environment: options.environment,
        secrets,
      });

      // Track missing values for this package
      if (result.missingValues.length > 0) {
        allMissingValues.push({
          packageName: pkg.name,
          missingValues: result.missingValues,
        });
      }

      // Write file
      const outputPath = getEnvOutputPath(pkg.name, options.environment, options.outputDir);

      writeEnvFile(result.content, outputPath, options.overwrite);
      console.log(chalk.green(`  ✓ Generated: ${outputPath}`));

      if (result.missingValues.length > 0) {
        console.log(chalk.yellow(`  ⚠ ${result.missingValues.length} missing value(s)`));
      }
    } catch (error) {
      console.error(chalk.red(`  ✗ Failed: ${error}`));
    }
  }

  // Report missing values and exit with error if any
  if (allMissingValues.length > 0) {
    console.log(chalk.red('\n=== Error: Missing configuration values detected ===\n'));

    let totalMissing = 0;
    for (const pkg of allMissingValues) {
      console.log(chalk.yellow(`Package: ${pkg.packageName}`));
      for (const missing of pkg.missingValues) {
        const typeLabel =
          missing.type === 'secret' ? chalk.red('secret') : chalk.gray(missing.tsType);
        console.log(`  - ${missing.envVarName} (${typeLabel}): ${missing.reason}`);
        totalMissing++;
      }
      console.log('');
    }

    console.log(
      chalk.red(
        `Total: ${totalMissing} missing value(s) across ${allMissingValues.length} package(s)\n`
      )
    );

    if (options.secretsFile) {
      console.log(chalk.yellow(`Please update your secrets file: ${options.secretsFile}\n`));
    } else {
      console.log(
        chalk.yellow(`Tip: Provide a secrets file with --secrets to populate secret values\n`)
      );
    }

    process.exit(1);
  }

  console.log(chalk.blue('\n=== Generation complete ===\n'));
}

/**
 * Validates runtime environment string
 */
export function validateEnvironment(env: string): RuntimeEnvironment {
  const valid: RuntimeEnvironment[] = ['dev', 'test', 'prod', 'unit', 'e2e'];
  if (!valid.includes(env as RuntimeEnvironment)) {
    throw new Error(`Invalid environment '${env}'. Must be one of: ${valid.join(', ')}`);
  }
  return env as RuntimeEnvironment;
}

Version 3 (latest)

/**
 * Generate command implementation
 *
 * Generates .env files from TypeScript config types
 */

import chalk from 'chalk';
import type { GenerateOptions, MissingValue, RuntimeEnvironment } from '../types.js';
import { discoverPackages, findMonorepoRoot, findPackage } from '../packageDiscovery.js';
import { parseConfigTypes } from '../typeParser.js';
import {
  generateEnvContent,
  writeEnvFile,
  loadSecretsFile,
  getEnvOutputPath,
} from '../envGenerator.js';

/**
 * Aggregated missing values across all packages
 */
type PackageMissingValues = {
  packageName: string;
  missingValues: MissingValue[];
};

/**
 * Executes the generate command
 */
export async function generateCommand(options: GenerateOptions): Promise<void> {
  console.log(chalk.blue('\n=== cwc-configuration-helper: generate ===\n'));

  const monorepoRoot = findMonorepoRoot();
  console.log(chalk.gray(`Monorepo root: ${monorepoRoot}`));

  // Load secrets if provided
  let secrets = undefined;
  if (options.secretsFile) {
    console.log(chalk.gray(`Loading secrets from: ${options.secretsFile}`));
    secrets = loadSecretsFile(options.secretsFile);
    console.log(chalk.green(`✓ Secrets loaded`));
  }

  // Discover packages
  let packages;
  if (options.package) {
    const pkg = await findPackage(monorepoRoot, options.package);
    if (!pkg) {
      console.error(
        chalk.red(`Error: Package '${options.package}' not found or has no config.types.ts`)
      );
      process.exit(1);
    }
    packages = [pkg];
  } else {
    packages = await discoverPackages(monorepoRoot);
  }

  console.log(chalk.gray(`Found ${packages.length} package(s) with configuration:\n`));

  // Track all missing values across packages
  const allMissingValues: PackageMissingValues[] = [];

  for (const pkg of packages) {
    console.log(chalk.cyan(`Processing ${pkg.name}...`));

    try {
      // Parse config types
      const config = parseConfigTypes(pkg);
      console.log(chalk.gray(`  Config type: ${config.configTypeName}`));
      console.log(chalk.gray(`  Properties: ${config.properties.length}`));
      console.log(chalk.gray(`  Secrets: ${config.secrets.length}`));

      // Generate .env content
      const result = generateEnvContent(config, {
        environment: options.environment,
        secrets,
      });

      // Track missing values for this package
      if (result.missingValues.length > 0) {
        allMissingValues.push({
          packageName: pkg.name,
          missingValues: result.missingValues,
        });
      }

      // Write file
      const outputPath = getEnvOutputPath(pkg.name, options.environment, options.outputDir);

      writeEnvFile(result.content, outputPath, options.overwrite);
      console.log(chalk.green(`  ✓ Generated: ${outputPath}`));

      if (result.missingValues.length > 0) {
        console.log(chalk.yellow(`  ⚠ ${result.missingValues.length} missing value(s)`));
      }
    } catch (error) {
      console.error(chalk.red(`  ✗ Failed: ${error}`));
    }
  }

  // Report missing values and exit with error if any
  if (allMissingValues.length > 0) {
    console.log(chalk.red('\n=== Error: Missing configuration values detected ===\n'));

    let totalMissing = 0;
    for (const pkg of allMissingValues) {
      console.log(chalk.yellow(`Package: ${pkg.packageName}`));
      for (const missing of pkg.missingValues) {
        const typeLabel =
          missing.type === 'secret' ? chalk.red('secret') : chalk.gray(missing.tsType);
        console.log(`  - ${missing.envVarName} (${typeLabel}): ${missing.reason}`);
        totalMissing++;
      }
      console.log('');
    }

    // Count missing by type
    const missingSecrets = allMissingValues.flatMap((pkg) =>
      pkg.missingValues.filter((v) => v.type === 'secret')
    );
    const missingConfig = allMissingValues.flatMap((pkg) =>
      pkg.missingValues.filter((v) => v.type === 'regular')
    );

    console.log(
      chalk.red(
        `Total: ${totalMissing} missing value(s) across ${allMissingValues.length} package(s)\n`
      )
    );

    // Provide appropriate guidance based on what's missing
    if (missingConfig.length > 0) {
      console.log(
        chalk.yellow(
          `${missingConfig.length} missing configuration value(s) - update configuration.ts\n`
        )
      );
    }

    if (missingSecrets.length > 0) {
      if (options.secretsFile) {
        console.log(
          chalk.yellow(
            `${missingSecrets.length} missing secret(s) - update secrets file: ${options.secretsFile}\n`
          )
        );
      } else {
        console.log(
          chalk.yellow(
            `${missingSecrets.length} missing secret(s) - provide a secrets file with --secrets\n`
          )
        );
      }
    }

    process.exit(1);
  }

  console.log(chalk.blue('\n=== Generation complete ===\n'));
}

/**
 * Validates runtime environment string
 */
export function validateEnvironment(env: string): RuntimeEnvironment {
  const valid: RuntimeEnvironment[] = ['dev', 'test', 'prod', 'unit', 'e2e'];
  if (!valid.includes(env as RuntimeEnvironment)) {
    throw new Error(`Invalid environment '${env}'. Must be one of: ${valid.join(', ')}`);
  }
  return env as RuntimeEnvironment;
}

packages/cwc-configuration-helper/src/envGenerator.ts

6 versions

Version 1

/**
 * Environment file generator
 *
 * Generates .env files from parsed configuration types
 */

import fs from 'fs';
import path from 'path';
import type {
  ConfigProperty,
  GenerationResult,
  MissingValue,
  PackageConfig,
  RuntimeEnvironment,
  SecretsFile,
} from './types.js';
import { getConfig, isKnownService, type ServiceConfigValues } from './configuration.js';

/**
 * Options for generating .env content
 */
export type EnvGeneratorOptions = {
  /** Runtime environment */
  environment: RuntimeEnvironment;
  /** Secrets data loaded from secrets file */
  secrets?: SecretsFile | undefined;
};

/**
 * Generates .env file content for a package
 *
 * @param config Parsed package configuration
 * @param options Generator options
 * @returns .env file content as string
 */
export function generateEnvContent(
  config: PackageConfig,
  options: EnvGeneratorOptions
): string {
  const lines: string[] = [];
  const { environment, secrets } = options;

  // Get centralized config if this is a known service
  const centralConfig = isKnownService(config.packageName)
    ? getConfig(environment, config.packageName)
    : undefined;

  // Runtime environment (always first)
  lines.push('# Runtime Environment');
  lines.push(`RUNTIME_ENVIRONMENT=${environment}`);
  lines.push('');

  // Group non-secret properties by category (based on naming patterns)
  const categorized = categorizeProperties(config.properties);

  for (const [category, props] of Object.entries(categorized)) {
    if (props.length === 0) continue;

    lines.push(`# ${category}`);
    for (const prop of props) {
      const value = getDefaultValue(prop, environment, centralConfig);
      lines.push(`${prop.envVarName}=${value}`);
    }
    lines.push('');
  }

  // Secrets section
  if (config.secrets.length > 0) {
    lines.push('# Secrets');
    for (const prop of config.secrets) {
      const secretValue = getSecretValue(prop.envVarName, secrets);
      lines.push(`${prop.envVarName}=${secretValue}`);
    }
    lines.push('');
  }

  return lines.join('\n');
}

/**
 * Writes .env file to disk
 *
 * @param content .env file content
 * @param outputPath Output file path
 * @param overwrite Whether to overwrite existing file
 */
export function writeEnvFile(content: string, outputPath: string, overwrite: boolean): void {
  const dir = path.dirname(outputPath);

  // Create directory if it doesn't exist
  if (!fs.existsSync(dir)) {
    fs.mkdirSync(dir, { recursive: true });
  }

  // Check if file exists and overwrite flag
  if (fs.existsSync(outputPath) && !overwrite) {
    throw new Error(
      `File ${outputPath} already exists. Use --overwrite to replace it.`
    );
  }

  fs.writeFileSync(outputPath, content, 'utf-8');
}

/**
 * Loads secrets from a JSON file
 *
 * @param secretsPath Path to secrets JSON file
 * @returns Parsed secrets file
 */
export function loadSecretsFile(secretsPath: string): SecretsFile {
  if (!fs.existsSync(secretsPath)) {
    throw new Error(`Secrets file not found: ${secretsPath}`);
  }

  const content = fs.readFileSync(secretsPath, 'utf-8');
  try {
    return JSON.parse(content) as SecretsFile;
  } catch (error) {
    throw new Error(`Failed to parse secrets file ${secretsPath}: ${error}`);
  }
}

/**
 * Categorizes properties into logical groups
 */
function categorizeProperties(
  properties: ConfigProperty[]
): Record<string, ConfigProperty[]> {
  const categories: Record<string, ConfigProperty[]> = {
    'Service': [],
    'Security': [],
    'Rate Limiting': [],
    'Database': [],
    'JWT': [],
    'SMTP': [],
    'Development': [],
    'Debugging': [],
    'Storage': [],
    'Logging': [],
    'Other': [],
  };

  for (const prop of properties) {
    const category = inferCategory(prop);
    if (categories[category]) {
      categories[category].push(prop);
    } else {
      categories['Other']?.push(prop);
    }
  }

  return categories;
}

/**
 * Infers category from property name
 */
function inferCategory(prop: ConfigProperty): string {
  const name = prop.propertyName.toLowerCase();

  if (name.includes('port') || name === 'serviceport') return 'Service';
  if (name.includes('cors') || name.includes('allowed')) return 'Security';
  if (name.includes('ratelimiter')) return 'Rate Limiting';
  if (name.includes('database') || (name.includes('data') && name.includes('uri'))) return 'Database';
  if (name.includes('jwt')) return 'JWT';
  if (name.includes('smtp')) return 'SMTP';
  if (name.includes('dev') || name.includes('development')) return 'Development';
  if (name.includes('debug')) return 'Debugging';
  if (name.includes('storage') || name.includes('volume')) return 'Storage';
  if (name.includes('log')) return 'Logging';

  return 'Other';
}

/**
 * Maps a property name to its value from centralized config
 */
function getValueFromCentralConfig(
  propName: string,
  config: ServiceConfigValues
): string | undefined {
  // Direct property mappings
  const directMappings: Record<string, unknown> = {
    servicePort: config.port,
    corsOrigin: config.corsOrigin,
    dataUri: config.dataUri,
    storageUri: config.storageUri,
    authUri: config.authUri,
    appUrl: config.appUrl,
    debugMode: config.debugMode,
    logErrorsToDatabase: config.logErrorsToDatabase,
    userJwtExpiresIn: config.userJwtExpiresIn,
    userJwtExpiresInKulo: config.userJwtExpiresInKulo,
    tempJwtExpiresIn: config.tempJwtExpiresIn,
  };

  // Rate limiter mappings
  if (propName === 'rateLimiterPoints' && config.rateLimiter) {
    return String(config.rateLimiter.points);
  }
  if (propName === 'rateLimiterDuration' && config.rateLimiter) {
    return String(config.rateLimiter.duration);
  }

  // SMTP mappings (flatten nested smtp object)
  if (config.smtp) {
    const smtpMappings: Record<string, unknown> = {
      smtpUseSandbox: config.smtp.useSandbox,
      smtpSandboxAddress: config.smtp.sandboxAddress,
      smtpServiceName: config.smtp.serviceName,
      smtpAuthType: config.smtp.authType,
      smtpSenderAddress: config.smtp.senderAddress,
      smtpSenderName: config.smtp.senderName,
    };
    if (propName in smtpMappings) {
      const value = smtpMappings[propName];
      if (typeof value === 'boolean') {
        return value ? 'ON' : 'OFF';
      }
      return value !== undefined ? String(value) : undefined;
    }
  }

  // Check direct mappings
  if (propName in directMappings) {
    const value = directMappings[propName];
    if (value === undefined) return undefined;

    // Convert booleans to ON/OFF
    if (typeof value === 'boolean') {
      return value ? 'ON' : 'OFF';
    }

    return String(value);
  }

  return undefined;
}

/**
 * Gets default value for a property based on type, environment, and centralized config
 */
function getDefaultValue(
  prop: ConfigProperty,
  environment: RuntimeEnvironment,
  centralConfig: ServiceConfigValues | undefined
): string {
  // If we have a default value from parsing, use it
  if (prop.defaultValue !== undefined) {
    return prop.defaultValue;
  }

  // Try to get value from centralized config first
  if (centralConfig) {
    const configValue = getValueFromCentralConfig(prop.propertyName, centralConfig);
    if (configValue !== undefined) {
      return configValue;
    }
  }

  // Fallback: provide reasonable defaults based on type and name
  const name = prop.propertyName.toLowerCase();

  // Boolean defaults
  if (prop.tsType === 'boolean') {
    if (name.includes('debug')) {
      return environment === 'dev' ? 'ON' : 'OFF';
    }
    if (name.includes('log')) {
      return environment === 'prod' ? 'ON' : 'OFF';
    }
    return 'OFF';
  }

  // Number defaults
  if (prop.tsType === 'number') {
    if (name.includes('port')) {
      return '<PORT>';
    }
    if (name.includes('points')) {
      return '15';
    }
    if (name.includes('duration')) {
      return '1';
    }
    return '<NUMBER>';
  }

  // Array defaults
  if (prop.tsType.includes('[]')) {
    return '[]';
  }

  // String defaults
  if (prop.tsType === 'string') {
    if (name.includes('origin')) {
      return environment === 'dev' ? '*' : '<CORS_ORIGIN>';
    }
    if (name.includes('path')) {
      return '<PATH>';
    }
    if (name.includes('uri')) {
      return '<URI>';
    }
    if (name.includes('expires')) {
      return '15m';
    }
    return '<VALUE>';
  }

  return '<VALUE>';
}

/**
 * Gets secret value from secrets file or placeholder
 *
 * Looks up the env var name directly in the flat secrets structure.
 * The same secret value is used across all packages that need it.
 */
function getSecretValue(envVarName: string, secrets?: SecretsFile): string {
  if (secrets && secrets[envVarName]) {
    return secrets[envVarName];
  }

  // Return placeholder that makes it obvious this needs to be filled in
  return `<SECRET:${envVarName}>`;
}

/**
 * Generates the output path for a .env file
 *
 * @param packageName Package name
 * @param environment Runtime environment
 * @param outputDir Base output directory
 * @returns Full output path
 */
export function getEnvOutputPath(
  packageName: string,
  environment: RuntimeEnvironment,
  outputDir: string
): string {
  // Pattern: {outputDir}/{environment}.{packageName}.env
  // e.g., ./env-files/dev.cwc-sql.env
  const filename = `${environment}.${packageName}.env`;
  return path.join(outputDir, filename);
}

Version 2

/**
 * Environment file generator
 *
 * Generates .env files from parsed configuration types
 */

import fs from 'fs';
import path from 'path';
import type {
  ConfigProperty,
  GenerationResult,
  MissingValue,
  PackageConfig,
  RuntimeEnvironment,
  SecretsFile,
} from './types.js';
import { getConfig, isKnownService, type ServiceConfigValues } from './configuration.js';

/**
 * Options for generating .env content
 */
export type EnvGeneratorOptions = {
  /** Runtime environment */
  environment: RuntimeEnvironment;
  /** Secrets data loaded from secrets file */
  secrets?: SecretsFile | undefined;
};

/**
 * Result of getting a value, including whether it's missing
 */
type ValueResult = {
  value: string;
  missing?: MissingValue | undefined;
};

/**
 * Generates .env file content for a package
 *
 * @param config Parsed package configuration
 * @param options Generator options
 * @returns GenerationResult with content and any missing values
 */
export function generateEnvContent(
  config: PackageConfig,
  options: EnvGeneratorOptions
): GenerationResult {
  const lines: string[] = [];
  const missingValues: MissingValue[] = [];
  const { environment, secrets } = options;

  // Get centralized config if this is a known service
  const centralConfig = isKnownService(config.packageName)
    ? getConfig(environment, config.packageName)
    : undefined;

  // Runtime environment (always first)
  lines.push('# Runtime Environment');
  lines.push(`RUNTIME_ENVIRONMENT=${environment}`);
  lines.push('');

  // Group non-secret properties by category (based on naming patterns)
  const categorized = categorizeProperties(config.properties);

  for (const [category, props] of Object.entries(categorized)) {
    if (props.length === 0) continue;

    lines.push(`# ${category}`);
    for (const prop of props) {
      const result = getDefaultValue(prop, environment, centralConfig);
      lines.push(`${prop.envVarName}=${result.value}`);
      if (result.missing) {
        missingValues.push(result.missing);
      }
    }
    lines.push('');
  }

  // Secrets section
  if (config.secrets.length > 0) {
    lines.push('# Secrets');
    for (const prop of config.secrets) {
      const result = getSecretValue(prop, secrets);
      lines.push(`${prop.envVarName}=${result.value}`);
      if (result.missing) {
        missingValues.push(result.missing);
      }
    }
    lines.push('');
  }

  return {
    content: lines.join('\n'),
    missingValues,
  };
}

/**
 * Writes .env file to disk
 *
 * @param content .env file content
 * @param outputPath Output file path
 * @param overwrite Whether to overwrite existing file
 */
export function writeEnvFile(content: string, outputPath: string, overwrite: boolean): void {
  const dir = path.dirname(outputPath);

  // Create directory if it doesn't exist
  if (!fs.existsSync(dir)) {
    fs.mkdirSync(dir, { recursive: true });
  }

  // Check if file exists and overwrite flag
  if (fs.existsSync(outputPath) && !overwrite) {
    throw new Error(
      `File ${outputPath} already exists. Use --overwrite to replace it.`
    );
  }

  fs.writeFileSync(outputPath, content, 'utf-8');
}

/**
 * Loads secrets from a JSON file
 *
 * @param secretsPath Path to secrets JSON file
 * @returns Parsed secrets file
 */
export function loadSecretsFile(secretsPath: string): SecretsFile {
  if (!fs.existsSync(secretsPath)) {
    throw new Error(`Secrets file not found: ${secretsPath}`);
  }

  const content = fs.readFileSync(secretsPath, 'utf-8');
  try {
    return JSON.parse(content) as SecretsFile;
  } catch (error) {
    throw new Error(`Failed to parse secrets file ${secretsPath}: ${error}`);
  }
}

/**
 * Categorizes properties into logical groups
 */
function categorizeProperties(
  properties: ConfigProperty[]
): Record<string, ConfigProperty[]> {
  const categories: Record<string, ConfigProperty[]> = {
    'Service': [],
    'Security': [],
    'Rate Limiting': [],
    'Database': [],
    'JWT': [],
    'SMTP': [],
    'Development': [],
    'Debugging': [],
    'Storage': [],
    'Logging': [],
    'Other': [],
  };

  for (const prop of properties) {
    const category = inferCategory(prop);
    if (categories[category]) {
      categories[category].push(prop);
    } else {
      categories['Other']?.push(prop);
    }
  }

  return categories;
}

/**
 * Infers category from property name
 */
function inferCategory(prop: ConfigProperty): string {
  const name = prop.propertyName.toLowerCase();

  if (name.includes('port') || name === 'serviceport') return 'Service';
  if (name.includes('cors') || name.includes('allowed')) return 'Security';
  if (name.includes('ratelimiter')) return 'Rate Limiting';
  if (name.includes('database') || (name.includes('data') && name.includes('uri'))) return 'Database';
  if (name.includes('jwt')) return 'JWT';
  if (name.includes('smtp')) return 'SMTP';
  if (name.includes('dev') || name.includes('development')) return 'Development';
  if (name.includes('debug')) return 'Debugging';
  if (name.includes('storage') || name.includes('volume')) return 'Storage';
  if (name.includes('log')) return 'Logging';

  return 'Other';
}

/**
 * Maps a property name to its value from centralized config
 */
function getValueFromCentralConfig(
  propName: string,
  config: ServiceConfigValues
): string | undefined {
  // Direct property mappings
  const directMappings: Record<string, unknown> = {
    servicePort: config.port,
    corsOrigin: config.corsOrigin,
    dataUri: config.dataUri,
    storageUri: config.storageUri,
    authUri: config.authUri,
    appUrl: config.appUrl,
    debugMode: config.debugMode,
    logErrorsToDatabase: config.logErrorsToDatabase,
    userJwtExpiresIn: config.userJwtExpiresIn,
    userJwtExpiresInKulo: config.userJwtExpiresInKulo,
    tempJwtExpiresIn: config.tempJwtExpiresIn,
  };

  // Rate limiter mappings
  if (propName === 'rateLimiterPoints' && config.rateLimiter) {
    return String(config.rateLimiter.points);
  }
  if (propName === 'rateLimiterDuration' && config.rateLimiter) {
    return String(config.rateLimiter.duration);
  }

  // SMTP mappings (flatten nested smtp object)
  if (config.smtp) {
    const smtpMappings: Record<string, unknown> = {
      smtpUseSandbox: config.smtp.useSandbox,
      smtpSandboxAddress: config.smtp.sandboxAddress,
      smtpServiceName: config.smtp.serviceName,
      smtpAuthType: config.smtp.authType,
      smtpSenderAddress: config.smtp.senderAddress,
      smtpSenderName: config.smtp.senderName,
    };
    if (propName in smtpMappings) {
      const value = smtpMappings[propName];
      if (typeof value === 'boolean') {
        return value ? 'ON' : 'OFF';
      }
      return value !== undefined ? String(value) : undefined;
    }
  }

  // Check direct mappings
  if (propName in directMappings) {
    const value = directMappings[propName];
    if (value === undefined) return undefined;

    // Convert booleans to ON/OFF
    if (typeof value === 'boolean') {
      return value ? 'ON' : 'OFF';
    }

    return String(value);
  }

  return undefined;
}

/**
 * Gets default value for a property based on type, environment, and centralized config
 * Returns ValueResult with the value and optional missing info if using a placeholder
 */
function getDefaultValue(
  prop: ConfigProperty,
  environment: RuntimeEnvironment,
  centralConfig: ServiceConfigValues | undefined
): ValueResult {
  // If we have a default value from parsing, use it
  if (prop.defaultValue !== undefined) {
    return { value: prop.defaultValue };
  }

  // Try to get value from centralized config first
  if (centralConfig) {
    const configValue = getValueFromCentralConfig(prop.propertyName, centralConfig);
    if (configValue !== undefined) {
      return { value: configValue };
    }
  }

  // Fallback: provide reasonable defaults based on type and name
  const name = prop.propertyName.toLowerCase();

  // Boolean defaults - these have sensible defaults, not considered "missing"
  if (prop.tsType === 'boolean') {
    if (name.includes('debug')) {
      return { value: environment === 'dev' ? 'ON' : 'OFF' };
    }
    if (name.includes('log')) {
      return { value: environment === 'prod' ? 'ON' : 'OFF' };
    }
    return { value: 'OFF' };
  }

  // Number defaults
  if (prop.tsType === 'number') {
    if (name.includes('points')) {
      return { value: '15' };
    }
    if (name.includes('duration')) {
      return { value: '1' };
    }
    // Port and other numbers need to be provided
    if (name.includes('port')) {
      return {
        value: '<PORT>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: 'no port value configured',
        },
      };
    }
    return {
      value: '<NUMBER>',
      missing: {
        envVarName: prop.envVarName,
        propertyName: prop.propertyName,
        type: 'regular',
        tsType: prop.tsType,
        reason: 'no numeric value configured',
      },
    };
  }

  // Array defaults - empty array is a reasonable default
  if (prop.tsType.includes('[]')) {
    return { value: '[]' };
  }

  // String defaults
  if (prop.tsType === 'string') {
    // Dev environment allows wildcard CORS
    if (name.includes('origin') && environment === 'dev') {
      return { value: '*' };
    }
    // Expires has a sensible default
    if (name.includes('expires')) {
      return { value: '15m' };
    }

    // These need to be provided
    if (name.includes('origin')) {
      return {
        value: '<CORS_ORIGIN>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: `no CORS origin configured for ${environment} environment`,
        },
      };
    }
    if (name.includes('path')) {
      return {
        value: '<PATH>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: 'no path value configured',
        },
      };
    }
    if (name.includes('uri')) {
      return {
        value: '<URI>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: 'no URI value configured',
        },
      };
    }
    return {
      value: '<VALUE>',
      missing: {
        envVarName: prop.envVarName,
        propertyName: prop.propertyName,
        type: 'regular',
        tsType: prop.tsType,
        reason: 'no value configured',
      },
    };
  }

  return {
    value: '<VALUE>',
    missing: {
      envVarName: prop.envVarName,
      propertyName: prop.propertyName,
      type: 'regular',
      tsType: prop.tsType,
      reason: 'no value configured',
    },
  };
}

/**
 * Gets secret value from secrets file or returns missing info
 *
 * Looks up the env var name directly in the flat secrets structure.
 * The same secret value is used across all packages that need it.
 */
function getSecretValue(prop: ConfigProperty, secrets?: SecretsFile): ValueResult {
  const secretValue = secrets?.[prop.envVarName];
  if (secretValue !== undefined) {
    return { value: secretValue };
  }

  // Return placeholder and mark as missing
  return {
    value: `<SECRET:${prop.envVarName}>`,
    missing: {
      envVarName: prop.envVarName,
      propertyName: prop.propertyName,
      type: 'secret',
      tsType: prop.tsType,
      reason: 'not found in secrets file',
    },
  };
}

/**
 * Generates the output path for a .env file
 *
 * @param packageName Package name
 * @param environment Runtime environment
 * @param outputDir Base output directory
 * @returns Full output path
 */
export function getEnvOutputPath(
  packageName: string,
  environment: RuntimeEnvironment,
  outputDir: string
): string {
  // Pattern: {outputDir}/{environment}.{packageName}.env
  // e.g., ./env-files/dev.cwc-sql.env
  const filename = `${environment}.${packageName}.env`;
  return path.join(outputDir, filename);
}

Version 3

/**
 * Environment file generator
 *
 * Generates .env files from parsed configuration types
 */

import fs from 'fs';
import path from 'path';
import type {
  ConfigProperty,
  GenerationResult,
  MissingValue,
  PackageConfig,
  RuntimeEnvironment,
  SecretsFile,
} from './types.js';
import { getConfig, isKnownService, type ServiceConfigValues } from './configuration.js';

/**
 * Options for generating .env content
 */
export type EnvGeneratorOptions = {
  /** Runtime environment */
  environment: RuntimeEnvironment;
  /** Secrets data loaded from secrets file */
  secrets?: SecretsFile | undefined;
};

/**
 * Result of getting a value, including whether it's missing
 */
type ValueResult = {
  value: string;
  missing?: MissingValue | undefined;
};

/**
 * Generates .env file content for a package
 *
 * @param config Parsed package configuration
 * @param options Generator options
 * @returns GenerationResult with content and any missing values
 */
export function generateEnvContent(
  config: PackageConfig,
  options: EnvGeneratorOptions
): GenerationResult {
  const lines: string[] = [];
  const missingValues: MissingValue[] = [];
  const { environment, secrets } = options;

  // Get centralized config if this is a known service
  const centralConfig = isKnownService(config.packageName)
    ? getConfig(environment, config.packageName)
    : undefined;

  // Runtime environment (always first)
  lines.push('# Runtime Environment');
  lines.push(`RUNTIME_ENVIRONMENT=${environment}`);
  lines.push('');

  // Group non-secret properties by category (based on naming patterns)
  const categorized = categorizeProperties(config.properties);

  for (const [category, props] of Object.entries(categorized)) {
    if (props.length === 0) continue;

    lines.push(`# ${category}`);
    for (const prop of props) {
      const result = getDefaultValue(prop, environment, centralConfig);

      console.log('***********************************************************');
      console.log({ prop, environment, centralConfig, result });

      lines.push(`${prop.envVarName}=${result.value}`);
      if (result.missing) {
        missingValues.push(result.missing);
      }
    }
    lines.push('');
  }

  // Secrets section
  if (config.secrets.length > 0) {
    lines.push('# Secrets');
    for (const prop of config.secrets) {
      const result = getSecretValue(prop, secrets);
      lines.push(`${prop.envVarName}=${result.value}`);
      if (result.missing) {
        missingValues.push(result.missing);
      }
    }
    lines.push('');
  }

  return {
    content: lines.join('\n'),
    missingValues,
  };
}

/**
 * Writes .env file to disk
 *
 * @param content .env file content
 * @param outputPath Output file path
 * @param overwrite Whether to overwrite existing file
 */
export function writeEnvFile(content: string, outputPath: string, overwrite: boolean): void {
  const dir = path.dirname(outputPath);

  // Create directory if it doesn't exist
  if (!fs.existsSync(dir)) {
    fs.mkdirSync(dir, { recursive: true });
  }

  // Check if file exists and overwrite flag
  if (fs.existsSync(outputPath) && !overwrite) {
    throw new Error(`File ${outputPath} already exists. Use --overwrite to replace it.`);
  }

  fs.writeFileSync(outputPath, content, 'utf-8');
}

/**
 * Loads secrets from a JSON file
 *
 * @param secretsPath Path to secrets JSON file
 * @returns Parsed secrets file
 */
export function loadSecretsFile(secretsPath: string): SecretsFile {
  if (!fs.existsSync(secretsPath)) {
    throw new Error(`Secrets file not found: ${secretsPath}`);
  }

  const content = fs.readFileSync(secretsPath, 'utf-8');
  try {
    return JSON.parse(content) as SecretsFile;
  } catch (error) {
    throw new Error(`Failed to parse secrets file ${secretsPath}: ${error}`);
  }
}

/**
 * Categorizes properties into logical groups
 */
function categorizeProperties(properties: ConfigProperty[]): Record<string, ConfigProperty[]> {
  const categories: Record<string, ConfigProperty[]> = {
    Service: [],
    Security: [],
    'Rate Limiting': [],
    Database: [],
    JWT: [],
    SMTP: [],
    Development: [],
    Debugging: [],
    Storage: [],
    Logging: [],
    Other: [],
  };

  for (const prop of properties) {
    const category = inferCategory(prop);
    if (categories[category]) {
      categories[category].push(prop);
    } else {
      categories['Other']?.push(prop);
    }
  }

  return categories;
}

/**
 * Infers category from property name
 */
function inferCategory(prop: ConfigProperty): string {
  const name = prop.propertyName.toLowerCase();

  if (name.includes('port') || name === 'serviceport') return 'Service';
  if (name.includes('cors') || name.includes('allowed')) return 'Security';
  if (name.includes('ratelimiter')) return 'Rate Limiting';
  if (name.includes('database') || (name.includes('data') && name.includes('uri')))
    return 'Database';
  if (name.includes('jwt')) return 'JWT';
  if (name.includes('smtp')) return 'SMTP';
  if (name.includes('dev') || name.includes('development')) return 'Development';
  if (name.includes('debug')) return 'Debugging';
  if (name.includes('storage') || name.includes('volume')) return 'Storage';
  if (name.includes('log')) return 'Logging';

  return 'Other';
}

/**
 * Maps a property name to its value from centralized config
 */
function getValueFromCentralConfig(
  propName: string,
  config: ServiceConfigValues
): string | undefined {
  // Direct property mappings
  const directMappings: Record<string, unknown> = {
    servicePort: config.port,
    corsOrigin: config.corsOrigin,
    dataUri: config.dataUri,
    storageUri: config.storageUri,
    authUri: config.authUri,
    appUrl: config.appUrl,
    debugMode: config.debugMode,
    logErrorsToDatabase: config.logErrorsToDatabase,
    userJwtExpiresIn: config.userJwtExpiresIn,
    userJwtExpiresInKulo: config.userJwtExpiresInKulo,
    tempJwtExpiresIn: config.tempJwtExpiresIn,
  };

  // Rate limiter mappings
  if (propName === 'rateLimiterPoints' && config.rateLimiter) {
    return String(config.rateLimiter.points);
  }
  if (propName === 'rateLimiterDuration' && config.rateLimiter) {
    return String(config.rateLimiter.duration);
  }

  // SMTP mappings (flatten nested smtp object)
  if (config.smtp) {
    const smtpMappings: Record<string, unknown> = {
      smtpUseSandbox: config.smtp.useSandbox,
      smtpSandboxAddress: config.smtp.sandboxAddress,
      smtpServiceName: config.smtp.serviceName,
      smtpAuthType: config.smtp.authType,
      smtpSenderAddress: config.smtp.senderAddress,
      smtpSenderName: config.smtp.senderName,
    };
    if (propName in smtpMappings) {
      const value = smtpMappings[propName];
      if (typeof value === 'boolean') {
        return value ? 'ON' : 'OFF';
      }
      return value !== undefined ? String(value) : undefined;
    }
  }

  // Check direct mappings
  if (propName in directMappings) {
    const value = directMappings[propName];
    if (value === undefined) return undefined;

    // Convert booleans to ON/OFF
    if (typeof value === 'boolean') {
      return value ? 'ON' : 'OFF';
    }

    return String(value);
  }

  return undefined;
}

/**
 * Gets default value for a property based on type, environment, and centralized config
 * Returns ValueResult with the value and optional missing info if using a placeholder
 */
function getDefaultValue(
  prop: ConfigProperty,
  environment: RuntimeEnvironment,
  centralConfig: ServiceConfigValues | undefined
): ValueResult {
  // If we have a default value from parsing, use it
  if (prop.defaultValue !== undefined) {
    return { value: prop.defaultValue };
  }

  // Try to get value from centralized config first
  if (centralConfig) {
    const configValue = getValueFromCentralConfig(prop.propertyName, centralConfig);
    if (configValue !== undefined) {
      return { value: configValue };
    }
  }

  // Fallback: provide reasonable defaults based on type and name
  const name = prop.propertyName.toLowerCase();

  // Boolean defaults - these have sensible defaults, not considered "missing"
  if (prop.tsType === 'boolean') {
    if (name.includes('debug')) {
      return { value: environment === 'dev' ? 'ON' : 'OFF' };
    }
    if (name.includes('log')) {
      return { value: environment === 'prod' ? 'ON' : 'OFF' };
    }
    return { value: 'OFF' };
  }

  // Number defaults
  if (prop.tsType === 'number') {
    if (name.includes('points')) {
      return { value: '15' };
    }
    if (name.includes('duration')) {
      return { value: '1' };
    }
    // Port and other numbers need to be provided
    if (name.includes('port')) {
      return {
        value: '<PORT>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: 'no port value configured',
        },
      };
    }
    return {
      value: '<NUMBER>',
      missing: {
        envVarName: prop.envVarName,
        propertyName: prop.propertyName,
        type: 'regular',
        tsType: prop.tsType,
        reason: 'no numeric value configured',
      },
    };
  }

  // Array defaults - empty array is a reasonable default
  if (prop.tsType.includes('[]')) {
    return { value: '[]' };
  }

  // String defaults
  if (prop.tsType === 'string') {
    // Dev environment allows wildcard CORS
    if (name.includes('origin') && environment === 'dev') {
      return { value: '*' };
    }
    // Expires has a sensible default
    if (name.includes('expires')) {
      return { value: '15m' };
    }

    // These need to be provided
    if (name.includes('origin')) {
      console.log('getDefaultValue', { name, prop });
      return {
        value: '<CORS_ORIGIN>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: `no CORS origin configured for ${environment} environment`,
        },
      };
    }
    if (name.includes('path')) {
      return {
        value: '<PATH>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: 'no path value configured',
        },
      };
    }
    if (name.includes('uri')) {
      return {
        value: '<URI>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: 'no URI value configured',
        },
      };
    }
    return {
      value: '<VALUE>',
      missing: {
        envVarName: prop.envVarName,
        propertyName: prop.propertyName,
        type: 'regular',
        tsType: prop.tsType,
        reason: 'no value configured',
      },
    };
  }

  return {
    value: '<VALUE>',
    missing: {
      envVarName: prop.envVarName,
      propertyName: prop.propertyName,
      type: 'regular',
      tsType: prop.tsType,
      reason: 'no value configured',
    },
  };
}

/**
 * Gets secret value from secrets file or returns missing info
 *
 * Looks up the env var name directly in the flat secrets structure.
 * The same secret value is used across all packages that need it.
 */
function getSecretValue(prop: ConfigProperty, secrets?: SecretsFile): ValueResult {
  const secretValue = secrets?.[prop.envVarName];
  if (secretValue !== undefined) {
    return { value: secretValue };
  }

  // Return placeholder and mark as missing
  return {
    value: `<SECRET:${prop.envVarName}>`,
    missing: {
      envVarName: prop.envVarName,
      propertyName: prop.propertyName,
      type: 'secret',
      tsType: prop.tsType,
      reason: 'not found in secrets file',
    },
  };
}

/**
 * Generates the output path for a .env file
 *
 * @param packageName Package name
 * @param environment Runtime environment
 * @param outputDir Base output directory
 * @returns Full output path
 */
export function getEnvOutputPath(
  packageName: string,
  environment: RuntimeEnvironment,
  outputDir: string
): string {
  // Pattern: {outputDir}/{environment}.{packageName}.env
  // e.g., ./env-files/dev.cwc-sql.env
  const filename = `${environment}.${packageName}.env`;
  return path.join(outputDir, filename);
}

Version 4

/**
 * Environment file generator
 *
 * Generates .env files from parsed configuration types
 */

import fs from 'fs';
import path from 'path';
import type {
  ConfigProperty,
  GenerationResult,
  MissingValue,
  PackageConfig,
  RuntimeEnvironment,
  SecretsFile,
} from './types.js';
import { getConfig, isKnownService, type ServiceConfigValues } from './configuration.js';

/**
 * Options for generating .env content
 */
export type EnvGeneratorOptions = {
  /** Runtime environment */
  environment: RuntimeEnvironment;
  /** Secrets data loaded from secrets file */
  secrets?: SecretsFile | undefined;
};

/**
 * Result of getting a value, including whether it's missing
 */
type ValueResult = {
  value: string;
  missing?: MissingValue | undefined;
};

/**
 * Generates .env file content for a package
 *
 * @param config Parsed package configuration
 * @param options Generator options
 * @returns GenerationResult with content and any missing values
 */
export function generateEnvContent(
  config: PackageConfig,
  options: EnvGeneratorOptions
): GenerationResult {
  const lines: string[] = [];
  const missingValues: MissingValue[] = [];
  const { environment, secrets } = options;

  // Get centralized config if this is a known service
  const centralConfig = isKnownService(config.packageName)
    ? getConfig(environment, config.packageName)
    : undefined;

  // Runtime environment (always first)
  lines.push('# Runtime Environment');
  lines.push(`RUNTIME_ENVIRONMENT=${environment}`);
  lines.push('');

  // Group non-secret properties by category (based on naming patterns)
  const categorized = categorizeProperties(config.properties);

  for (const [category, props] of Object.entries(categorized)) {
    if (props.length === 0) continue;

    lines.push(`# ${category}`);
    for (const prop of props) {
      const result = getDefaultValue(prop, environment, centralConfig);
      lines.push(`${prop.envVarName}=${result.value}`);
      if (result.missing) {
        missingValues.push(result.missing);
      }
    }
    lines.push('');
  }

  // Secrets section
  if (config.secrets.length > 0) {
    lines.push('# Secrets');
    for (const prop of config.secrets) {
      const result = getSecretValue(prop, secrets);
      lines.push(`${prop.envVarName}=${result.value}`);
      if (result.missing) {
        missingValues.push(result.missing);
      }
    }
    lines.push('');
  }

  return {
    content: lines.join('\n'),
    missingValues,
  };
}

/**
 * Writes .env file to disk
 *
 * @param content .env file content
 * @param outputPath Output file path
 * @param overwrite Whether to overwrite existing file
 */
export function writeEnvFile(content: string, outputPath: string, overwrite: boolean): void {
  const dir = path.dirname(outputPath);

  // Create directory if it doesn't exist
  if (!fs.existsSync(dir)) {
    fs.mkdirSync(dir, { recursive: true });
  }

  // Check if file exists and overwrite flag
  if (fs.existsSync(outputPath) && !overwrite) {
    throw new Error(`File ${outputPath} already exists. Use --overwrite to replace it.`);
  }

  fs.writeFileSync(outputPath, content, 'utf-8');
}

/**
 * Loads secrets from a JSON file
 *
 * @param secretsPath Path to secrets JSON file
 * @returns Parsed secrets file
 */
export function loadSecretsFile(secretsPath: string): SecretsFile {
  if (!fs.existsSync(secretsPath)) {
    throw new Error(`Secrets file not found: ${secretsPath}`);
  }

  const content = fs.readFileSync(secretsPath, 'utf-8');
  try {
    return JSON.parse(content) as SecretsFile;
  } catch (error) {
    throw new Error(`Failed to parse secrets file ${secretsPath}: ${error}`);
  }
}

/**
 * Categorizes properties into logical groups
 */
function categorizeProperties(properties: ConfigProperty[]): Record<string, ConfigProperty[]> {
  const categories: Record<string, ConfigProperty[]> = {
    Service: [],
    Security: [],
    'Rate Limiting': [],
    Database: [],
    JWT: [],
    SMTP: [],
    Development: [],
    Debugging: [],
    Storage: [],
    Logging: [],
    Other: [],
  };

  for (const prop of properties) {
    const category = inferCategory(prop);
    if (categories[category]) {
      categories[category].push(prop);
    } else {
      categories['Other']?.push(prop);
    }
  }

  return categories;
}

/**
 * Infers category from property name
 */
function inferCategory(prop: ConfigProperty): string {
  const name = prop.propertyName.toLowerCase();

  if (name.includes('port') || name === 'serviceport') return 'Service';
  if (name.includes('cors') || name.includes('allowed')) return 'Security';
  if (name.includes('ratelimiter')) return 'Rate Limiting';
  if (name.includes('database') || (name.includes('data') && name.includes('uri')))
    return 'Database';
  if (name.includes('jwt')) return 'JWT';
  if (name.includes('smtp')) return 'SMTP';
  if (name.includes('dev') || name.includes('development')) return 'Development';
  if (name.includes('debug')) return 'Debugging';
  if (name.includes('storage') || name.includes('volume')) return 'Storage';
  if (name.includes('log')) return 'Logging';

  return 'Other';
}

/**
 * Maps a property name to its value from centralized config
 *
 * Uses dynamic lookup with special handling for:
 * - Renamed properties (servicePort → port)
 * - Nested objects (rateLimiter, smtp)
 * - Boolean to ON/OFF conversion
 * - Record/object to JSON string conversion
 */
function getValueFromCentralConfig(
  propName: string,
  config: ServiceConfigValues
): string | undefined {
  // Special case: servicePort maps to config.port
  if (propName === 'servicePort') {
    return config.port !== undefined ? String(config.port) : undefined;
  }

  // Rate limiter mappings (nested object)
  if (propName === 'rateLimiterPoints' && config.rateLimiter) {
    return String(config.rateLimiter.points);
  }
  if (propName === 'rateLimiterDuration' && config.rateLimiter) {
    return String(config.rateLimiter.duration);
  }

  // SMTP mappings (flatten nested smtp object)
  if (propName.startsWith('smtp') && config.smtp) {
    const smtpFieldMap: Record<string, keyof NonNullable<typeof config.smtp>> = {
      smtpUseSandbox: 'useSandbox',
      smtpSandboxAddress: 'sandboxAddress',
      smtpServiceName: 'serviceName',
      smtpAuthType: 'authType',
      smtpSenderAddress: 'senderAddress',
      smtpSenderName: 'senderName',
    };
    const smtpField = smtpFieldMap[propName];
    if (smtpField) {
      const value = config.smtp[smtpField];
      return formatValue(value);
    }
  }

  // Dynamic lookup: check if property exists directly on config
  const configRecord = config as Record<string, unknown>;
  if (propName in configRecord) {
    const value = configRecord[propName];
    return formatValue(value);
  }

  return undefined;
}

/**
 * Formats a value for .env file output
 * - undefined → undefined (not found)
 * - boolean → 'ON' | 'OFF'
 * - object/array → JSON string
 * - other → String()
 */
function formatValue(value: unknown): string | undefined {
  if (value === undefined) {
    return undefined;
  }

  if (typeof value === 'boolean') {
    return value ? 'ON' : 'OFF';
  }

  if (typeof value === 'object' && value !== null) {
    return JSON.stringify(value);
  }

  return String(value);
}

/**
 * Gets default value for a property based on type, environment, and centralized config
 * Returns ValueResult with the value and optional missing info if using a placeholder
 */
function getDefaultValue(
  prop: ConfigProperty,
  environment: RuntimeEnvironment,
  centralConfig: ServiceConfigValues | undefined
): ValueResult {
  // If we have a default value from parsing, use it
  if (prop.defaultValue !== undefined) {
    return { value: prop.defaultValue };
  }

  // Try to get value from centralized config first
  if (centralConfig) {
    const configValue = getValueFromCentralConfig(prop.propertyName, centralConfig);
    if (configValue !== undefined) {
      return { value: configValue };
    }
  }

  // Fallback: provide reasonable defaults based on type and name
  const name = prop.propertyName.toLowerCase();

  // Boolean defaults - these have sensible defaults, not considered "missing"
  if (prop.tsType === 'boolean') {
    if (name.includes('debug')) {
      return { value: environment === 'dev' ? 'ON' : 'OFF' };
    }
    if (name.includes('log')) {
      return { value: environment === 'prod' ? 'ON' : 'OFF' };
    }
    return { value: 'OFF' };
  }

  // Number defaults
  if (prop.tsType === 'number') {
    if (name.includes('points')) {
      return { value: '15' };
    }
    if (name.includes('duration')) {
      return { value: '1' };
    }
    // Port and other numbers need to be provided
    if (name.includes('port')) {
      return {
        value: '<PORT>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: 'no port value configured',
        },
      };
    }
    return {
      value: '<NUMBER>',
      missing: {
        envVarName: prop.envVarName,
        propertyName: prop.propertyName,
        type: 'regular',
        tsType: prop.tsType,
        reason: 'no numeric value configured',
      },
    };
  }

  // Array defaults - empty array is a reasonable default
  if (prop.tsType.includes('[]')) {
    return { value: '[]' };
  }

  // String defaults
  if (prop.tsType === 'string') {
    // Dev environment allows wildcard CORS
    if (name.includes('origin') && environment === 'dev') {
      return { value: '*' };
    }
    // Expires has a sensible default
    if (name.includes('expires')) {
      return { value: '15m' };
    }

    // These need to be provided
    if (name.includes('origin')) {
      return {
        value: '<CORS_ORIGIN>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: `no CORS origin configured for ${environment} environment`,
        },
      };
    }
    if (name.includes('path')) {
      return {
        value: '<PATH>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: 'no path value configured',
        },
      };
    }
    if (name.includes('uri')) {
      return {
        value: '<URI>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: 'no URI value configured',
        },
      };
    }
    return {
      value: '<VALUE>',
      missing: {
        envVarName: prop.envVarName,
        propertyName: prop.propertyName,
        type: 'regular',
        tsType: prop.tsType,
        reason: 'no value configured',
      },
    };
  }

  return {
    value: '<VALUE>',
    missing: {
      envVarName: prop.envVarName,
      propertyName: prop.propertyName,
      type: 'regular',
      tsType: prop.tsType,
      reason: 'no value configured',
    },
  };
}

/**
 * Gets secret value from secrets file or returns missing info
 *
 * Looks up the env var name directly in the flat secrets structure.
 * The same secret value is used across all packages that need it.
 */
function getSecretValue(prop: ConfigProperty, secrets?: SecretsFile): ValueResult {
  const secretValue = secrets?.[prop.envVarName];
  if (secretValue !== undefined) {
    return { value: secretValue };
  }

  // Return placeholder and mark as missing
  return {
    value: `<SECRET:${prop.envVarName}>`,
    missing: {
      envVarName: prop.envVarName,
      propertyName: prop.propertyName,
      type: 'secret',
      tsType: prop.tsType,
      reason: 'not found in secrets file',
    },
  };
}

/**
 * Generates the output path for a .env file
 *
 * @param packageName Package name
 * @param environment Runtime environment
 * @param outputDir Base output directory
 * @returns Full output path
 */
export function getEnvOutputPath(
  packageName: string,
  environment: RuntimeEnvironment,
  outputDir: string
): string {
  // Pattern: {outputDir}/{environment}.{packageName}.env
  // e.g., ./env-files/dev.cwc-sql.env
  const filename = `${environment}.${packageName}.env`;
  return path.join(outputDir, filename);
}

Version 5

/**
 * Environment file generator
 *
 * Generates .env files from parsed configuration types
 */

import fs from 'fs';
import path from 'path';
import type {
  ConfigProperty,
  GenerationResult,
  MissingValue,
  PackageConfig,
  RuntimeEnvironment,
  SecretsFile,
} from './types.js';
import { getConfig, isKnownService, type ServiceConfigValues } from './configuration.js';

/**
 * Options for generating .env content
 */
export type EnvGeneratorOptions = {
  /** Runtime environment */
  environment: RuntimeEnvironment;
  /** Secrets data loaded from secrets file */
  secrets?: SecretsFile | undefined;
};

/**
 * Result of getting a value, including whether it's missing
 */
type ValueResult = {
  value: string;
  missing?: MissingValue | undefined;
};

/**
 * Generates .env file content for a package
 *
 * @param config Parsed package configuration
 * @param options Generator options
 * @returns GenerationResult with content and any missing values
 */
export function generateEnvContent(
  config: PackageConfig,
  options: EnvGeneratorOptions
): GenerationResult {
  const lines: string[] = [];
  const missingValues: MissingValue[] = [];
  const { environment, secrets } = options;

  // Get centralized config if this is a known service
  const centralConfig = isKnownService(config.packageName)
    ? getConfig(environment, config.packageName)
    : undefined;

  // Runtime environment (always first)
  lines.push('# Runtime Environment');
  lines.push(`RUNTIME_ENVIRONMENT=${environment}`);
  lines.push('');

  // Group non-secret properties by category (based on naming patterns)
  const categorized = categorizeProperties(config.properties);

  for (const [category, props] of Object.entries(categorized)) {
    if (props.length === 0) continue;

    lines.push(`# ${category}`);
    for (const prop of props) {
      const result = getDefaultValue(prop, environment, centralConfig);
      lines.push(`${prop.envVarName}=${result.value}`);
      if (result.missing) {
        missingValues.push(result.missing);
      }
    }
    lines.push('');
  }

  // Secrets section
  if (config.secrets.length > 0) {
    lines.push('# Secrets');
    for (const prop of config.secrets) {
      const result = getSecretValue(prop, secrets);
      lines.push(`${prop.envVarName}=${result.value}`);
      if (result.missing) {
        missingValues.push(result.missing);
      }
    }
    lines.push('');
  }

  return {
    content: lines.join('\n'),
    missingValues,
  };
}

/**
 * Writes .env file to disk
 *
 * @param content .env file content
 * @param outputPath Output file path
 * @param overwrite Whether to overwrite existing file
 */
export function writeEnvFile(content: string, outputPath: string, overwrite: boolean): void {
  const dir = path.dirname(outputPath);

  // Create directory if it doesn't exist
  if (!fs.existsSync(dir)) {
    fs.mkdirSync(dir, { recursive: true });
  }

  // Check if file exists and overwrite flag
  if (fs.existsSync(outputPath) && !overwrite) {
    throw new Error(`File ${outputPath} already exists. Use --overwrite to replace it.`);
  }

  fs.writeFileSync(outputPath, content, 'utf-8');
}

/**
 * Loads secrets from a JSON file
 *
 * @param secretsPath Path to secrets JSON file
 * @returns Parsed secrets file
 */
export function loadSecretsFile(secretsPath: string): SecretsFile {
  if (!fs.existsSync(secretsPath)) {
    throw new Error(`Secrets file not found: ${secretsPath}`);
  }

  const content = fs.readFileSync(secretsPath, 'utf-8');
  try {
    return JSON.parse(content) as SecretsFile;
  } catch (error) {
    throw new Error(`Failed to parse secrets file ${secretsPath}: ${error}`);
  }
}

/**
 * Categorizes properties into logical groups
 */
function categorizeProperties(properties: ConfigProperty[]): Record<string, ConfigProperty[]> {
  const categories: Record<string, ConfigProperty[]> = {
    Service: [],
    Security: [],
    'Rate Limiting': [],
    Database: [],
    JWT: [],
    SMTP: [],
    Development: [],
    Debugging: [],
    Storage: [],
    Logging: [],
    Other: [],
  };

  for (const prop of properties) {
    const category = inferCategory(prop);
    if (categories[category]) {
      categories[category].push(prop);
    } else {
      categories['Other']?.push(prop);
    }
  }

  return categories;
}

/**
 * Infers category from property name
 */
function inferCategory(prop: ConfigProperty): string {
  const name = prop.propertyName.toLowerCase();

  if (name.includes('port') || name === 'serviceport') return 'Service';
  if (name.includes('cors') || name.includes('allowed')) return 'Security';
  if (name.includes('ratelimiter')) return 'Rate Limiting';
  if (name.includes('database') || (name.includes('data') && name.includes('uri')))
    return 'Database';
  if (name.includes('jwt')) return 'JWT';
  if (name.includes('smtp')) return 'SMTP';
  if (name.includes('dev') || name.includes('development')) return 'Development';
  if (name.includes('debug')) return 'Debugging';
  if (name.includes('storage') || name.includes('volume')) return 'Storage';
  if (name.includes('log')) return 'Logging';

  return 'Other';
}

/**
 * Maps a property name to its value from centralized config
 *
 * Uses dynamic lookup with special handling for:
 * - Renamed properties (servicePort → port)
 * - Nested objects (rateLimiter, smtp)
 * - Boolean to ON/OFF conversion
 * - Record/object to JSON string conversion
 */
function getValueFromCentralConfig(
  propName: string,
  config: ServiceConfigValues
): string | undefined {
  // Special case: servicePort maps to config.port
  if (propName === 'servicePort') {
    return config.port !== undefined ? String(config.port) : undefined;
  }

  // Rate limiter mappings (nested object)
  if (propName === 'rateLimiterPoints' && config.rateLimiter) {
    return String(config.rateLimiter.points);
  }
  if (propName === 'rateLimiterDuration' && config.rateLimiter) {
    return String(config.rateLimiter.duration);
  }

  // SMTP mappings (flatten nested smtp object)
  if (propName.startsWith('smtp') && config.smtp) {
    const smtpFieldMap: Record<string, keyof NonNullable<typeof config.smtp>> = {
      smtpUseSandbox: 'useSandbox',
      smtpSandboxAddress: 'sandboxAddress',
      smtpServiceName: 'serviceName',
      smtpAuthType: 'authType',
      smtpSenderAddress: 'senderAddress',
      smtpSenderName: 'senderName',
    };
    const smtpField = smtpFieldMap[propName];
    if (smtpField) {
      const value = config.smtp[smtpField];
      return formatValue(value);
    }
  }

  // Dynamic lookup: check if property exists directly on config
  const configRecord = config as Record<string, unknown>;
  if (propName in configRecord) {
    const value = configRecord[propName];
    // Property exists but is explicitly undefined - return empty string (intentionally not set)
    if (value === undefined) {
      return '';
    }
    return formatValue(value);
  }

  return undefined;
}

/**
 * Formats a value for .env file output
 * - undefined → undefined (not found)
 * - boolean → 'ON' | 'OFF'
 * - object/array → JSON string
 * - other → String()
 */
function formatValue(value: unknown): string | undefined {
  if (value === undefined) {
    return undefined;
  }

  if (typeof value === 'boolean') {
    return value ? 'ON' : 'OFF';
  }

  if (typeof value === 'object' && value !== null) {
    return JSON.stringify(value);
  }

  return String(value);
}

/**
 * Gets default value for a property based on type, environment, and centralized config
 * Returns ValueResult with the value and optional missing info if using a placeholder
 */
function getDefaultValue(
  prop: ConfigProperty,
  environment: RuntimeEnvironment,
  centralConfig: ServiceConfigValues | undefined
): ValueResult {
  // If we have a default value from parsing, use it
  if (prop.defaultValue !== undefined) {
    return { value: prop.defaultValue };
  }

  // Try to get value from centralized config first
  if (centralConfig) {
    const configValue = getValueFromCentralConfig(prop.propertyName, centralConfig);
    if (configValue !== undefined) {
      return { value: configValue };
    }
  }

  // Fallback: provide reasonable defaults based on type and name
  const name = prop.propertyName.toLowerCase();

  // Boolean defaults - these have sensible defaults, not considered "missing"
  if (prop.tsType === 'boolean') {
    if (name.includes('debug')) {
      return { value: environment === 'dev' ? 'ON' : 'OFF' };
    }
    if (name.includes('log')) {
      return { value: environment === 'prod' ? 'ON' : 'OFF' };
    }
    return { value: 'OFF' };
  }

  // Number defaults
  if (prop.tsType === 'number') {
    if (name.includes('points')) {
      return { value: '15' };
    }
    if (name.includes('duration')) {
      return { value: '1' };
    }
    // Port and other numbers need to be provided
    if (name.includes('port')) {
      return {
        value: '<PORT>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: 'no port value configured',
        },
      };
    }
    return {
      value: '<NUMBER>',
      missing: {
        envVarName: prop.envVarName,
        propertyName: prop.propertyName,
        type: 'regular',
        tsType: prop.tsType,
        reason: 'no numeric value configured',
      },
    };
  }

  // Array defaults - empty array is a reasonable default
  if (prop.tsType.includes('[]')) {
    return { value: '[]' };
  }

  // String defaults
  if (prop.tsType === 'string') {
    // Dev environment allows wildcard CORS
    if (name.includes('origin') && environment === 'dev') {
      return { value: '*' };
    }
    // Expires has a sensible default
    if (name.includes('expires')) {
      return { value: '15m' };
    }

    // These need to be provided
    if (name.includes('origin')) {
      return {
        value: '<CORS_ORIGIN>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: `no CORS origin configured for ${environment} environment`,
        },
      };
    }
    if (name.includes('path')) {
      return {
        value: '<PATH>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: 'no path value configured',
        },
      };
    }
    if (name.includes('uri')) {
      return {
        value: '<URI>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: 'no URI value configured',
        },
      };
    }
    return {
      value: '<VALUE>',
      missing: {
        envVarName: prop.envVarName,
        propertyName: prop.propertyName,
        type: 'regular',
        tsType: prop.tsType,
        reason: 'no value configured',
      },
    };
  }

  return {
    value: '<VALUE>',
    missing: {
      envVarName: prop.envVarName,
      propertyName: prop.propertyName,
      type: 'regular',
      tsType: prop.tsType,
      reason: 'no value configured',
    },
  };
}

/**
 * Gets secret value from secrets file or returns missing info
 *
 * Looks up the env var name directly in the flat secrets structure.
 * The same secret value is used across all packages that need it.
 */
function getSecretValue(prop: ConfigProperty, secrets?: SecretsFile): ValueResult {
  const secretValue = secrets?.[prop.envVarName];
  if (secretValue !== undefined) {
    return { value: secretValue };
  }

  // Return placeholder and mark as missing
  return {
    value: `<SECRET:${prop.envVarName}>`,
    missing: {
      envVarName: prop.envVarName,
      propertyName: prop.propertyName,
      type: 'secret',
      tsType: prop.tsType,
      reason: 'not found in secrets file',
    },
  };
}

/**
 * Generates the output path for a .env file
 *
 * @param packageName Package name
 * @param environment Runtime environment
 * @param outputDir Base output directory
 * @returns Full output path
 */
export function getEnvOutputPath(
  packageName: string,
  environment: RuntimeEnvironment,
  outputDir: string
): string {
  // Pattern: {outputDir}/{environment}.{packageName}.env
  // e.g., ./env-files/dev.cwc-sql.env
  const filename = `${environment}.${packageName}.env`;
  return path.join(outputDir, filename);
}

Version 6 (latest)

/**
 * Environment file generator
 *
 * Generates .env files from parsed configuration types
 */

import fs from 'fs';
import path from 'path';
import type {
  ConfigProperty,
  GenerationResult,
  MissingValue,
  PackageConfig,
  RuntimeEnvironment,
  SecretsFile,
} from './types.js';
import { getConfig, isKnownService, type ServiceConfigValues } from './configuration.js';

/**
 * Options for generating .env content
 */
export type EnvGeneratorOptions = {
  /** Runtime environment */
  environment: RuntimeEnvironment;
  /** Secrets data loaded from secrets file */
  secrets?: SecretsFile | undefined;
};

/**
 * Result of getting a value, including whether it's missing
 */
type ValueResult = {
  value: string;
  missing?: MissingValue | undefined;
};

/**
 * Generates .env file content for a package
 *
 * @param config Parsed package configuration
 * @param options Generator options
 * @returns GenerationResult with content and any missing values
 */
export function generateEnvContent(
  config: PackageConfig,
  options: EnvGeneratorOptions
): GenerationResult {
  const lines: string[] = [];
  const missingValues: MissingValue[] = [];
  const { environment, secrets } = options;

  // Get centralized config if this is a known service
  const centralConfig = isKnownService(config.packageName)
    ? getConfig(environment, config.packageName)
    : undefined;

  // Runtime environment (always first)
  lines.push('# Runtime Environment');
  lines.push(`RUNTIME_ENVIRONMENT=${environment}`);
  lines.push('');

  // Group non-secret properties by category (based on naming patterns)
  const categorized = categorizeProperties(config.properties);

  for (const [category, props] of Object.entries(categorized)) {
    if (props.length === 0) continue;

    lines.push(`# ${category}`);
    for (const prop of props) {
      const result = getDefaultValue(prop, environment, centralConfig);
      lines.push(`${prop.envVarName}=${result.value}`);
      if (result.missing) {
        missingValues.push(result.missing);
      }
    }
    lines.push('');
  }

  // Secrets section
  if (config.secrets.length > 0) {
    lines.push('# Secrets');
    for (const prop of config.secrets) {
      const result = getSecretValue(prop, secrets);
      lines.push(`${prop.envVarName}=${result.value}`);
      if (result.missing) {
        missingValues.push(result.missing);
      }
    }
    lines.push('');
  }

  return {
    content: lines.join('\n'),
    missingValues,
  };
}

/**
 * Writes .env file to disk
 *
 * @param content .env file content
 * @param outputPath Output file path
 * @param overwrite Whether to overwrite existing file
 */
export function writeEnvFile(content: string, outputPath: string, overwrite: boolean): void {
  const dir = path.dirname(outputPath);

  // Create directory if it doesn't exist
  if (!fs.existsSync(dir)) {
    fs.mkdirSync(dir, { recursive: true });
  }

  // Check if file exists and overwrite flag
  if (fs.existsSync(outputPath) && !overwrite) {
    throw new Error(`File ${outputPath} already exists. Use --overwrite to replace it.`);
  }

  fs.writeFileSync(outputPath, content, 'utf-8');
}

/**
 * Loads secrets from a JSON file
 *
 * @param secretsPath Path to secrets JSON file
 * @returns Parsed secrets file
 */
export function loadSecretsFile(secretsPath: string): SecretsFile {
  if (!fs.existsSync(secretsPath)) {
    throw new Error(`Secrets file not found: ${secretsPath}`);
  }

  const content = fs.readFileSync(secretsPath, 'utf-8');
  try {
    return JSON.parse(content) as SecretsFile;
  } catch (error) {
    throw new Error(`Failed to parse secrets file ${secretsPath}: ${error}`);
  }
}

/**
 * Categorizes properties into logical groups
 */
function categorizeProperties(properties: ConfigProperty[]): Record<string, ConfigProperty[]> {
  const categories: Record<string, ConfigProperty[]> = {
    Service: [],
    Security: [],
    'Rate Limiting': [],
    Database: [],
    JWT: [],
    SMTP: [],
    Development: [],
    Debugging: [],
    Storage: [],
    Logging: [],
    Other: [],
  };

  for (const prop of properties) {
    const category = inferCategory(prop);
    if (categories[category]) {
      categories[category].push(prop);
    } else {
      categories['Other']?.push(prop);
    }
  }

  return categories;
}

/**
 * Infers category from property name
 */
function inferCategory(prop: ConfigProperty): string {
  const name = prop.propertyName.toLowerCase();

  if (name.includes('port') || name === 'serviceport') return 'Service';
  if (name.includes('cors') || name.includes('allowed')) return 'Security';
  if (name.includes('ratelimiter')) return 'Rate Limiting';
  if (name.includes('database') || (name.includes('data') && name.includes('uri')))
    return 'Database';
  if (name.includes('jwt')) return 'JWT';
  if (name.includes('smtp')) return 'SMTP';
  if (name.includes('dev') || name.includes('development')) return 'Development';
  if (name.includes('debug')) return 'Debugging';
  if (name.includes('storage') || name.includes('volume')) return 'Storage';
  if (name.includes('log')) return 'Logging';

  return 'Other';
}

/**
 * Maps a property name to its value from centralized config
 *
 * Uses dynamic lookup with special handling for:
 * - Renamed properties (servicePort → port)
 * - Nested objects (rateLimiter, smtp)
 * - Boolean to ON/OFF conversion
 * - Record/object to JSON string conversion
 */
function getValueFromCentralConfig(
  propName: string,
  config: ServiceConfigValues
): string | undefined {
  // Special case: servicePort maps to config.port
  if (propName === 'servicePort') {
    return config.port !== undefined ? String(config.port) : undefined;
  }

  // Rate limiter mappings (nested object)
  if (propName === 'rateLimiterPoints' && config.rateLimiter) {
    return String(config.rateLimiter.points);
  }
  if (propName === 'rateLimiterDuration' && config.rateLimiter) {
    return String(config.rateLimiter.duration);
  }

  // SMTP mappings (flatten nested smtp object)
  if (propName.startsWith('smtp') && config.smtp) {
    const smtpFieldMap: Record<string, keyof NonNullable<typeof config.smtp>> = {
      smtpUseSandbox: 'useSandbox',
      smtpSandboxAddress: 'sandboxAddress',
      smtpServiceName: 'serviceName',
      smtpAuthType: 'authType',
      smtpSenderAddress: 'senderAddress',
      smtpSenderName: 'senderName',
    };
    const smtpField = smtpFieldMap[propName];
    if (smtpField) {
      const value = config.smtp[smtpField];
      return formatValue(value);
    }
  }

  // Dynamic lookup: check if property exists directly on config
  const configRecord = config as Record<string, unknown>;
  if (propName in configRecord) {
    const value = configRecord[propName];
    // Property exists but is explicitly undefined - return empty string (intentionally not set)
    if (value === undefined) {
      return '';
    }
    return formatValue(value);
  }

  return undefined;
}

/**
 * Formats a value for .env file output
 * - undefined → undefined (not found)
 * - boolean → 'ON' | 'OFF'
 * - object/array → JSON string
 * - other → String()
 */
function formatValue(value: unknown): string | undefined {
  if (value === undefined) {
    return undefined;
  }

  if (typeof value === 'boolean') {
    return value ? 'ON' : 'OFF';
  }

  if (typeof value === 'object' && value !== null) {
    return JSON.stringify(value);
  }

  return String(value);
}

/**
 * Formats a string value for .env file output
 * - If value contains newlines, escapes them as \n and quotes the value
 * - Otherwise returns the value as-is
 */
function formatEnvValue(value: string): string {
  if (value.includes('\n')) {
    // Escape newlines and quote the value
    const escaped = value.replace(/\n/g, '\\n');
    return `"${escaped}"`;
  }
  return value;
}

/**
 * Gets default value for a property based on type, environment, and centralized config
 * Returns ValueResult with the value and optional missing info if using a placeholder
 */
function getDefaultValue(
  prop: ConfigProperty,
  environment: RuntimeEnvironment,
  centralConfig: ServiceConfigValues | undefined
): ValueResult {
  // If we have a default value from parsing, use it
  if (prop.defaultValue !== undefined) {
    return { value: prop.defaultValue };
  }

  // Try to get value from centralized config first
  if (centralConfig) {
    const configValue = getValueFromCentralConfig(prop.propertyName, centralConfig);
    if (configValue !== undefined) {
      return { value: configValue };
    }
  }

  // Fallback: provide reasonable defaults based on type and name
  const name = prop.propertyName.toLowerCase();

  // Boolean defaults - these have sensible defaults, not considered "missing"
  if (prop.tsType === 'boolean') {
    if (name.includes('debug')) {
      return { value: environment === 'dev' ? 'ON' : 'OFF' };
    }
    if (name.includes('log')) {
      return { value: environment === 'prod' ? 'ON' : 'OFF' };
    }
    return { value: 'OFF' };
  }

  // Number defaults
  if (prop.tsType === 'number') {
    if (name.includes('points')) {
      return { value: '15' };
    }
    if (name.includes('duration')) {
      return { value: '1' };
    }
    // Port and other numbers need to be provided
    if (name.includes('port')) {
      return {
        value: '<PORT>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: 'no port value configured',
        },
      };
    }
    return {
      value: '<NUMBER>',
      missing: {
        envVarName: prop.envVarName,
        propertyName: prop.propertyName,
        type: 'regular',
        tsType: prop.tsType,
        reason: 'no numeric value configured',
      },
    };
  }

  // Array defaults - empty array is a reasonable default
  if (prop.tsType.includes('[]')) {
    return { value: '[]' };
  }

  // String defaults
  if (prop.tsType === 'string') {
    // Dev environment allows wildcard CORS
    if (name.includes('origin') && environment === 'dev') {
      return { value: '*' };
    }
    // Expires has a sensible default
    if (name.includes('expires')) {
      return { value: '15m' };
    }

    // These need to be provided
    if (name.includes('origin')) {
      return {
        value: '<CORS_ORIGIN>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: `no CORS origin configured for ${environment} environment`,
        },
      };
    }
    if (name.includes('path')) {
      return {
        value: '<PATH>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: 'no path value configured',
        },
      };
    }
    if (name.includes('uri')) {
      return {
        value: '<URI>',
        missing: {
          envVarName: prop.envVarName,
          propertyName: prop.propertyName,
          type: 'regular',
          tsType: prop.tsType,
          reason: 'no URI value configured',
        },
      };
    }
    return {
      value: '<VALUE>',
      missing: {
        envVarName: prop.envVarName,
        propertyName: prop.propertyName,
        type: 'regular',
        tsType: prop.tsType,
        reason: 'no value configured',
      },
    };
  }

  return {
    value: '<VALUE>',
    missing: {
      envVarName: prop.envVarName,
      propertyName: prop.propertyName,
      type: 'regular',
      tsType: prop.tsType,
      reason: 'no value configured',
    },
  };
}

/**
 * Gets secret value from secrets file or returns missing info
 *
 * Looks up the env var name directly in the flat secrets structure.
 * The same secret value is used across all packages that need it.
 */
function getSecretValue(prop: ConfigProperty, secrets?: SecretsFile): ValueResult {
  const secretValue = secrets?.[prop.envVarName];
  if (secretValue !== undefined) {
    return { value: formatEnvValue(secretValue) };
  }

  // Return placeholder and mark as missing
  return {
    value: `<SECRET:${prop.envVarName}>`,
    missing: {
      envVarName: prop.envVarName,
      propertyName: prop.propertyName,
      type: 'secret',
      tsType: prop.tsType,
      reason: 'not found in secrets file',
    },
  };
}

/**
 * Generates the output path for a .env file
 *
 * @param packageName Package name
 * @param environment Runtime environment
 * @param outputDir Base output directory
 * @returns Full output path
 */
export function getEnvOutputPath(
  packageName: string,
  environment: RuntimeEnvironment,
  outputDir: string
): string {
  // Pattern: {outputDir}/{environment}.{packageName}.env
  // e.g., ./env-files/dev.cwc-sql.env
  const filename = `${environment}.${packageName}.env`;
  return path.join(outputDir, filename);
}

packages/cwc-configuration-helper/src/nameConverter.ts

/**
 * Name conversion utilities for transforming between camelCase and SCREAMING_SNAKE_CASE
 */

/**
 * Converts camelCase to SCREAMING_SNAKE_CASE
 *
 * Examples:
 * - servicePort -> SERVICE_PORT
 * - corsOrigin -> CORS_ORIGIN
 * - rateLimiterPoints -> RATE_LIMITER_POINTS
 * - userJwtSecret -> USER_JWT_SECRET
 * - isProduction -> IS_PRODUCTION
 * - dataUri -> DATA_URI
 * - debugMode -> DEBUG_MODE
 *
 * @param camelCase The camelCase property name
 * @returns The SCREAMING_SNAKE_CASE environment variable name
 */
export function camelToScreamingSnake(camelCase: string): string {
  // Handle empty string
  if (!camelCase) {
    return '';
  }

  // Insert underscore before each uppercase letter (except at start)
  // Then convert entire string to uppercase
  return camelCase
    .replace(/([A-Z])/g, '_$1')
    .toUpperCase()
    // Remove leading underscore if property started with uppercase
    .replace(/^_/, '');
}

/**
 * Converts SCREAMING_SNAKE_CASE to camelCase
 *
 * Examples:
 * - SERVICE_PORT -> servicePort
 * - CORS_ORIGIN -> corsOrigin
 * - RATE_LIMITER_POINTS -> rateLimiterPoints
 * - USER_JWT_SECRET -> userJwtSecret
 * - IS_PRODUCTION -> isProduction
 *
 * @param screamingSnake The SCREAMING_SNAKE_CASE environment variable name
 * @returns The camelCase property name
 */
export function screamingSnakeToCamel(screamingSnake: string): string {
  // Handle empty string
  if (!screamingSnake) {
    return '';
  }

  return screamingSnake
    .toLowerCase()
    .replace(/_([a-z])/g, (_, letter: string) => letter.toUpperCase());
}

/**
 * Validates that a string is valid SCREAMING_SNAKE_CASE
 *
 * @param str The string to validate
 * @returns true if valid SCREAMING_SNAKE_CASE
 */
export function isValidScreamingSnake(str: string): boolean {
  if (!str) {
    return false;
  }
  // Must be uppercase letters, digits, and underscores only
  // Cannot start with digit or underscore
  // Cannot have consecutive underscores
  return /^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$/.test(str);
}

/**
 * Validates that a string is valid camelCase
 *
 * @param str The string to validate
 * @returns true if valid camelCase
 */
export function isValidCamelCase(str: string): boolean {
  if (!str) {
    return false;
  }
  // Must start with lowercase letter
  // Can contain letters and digits
  return /^[a-z][a-zA-Z0-9]*$/.test(str);
}

packages/cwc-configuration-helper/src/packageDiscovery.ts

/**
 * Package discovery for finding backend packages with config.types.ts files
 */

import { glob } from 'glob';
import path from 'path';
import fs from 'fs';

/**
 * Discovered package information
 */
export type DiscoveredPackage = {
  /** Package name (e.g., 'cwc-sql') */
  name: string;
  /** Absolute path to package directory */
  packagePath: string;
  /** Absolute path to config.types.ts */
  configTypesPath: string;
  /** Absolute path to loadConfig.ts (may not exist) */
  loadConfigPath: string;
};

/**
 * Discovers all packages with config.types.ts files in the monorepo
 *
 * @param monorepoRoot Absolute path to monorepo root
 * @returns Array of discovered packages
 */
export async function discoverPackages(monorepoRoot: string): Promise<DiscoveredPackage[]> {
  // Find all config.types.ts files in packages
  const pattern = 'packages/cwc-*/src/config/config.types.ts';
  const matches = await glob(pattern, {
    cwd: monorepoRoot,
    absolute: true,
  });

  const packages: DiscoveredPackage[] = [];

  for (const configTypesPath of matches) {
    // Extract package name from path
    // Path: /monorepo/packages/cwc-sql/src/config/config.types.ts
    const relativePath = path.relative(monorepoRoot, configTypesPath);
    const parts = relativePath.split(path.sep);
    const packageName = parts[1]; // 'cwc-sql'

    if (!packageName) {
      continue;
    }

    const packagePath = path.join(monorepoRoot, 'packages', packageName);
    const loadConfigPath = path.join(packagePath, 'src/config/loadConfig.ts');

    packages.push({
      name: packageName,
      packagePath,
      configTypesPath,
      loadConfigPath,
    });
  }

  // Sort by package name for consistent output
  packages.sort((a, b) => a.name.localeCompare(b.name));

  return packages;
}

/**
 * Finds a specific package by name
 *
 * @param monorepoRoot Absolute path to monorepo root
 * @param packageName Package name to find
 * @returns Discovered package or undefined if not found
 */
export async function findPackage(
  monorepoRoot: string,
  packageName: string
): Promise<DiscoveredPackage | undefined> {
  const packages = await discoverPackages(monorepoRoot);
  return packages.find((p) => p.name === packageName);
}

/**
 * Gets the monorepo root from current working directory
 * Looks for pnpm-workspace.yaml or package.json with workspaces
 *
 * @param startDir Starting directory to search from
 * @returns Absolute path to monorepo root
 * @throws Error if monorepo root cannot be found
 */
export function findMonorepoRoot(startDir: string = process.cwd()): string {
  let currentDir = path.resolve(startDir);
  const root = path.parse(currentDir).root;

  while (currentDir !== root) {
    // Check for pnpm-workspace.yaml (pnpm monorepo)
    const pnpmWorkspace = path.join(currentDir, 'pnpm-workspace.yaml');
    if (fs.existsSync(pnpmWorkspace)) {
      return currentDir;
    }

    // Move up one directory
    currentDir = path.dirname(currentDir);
  }

  throw new Error(
    'Could not find monorepo root. Make sure you are running from within the monorepo.'
  );
}

packages/cwc-configuration-helper/src/types.ts

/**
 * Configuration types for cwc-configuration-helper
 */

/**
 * Represents a single configuration property extracted from a config type
 */
export type ConfigProperty = {
  /** The camelCase property name from TypeScript type */
  propertyName: string;
  /** The SCREAMING_SNAKE_CASE environment variable name */
  envVarName: string;
  /** TypeScript type as string (e.g., 'string', 'number', 'boolean') */
  tsType: string;
  /** Whether this property is optional in the TypeScript type */
  isOptional: boolean;
  /** Whether this is a secret (nested under secrets property) */
  isSecret: boolean;
  /** Default value if provided in loadConfig.ts */
  defaultValue?: string | undefined;
  /** JSDoc comment if available */
  comment?: string | undefined;
};

/**
 * Represents parsed configuration for a single package
 */
export type PackageConfig = {
  /** Package name (e.g., 'cwc-sql', 'cwc-auth') */
  packageName: string;
  /** Path to the config.types.ts file */
  configTypesPath: string;
  /** Main config type name (e.g., 'CwcSqlConfig') */
  configTypeName: string;
  /** Secrets type name if exists (e.g., 'CwcSqlConfigSecrets') */
  secretsTypeName?: string | undefined;
  /** All configuration properties (non-secret) */
  properties: ConfigProperty[];
  /** Secret configuration properties */
  secrets: ConfigProperty[];
};

/**
 * Secrets file structure - flat key-value pairs
 *
 * The tool automatically matches env var names from each package's
 * ConfigSecrets type against this flat list. No need to organize
 * by package - just list all secrets once.
 */
export type SecretsFile = {
  [envVarName: string]: string;
};

/**
 * Runtime environment type matching cwc-types
 */
export type RuntimeEnvironment = 'dev' | 'test' | 'prod' | 'unit' | 'e2e';

/**
 * Options for the generate command
 */
export type GenerateOptions = {
  /** Runtime environment to generate for */
  environment: RuntimeEnvironment;
  /** Path to secrets JSON file */
  secretsFile?: string;
  /** Specific package to generate for (default: all) */
  package?: string;
  /** Output directory for .env files */
  outputDir: string;
  /** Whether to overwrite existing files */
  overwrite: boolean;
};

/**
 * Options for the validate command
 */
export type ValidateOptions = {
  /** Runtime environment to validate */
  environment: RuntimeEnvironment;
  /** Specific package to validate (default: all) */
  package?: string;
  /** Path to existing .env file or directory */
  envPath: string;
};

/**
 * Options for the diff command
 */
export type DiffOptions = {
  /** Runtime environment to diff */
  environment: RuntimeEnvironment;
  /** Specific package to diff (default: all) */
  package?: string;
  /** Path to existing .env file or directory */
  envPath: string;
};

/**
 * Result of validation
 */
export type ValidationResult = {
  /** Whether validation passed */
  valid: boolean;
  /** Package name */
  packageName: string;
  /** Missing required variables */
  missing: string[];
  /** Extra variables not in config type */
  extra: string[];
  /** Type mismatches */
  typeMismatches: Array<{
    envVar: string;
    expected: string;
    actual: string;
  }>;
};

/**
 * Result of diff operation
 */
export type DiffResult = {
  /** Package name */
  packageName: string;
  /** Variables that need to be added */
  added: ConfigProperty[];
  /** Variables that should be removed */
  removed: string[];
  /** Variables with changed types */
  changed: Array<{
    envVar: string;
    oldType: string;
    newType: string;
  }>;
};

/**
 * Represents a missing configuration value detected during generation
 */
export type MissingValue = {
  /** The SCREAMING_SNAKE_CASE environment variable name */
  envVarName: string;
  /** The camelCase property name from TypeScript type */
  propertyName: string;
  /** Whether this is a secret or regular config value */
  type: 'secret' | 'regular';
  /** TypeScript type (e.g., 'string', 'number') */
  tsType: string;
  /** Reason why value is missing */
  reason: string;
};

/**
 * Result of .env content generation including any missing values
 */
export type GenerationResult = {
  /** Generated .env file content */
  content: string;
  /** List of missing values detected during generation */
  missingValues: MissingValue[];
};

packages/cwc-deployment/README.md

cwc-deployment

Custom TypeScript/Node.js deployment CLI for SSH-based deployment of CWC services to remote servers.

Overview

cwc-deployment is a custom deployment tool that:

Runs from your local development machine
Connects to remote servers via SSH (passwordless key authentication)
Builds deployment archives with all necessary files
Transfers archives to server and executes deployment via Docker
Supports deploy, redeploy, undeploy, and list commands
Provides comprehensive validation before deployment

Deployed as Docker containers:

Database: MariaDB 11.8
Microservices: Node.js containers (future)
Web apps: nginx + static files (future)

Prerequisites

Node.js 22 LTS
pnpm 9.x
SSH access to target deployment server
Docker installed and running on target server
SSH key for passwordless authentication

Installation

From the monorepo root:

# Install dependencies
pnpm install

# Build the deployment tool
pnpm --filter cwc-deployment build

Configuration

1. Create Secrets Directory Structure

Create a secrets directory outside the monorepo (e.g., ~/cwc-secrets):

mkdir -p ~/cwc-secrets/configuration-helper
mkdir -p ~/cwc-secrets/deployment/ssh-keys

2. Create Environment Secrets Files

Database secrets are stored in configuration-helper secrets files, one per deployment environment.

Create ~/cwc-secrets/configuration-helper/{deploymentName}-secrets.json for each environment (e.g., dev-secrets.json, test-secrets.json, prod-secrets.json):

{
  "DATABASE_ROOT_PASSWORD": "your-root-password",
  "DATABASE_USER": "your-mariadb-username",
  "DATABASE_PASSWORD": "your-mariadb-password",
  "SQL_CLIENT_API_KEY": "-----BEGIN PUBLIC KEY-----\n...",
  "USER_JWT_SECRET": "your-jwt-secret",
  "TEMP_JWT_SECRET": "your-temp-jwt-secret"
}

Note: This consolidated secrets file is used by both cwc-deployment (for database deployment) and cwc-configuration-helper (for generating .env files).

3. Create Servers Configuration

Create ~/cwc-secrets/deployment/servers.json:

{
  "dev": {
    "host": "dev.example.com",
    "username": "deploy-user",
    "sshKeyPath": "~/cwc-secrets/deployment/ssh-keys/dev-server-key",
    "basePath": "/home/deploy-user"
  },
  "test": {
    "host": "test.example.com",
    "username": "deploy-user",
    "sshKeyPath": "~/cwc-secrets/deployment/ssh-keys/test-server-key",
    "basePath": "/home/deploy-user"
  },
  "prod": {
    "host": "prod.example.com",
    "username": "deploy-user",
    "sshKeyPath": "~/cwc-secrets/deployment/ssh-keys/prod-server-key",
    "basePath": "/home/deploy-user"
  }
}

4. Add SSH Keys

Copy your SSH private keys to ~/cwc-secrets/deployment/ssh-keys/:

cp ~/.ssh/dev-server-key ~/cwc-secrets/deployment/ssh-keys/
chmod 600 ~/cwc-secrets/deployment/ssh-keys/*

5. Create Builds Directory

mkdir -p ~/cwc-builds

Usage

Deploy Database (Shell Script)

Deploy a fresh database instance using the shell script wrapper:

./deployment-scripts/deploy-db.sh \
  --server test \
  --deployment-name test \
  --secrets-path ~/cwc-secrets \
  --builds-path ~/cwc-builds \
  --create-schema

Options:

--create-schema - Include SQL initialization scripts (use for first deployment)
--port <number> - External port mapping (default: auto-calculated from deployment name)

What happens:

Validation: SSH connectivity, Docker availability, configuration
Cleanup: Removes existing containers/images matching pattern
Build: Creates deployment archive with Dockerfile and init scripts
Transfer: SCPs archive to server
Deploy: Creates Docker network, builds image, runs container
Verify: Tests database connectivity and schema creation

Build structure:

~/cwc-builds/
└── test/
    └── cwc-database/
        └── 2025-11-18-195147/
            ├── deploy/
            │   ├── Dockerfile
            │   ├── mariadb.cnf
            │   └── init-scripts/
            │       ├── 00-create-schema.sql
            │       ├── 01-create-tables.sql
            │       ├── 02-create-indexes.sql
            │       └── 03-create-views.sql
            └── cwc-database-test-2025-11-18-195147.tar.gz

Server structure:

/home/user/
├── deployment/
│   └── test/
│       └── cwc-database/
│           └── 2025-11-18-195147/
│               ├── Dockerfile
│               ├── mariadb.cnf
│               └── init-scripts/
└── test-cwc-database/
    └── data/  # Persistent database files

Redeploy Database (Shell Script)

Redeploy with a new timestamp (keeps data, removes old container/image):

./deployment-scripts/redeploy-db.sh \
  --server test \
  --deployment-name test \
  --secrets-path ~/cwc-secrets \
  --builds-path ~/cwc-builds

What happens:

Note: Redeploy is just an alias to deploy (automatic cleanup makes them equivalent)
Performs same steps as deploy command
Keeps data directory (preserves database)
New container mounts existing data (no re-initialization unless --create-schema provided)

Undeploy Database (Shell Script)

Remove a specific deployment:

./deployment-scripts/undeploy-db.sh \
  --server test \
  --deployment-name test \
  --timestamp 2025-11-18-195147 \
  --secrets-path ~/cwc-secrets

Options:

--keep-data - Preserve data directory
--keep-files - Preserve deployment files on server

What happens:

Stops container
Removes container
Removes image
Removes network (if not in use by other containers)
Removes data directory (unless --keep-data)
Removes deployment files (unless --keep-files)

List Deployments (Shell Script)

List all CWC deployments on a server:

./deployment-scripts/list-deployments.sh \
  --server test \
  --secrets-path ~/cwc-secrets

Filter by deployment name:

./deployment-scripts/list-deployments.sh \
  --server test \
  --secrets-path ~/cwc-secrets \
  --deployment-name test

Filter by service:

./deployment-scripts/list-deployments.sh \
  --server test \
  --secrets-path ~/cwc-secrets \
  --service database

Advanced Usage

Multiple Isolated Deployments

Deploy different versions side-by-side:

# Main test deployment
./deployment-scripts/deploy-db.sh \
  --server test \
  --deployment-name test \
  --secrets-path ~/cwc-secrets \
  --builds-path ~/cwc-builds

# Feature branch deployment
./deployment-scripts/deploy-db.sh \
  --server test \
  --deployment-name test-feature-auth \
  --secrets-path ~/cwc-secrets \
  --builds-path ~/cwc-builds

# Old release for comparison
./deployment-scripts/deploy-db.sh \
  --server test \
  --deployment-name test-release-1-5-6 \
  --secrets-path ~/cwc-secrets \
  --builds-path ~/cwc-builds

Each deployment gets:

Unique Docker network: cwc-test, cwc-test-feature-auth, cwc-test-release-1-5-6
Unique data directory: /home/user/test-cwc-database/, /home/user/test-feature-auth-cwc-database/, etc.
Unique containers and images with timestamps

Architecture

Naming Conventions

Timestamp Format: YYYY-MM-DD-HHMMSS (hyphenated for readability)

Example: 2025-11-18-195147

Docker Resources:

Docker Image: {serviceName}:{deploymentName}-{timestamp}
- Example: cwc-database:test-2025-11-18-195147
Docker Container: {serviceName}-{deploymentName}-{timestamp}
- Example: cwc-database-test-2025-11-18-195147
Docker Network: cwc-{deploymentName}
- Example: cwc-test (shared across all timestamps for same deployment)
Archive: {serviceName}-{deploymentName}-{timestamp}.tar.gz
- Example: cwc-database-test-2025-11-18-195147.tar.gz

Directory Structure

Build Path: {buildsPath}/{deploymentName}/{serviceName}/{timestamp}/

Server Deployment Path: {basePath}/deployment/{deploymentName}/{serviceName}/{timestamp}/

Server Data Path: {basePath}/{deploymentName}-{serviceName}/data/

Critical: Data path includes service name to prevent conflicts with other database instances

Network Configuration

Docker networks use calculated subnets to avoid conflicts:

Network name: cwc-{deploymentName}
Subnet: 192.1.{N}.0/24 (N calculated from deployment name hash, 1-254)
Container IP: 192.1.{N}.2

Example:

cwc-test → 192.1.2.0/24 → container at 192.1.2.2
cwc-prod → 192.1.3.0/24 → container at 192.1.3.2

MariaDB Auto-Initialization

Files in init-scripts/ are automatically executed by MariaDB only on first initialization when the data directory is empty:

00-create-schema.sql - Creates cwc schema
01-create-tables.sql - Creates all database tables
02-create-indexes.sql - Creates all indexes
03-create-views.sql - Creates all views

Scripts run in alphabetical order, so numbering ensures correct execution sequence.

Important: Scripts only run when data directory is empty. If data exists, MariaDB skips initialization.

Validation Checks

Before each deployment, the tool validates:

✅ Secrets path exists and is accessible
✅ Builds path exists (creates if missing)
✅ SSH key file exists and has correct permissions
✅ SSH connection successful to target server
✅ Docker installed and running on server
✅ Deployment conflicts detected (warns if redeploying)

Troubleshooting

SSH Connection Fails

Error: Failed to connect to server: Connection refused

Solutions:

Verify server is reachable: ping test.example.com
Check SSH key permissions: chmod 600 ~/cwc-secrets/deployment/ssh-keys/*
Test SSH manually: ssh -i ~/cwc-secrets/deployment/ssh-keys/test-server-key deploy-user@test.example.com
Verify SSH key path in servers.json is correct

Docker Not Available

Error: Docker is not installed on the server

Solutions:

SSH to server and install Docker
Verify Docker daemon is running: systemctl status docker
Add deployment user to docker group: usermod -aG docker deploy-user

MariaDB Lock File Error

Error: Can't lock aria control file

Root Cause: Data directory conflict - multiple MariaDB instances using same data path

Solutions:

Verify data path includes service name: {deploymentName}-{serviceName}/data
Example: test-cwc-database/data vs test-mariadb/data
Different deployments/services should have separate data directories

Root Login Fails (Access Denied)

Warning: Failed to connect as root: Access denied

Expected Behavior:

Root can only connect from localhost (docker exec)
For existing data, old root password may be retained (MariaDB doesn't re-initialize)
Use mariadb user for remote connections
Deploy treats root connection failure as warning, not error

MariaDB Client Command Not Found

Error: mysql: command not found

Root Cause: MariaDB 11.8 uses mariadb command, not mysql

Solution:

Use docker exec {container} mariadb -u... instead of mysql
Deployment handles this automatically

Schema Not Created

Warning: Database connected, but cwc schema not found

Root Cause: MariaDB init scripts only run when data directory is empty

Solutions:

For fresh deployment: Use --create-schema flag
For existing data: Manually clear data directory or run scripts separately
Check if data directory has leftover files: ls {dataPath}
Verify init-scripts were mounted: docker inspect {container}

Port Conflict

Error: Failed to start container: port already in use

Root Cause: Another service using the same port

Solutions:

Use --port flag to specify different port
Auto-calculated port range: 3306-3399 based on deployment name hash
Check what's using the port: netstat -tulpn | grep 3306

No Schemas Visible in MySQL Workbench

Root Cause: Database initialized with wrong credentials or incomplete initialization

Solutions:

Clear data directory and redeploy with --create-schema flag
Verify MARIADB_DATABASE environment variable set correctly
Check container logs: docker logs {container} | grep init-scripts

Network Conflicts

Error: Failed to create network: address already in use

Solutions:

List existing networks: docker network ls
Inspect network: docker network inspect cwc-test
Remove unused network: docker network rm cwc-test
Use different deployment name to get different network

Deployment Philosophy

Key Principles

Deploy early, deploy often - Deployment is not a final step; start deploying from day one to catch infrastructure issues early
Separation of concerns - Deployment flow is separate from source control (git) flow
Test on server first - Deploy to dev/test server and thoroughly test before pushing PR to GitHub
No local database - Always point to dev/test server database instance to reduce local setup complexity
Isolated environments - Support multiple simultaneous deployments for features, releases, and developer testing
Timestamped builds - Every deployment is timestamped for complete traceability and rollback capability
Build artifacts outside monorepo - Deployment builds never create files within the source repository

Why Custom Deployment Tool?

Workflow alignment: Developer tests on server before git push (opposite of CI/CD)
Separation of concerns: Deployment separate from source control
Isolated environments: Easy multi-deployment support for testing
Roll-your-own philosophy: Minimize dependencies, full control
Future option: Can invoke custom CLI from GitHub Actions later if desired

Why SSH-Based Deployment?

Works with any server (cloud-agnostic)
No vendor lock-in
Familiar tools (ssh, docker)
Simple mental model
Easy debugging (can SSH to server manually)

Why Timestamped Builds?

Complete traceability (know exactly when deployed)
Visible in docker ps output
Enable rollback to specific version
Multiple versions can coexist during testing
Audit trail for debugging

Why Builds Outside Monorepo?

Keep source tree clean
No accidental git commits of build artifacts
Easy to .gitignore entire builds directory
Separate concerns: source vs deployment artifacts

Future Extensions

This deployment tool is architected for future expansion:

Service deployment: Auth, API, website, dashboard microservices
Multi-container orchestration: Services connecting via Docker networks
Environment variable injection: Per-service configuration
Health checks: Service readiness verification
Log aggregation: Centralized logging across services
Rollback capability: Quick revert to previous timestamp
Cleanup automation: Remove old deployments older than N days

Development

Build

pnpm --filter cwc-deployment build

Watch Mode

pnpm --filter cwc-deployment dev

Type Check

pnpm --filter cwc-deployment typecheck

Dependencies

ssh2 - SSH client for remote server connections
tar - Archive creation and extraction
Internal: cwc-types for TypeScript type definitions

Related Packages

cwc-database: Uses schema-definition/ files for database initialization
cwc-types: Type definitions for deployment configuration (future)

License

UNLICENSED - Private project

packages/cwc-deployment/src/commands/deploy.ts

import { logger } from '../core/logger.js';
import {
  loadServersConfig,
  loadDatabaseSecrets,
  validateServersConfig,
  validateDatabaseSecrets,
  generateTimestamp,
} from '../core/config.js';
import { DatabaseDeploymentOptions } from '../types/config.js';
import { runAllValidations } from '../core/validation.js';
import { createSSHConnection, SSHConnection } from '../core/ssh.js';
import { buildDatabaseArchive } from '../database/buildArchive.js';
import { deployDatabase } from '../database/deployDatabase.js';
import { ServiceType } from '../types/deployment.js';

/**
 * Deploy command options
 */
export type DeployCommandOptions = {
  server: string;
  deploymentName: string;
  secretsPath: string;
  buildsPath: string;
  timestamp?: string;
  port?: number;
  createSchema?: boolean;
};

/**
 * Clean up existing containers and images for a deployment
 */
async function cleanupExistingDeployment(
  ssh: SSHConnection,
  deploymentName: string,
  serviceName: string
): Promise<void> {
  const containerPattern = `${serviceName}-${deploymentName}`;
  const imagePattern = `${serviceName}:${deploymentName}`;

  // Find all containers matching pattern
  const containersResult = await ssh.exec(
    `docker ps -a --filter "name=${containerPattern}" --format "{{.Names}}"`
  );

  const containers = containersResult.stdout
    .trim()
    .split('\n')
    .filter((name) => name.length > 0);

  if (containers.length > 0) {
    logger.info(`Cleaning up ${containers.length} existing container(s)...`);

    for (const containerName of containers) {
      // Stop container (ignore errors if already stopped)
      logger.debug(`Stopping ${containerName}...`);
      await ssh.exec(`docker stop ${containerName} 2>/dev/null || true`);

      // Remove container
      logger.debug(`Removing ${containerName}...`);
      const rmResult = await ssh.exec(`docker rm ${containerName} 2>&1`);
      if (rmResult.exitCode === 0) {
        logger.success(`Removed container: ${containerName}`);
      } else {
        logger.warn(`Failed to remove ${containerName}: ${rmResult.stderr}`);
      }
    }
  }

  // Find and remove all images matching pattern
  const imagesResult = await ssh.exec(
    `docker images --filter "reference=${imagePattern}*" --format "{{.Repository}}:{{.Tag}}"`
  );

  const images = imagesResult.stdout
    .trim()
    .split('\n')
    .filter((name) => name.length > 0);

  if (images.length > 0) {
    logger.info(`Cleaning up ${images.length} existing image(s)...`);

    for (const imageName of images) {
      logger.debug(`Removing ${imageName}...`);
      const rmiResult = await ssh.exec(`docker rmi ${imageName} 2>&1`);
      if (rmiResult.exitCode === 0) {
        logger.success(`Removed image: ${imageName}`);
      } else {
        logger.warn(`Failed to remove ${imageName}: ${rmiResult.stderr}`);
      }
    }
  }

  if (containers.length === 0 && images.length === 0) {
    logger.info('No existing containers or images to clean up');
  }

  // Also check for and remove any dangling volumes (optional cleanup)
  const volumePattern = `${serviceName}-${deploymentName}`;
  const volumesResult = await ssh.exec(
    `docker volume ls --filter "name=${volumePattern}" --format "{{.Name}}"`
  );

  const volumes = volumesResult.stdout
    .trim()
    .split('\n')
    .filter((name) => name.length > 0);

  if (volumes.length > 0) {
    logger.info(`Found ${volumes.length} Docker volume(s) to clean up...`);
    for (const volumeName of volumes) {
      logger.debug(`Removing volume: ${volumeName}...`);
      await ssh.exec(`docker volume rm ${volumeName} 2>/dev/null || true`);
    }
  }
}

/**
 * Deploy database command handler
 */
export async function deployDatabaseCommand(options: DeployCommandOptions): Promise<void> {
  try {
    const timestamp = options.timestamp || generateTimestamp();
    const serviceName = 'cwc-database';

    logger.section('CWC Database Deployment');
    logger.keyValue('Server', options.server);
    logger.keyValue('Deployment Name', options.deploymentName);
    logger.keyValue('Service', serviceName);
    logger.keyValue('Timestamp', timestamp);
    console.log('');

    // Load configuration
    logger.info('Loading configuration...');
    const serversConfig = await loadServersConfig(options.secretsPath);
    const serverConfig = serversConfig[options.server];

    // Validate server config
    const serverValidation = validateServersConfig(serversConfig, options.server);
    if (!serverValidation.success) {
      logger.error(serverValidation.message);
      process.exit(1);
    }

    // This should never happen due to validation above, but TypeScript needs the check
    if (!serverConfig) {
      logger.error(`Server configuration not found for: ${options.server}`);
      process.exit(1);
    }

    // Load database secrets from configuration-helper secrets file
    const secrets = await loadDatabaseSecrets(options.secretsPath, options.deploymentName);

    // Validate secrets
    const secretsValidation = validateDatabaseSecrets(secrets);
    if (!secretsValidation.success) {
      logger.error(secretsValidation.message);
      process.exit(1);
    }

    logger.success('Configuration loaded successfully\n');

    // Run all validations
    const validationResult = await runAllValidations(
      serverConfig,
      options.deploymentName,
      serviceName,
      options.secretsPath,
      options.buildsPath
    );

    if (!validationResult.success) {
      logger.error('Validation failed. Aborting deployment.');
      process.exit(1);
    }

    // Connect to server for cleanup and deployment
    logger.info('Connecting to server...');
    const ssh = await createSSHConnection(serverConfig);
    logger.success('Connected to server\n');

    // Clean up any existing deployments with the same name
    logger.section('Cleanup Existing Deployments');
    await cleanupExistingDeployment(ssh, options.deploymentName, serviceName);
    console.log('');

    // Build deployment archive
    logger.section('Building Deployment Archive');

    const buildOptions: DatabaseDeploymentOptions = {
      server: options.server,
      deploymentName: options.deploymentName,
      secretsPath: options.secretsPath,
      buildsPath: options.buildsPath,
      timestamp,
      serviceName,
      secrets,
      serverConfig,
      ...(options.port ? { port: options.port } : {}),
      ...(options.createSchema ? { createSchema: options.createSchema } : {}),
    };

    const buildResult = await buildDatabaseArchive(buildOptions);

    if (!buildResult.success || !buildResult.archivePath) {
      logger.error(buildResult.message);
      process.exit(1);
    }

    logger.success(`Build complete: ${buildResult.buildDir}\n`);

    // Deploy database (reuse existing SSH connection)
    const deployResult = await deployDatabase(buildOptions, ssh, buildResult.archivePath);

    ssh.disconnect();

    if (!deployResult.success) {
      logger.error('Deployment failed');
      process.exit(1);
    }

    logger.success('Database deployment completed successfully!');
  } catch (error) {
    if (error instanceof Error) {
      logger.error(`Deployment error: ${error.message}`);
    } else {
      logger.error('Unknown deployment error');
    }
    process.exit(1);
  }
}

/**
 * Main deploy command handler - routes to specific service deployer
 */
export async function deployCommand(
  service: ServiceType,
  options: DeployCommandOptions
): Promise<void> {
  switch (service) {
    case 'database':
      await deployDatabaseCommand(options);
      break;
    case 'auth':
    case 'api':
    case 'website':
    case 'dashboard':
      logger.error(`Service '${service}' deployment not yet implemented`);
      process.exit(1);
    default:
      logger.error(`Unknown service: ${service}`);
      process.exit(1);
  }
}

packages/cwc-deployment/src/core/config.ts

2 versions

Version 1

import fs from 'fs/promises';
import path from 'path';
import {
  ServerConfig,
  ServersConfig,
  DatabaseSecrets,
  ValidationResult,
} from '../types/config.js';

/**
 * Load servers configuration from servers.json
 */
export async function loadServersConfig(secretsPath: string): Promise<ServersConfig> {
  const serversPath = path.join(secretsPath, 'deployment/servers.json');

  try {
    const content = await fs.readFile(serversPath, 'utf-8');
    const servers = JSON.parse(content) as ServersConfig;
    return servers;
  } catch (error) {
    if (error instanceof Error) {
      throw new Error(`Failed to load servers config from ${serversPath}: ${error.message}`);
    }
    throw new Error(`Failed to load servers config from ${serversPath}`);
  }
}

/**
 * Load database secrets from secrets.json
 */
export async function loadDatabaseSecrets(secretsPath: string): Promise<DatabaseSecrets> {
  const secretsFilePath = path.join(secretsPath, 'database', 'mariadb', 'secrets.json');

  try {
    const content = await fs.readFile(secretsFilePath, 'utf-8');
    const secrets = JSON.parse(content) as DatabaseSecrets;
    return secrets;
  } catch (error) {
    if (error instanceof Error) {
      throw new Error(`Failed to load database secrets from ${secretsFilePath}: ${error.message}`);
    }
    throw new Error(`Failed to load database secrets from ${secretsFilePath}`);
  }
}

/**
 * Validate servers configuration format
 */
export function validateServersConfig(servers: ServersConfig, serverName: string): ValidationResult {
  if (!servers[serverName]) {
    return {
      success: false,
      message: `Server '${serverName}' not found in servers.json. Available servers: ${Object.keys(servers).join(', ')}`,
    };
  }

  const server = servers[serverName];
  const requiredFields: (keyof ServerConfig)[] = ['host', 'username', 'sshKeyPath', 'basePath'];

  for (const field of requiredFields) {
    if (!server[field]) {
      return {
        success: false,
        message: `Server '${serverName}' is missing required field: ${field}`,
      };
    }
  }

  return { success: true, message: 'Servers configuration is valid' };
}

/**
 * Validate database secrets format
 */
export function validateDatabaseSecrets(secrets: DatabaseSecrets): ValidationResult {
  const requiredFields: (keyof DatabaseSecrets)[] = ['rootPwd', 'mariadbUser', 'mariadbPwd'];

  for (const field of requiredFields) {
    if (!secrets[field]) {
      return {
        success: false,
        message: `Database secrets missing required field: ${field}`,
      };
    }
  }

  return { success: true, message: 'Database secrets are valid' };
}

/**
 * Expand tilde (~) in path to home directory
 */
export function expandPath(inputPath: string): string {
  if (inputPath.startsWith('~/')) {
    const homeDir = process.env['HOME'] || process.env['USERPROFILE'];
    if (!homeDir) {
      throw new Error('Unable to determine home directory');
    }
    return path.join(homeDir, inputPath.slice(2));
  }
  return inputPath;
}

/**
 * Generate timestamp in YYYY-MM-DD-HHMMSS format
 */
export function generateTimestamp(): string {
  const now = new Date();
  const year = now.getFullYear();
  const month = String(now.getMonth() + 1).padStart(2, '0');
  const day = String(now.getDate()).padStart(2, '0');
  const hours = String(now.getHours()).padStart(2, '0');
  const minutes = String(now.getMinutes()).padStart(2, '0');
  const seconds = String(now.getSeconds()).padStart(2, '0');

  return `${year}-${month}-${day}-${hours}${minutes}${seconds}`;
}

Version 2 (latest)

import fs from 'fs/promises';
import path from 'path';
import {
  ServerConfig,
  ServersConfig,
  DatabaseSecrets,
  ValidationResult,
} from '../types/config.js';

/**
 * Load servers configuration from servers.json
 */
export async function loadServersConfig(secretsPath: string): Promise<ServersConfig> {
  const serversPath = path.join(secretsPath, 'deployment/servers.json');

  try {
    const content = await fs.readFile(serversPath, 'utf-8');
    const servers = JSON.parse(content) as ServersConfig;
    return servers;
  } catch (error) {
    if (error instanceof Error) {
      throw new Error(`Failed to load servers config from ${serversPath}: ${error.message}`);
    }
    throw new Error(`Failed to load servers config from ${serversPath}`);
  }
}

/**
 * Raw secrets file structure from configuration-helper secrets files
 */
type RawSecretsFile = {
  DATABASE_ROOT_PASSWORD?: string;
  DATABASE_USER?: string;
  DATABASE_PASSWORD?: string;
  [key: string]: string | undefined;
};

/**
 * Load database secrets from configuration-helper secrets file
 *
 * Reads from {secretsPath}/configuration-helper/{deploymentName}-secrets.json
 * and maps SCREAMING_SNAKE_CASE keys to the internal DatabaseSecrets type.
 */
export async function loadDatabaseSecrets(
  secretsPath: string,
  deploymentName: string
): Promise<DatabaseSecrets> {
  const secretsFilePath = path.join(
    secretsPath,
    `configuration-helper/${deploymentName}-secrets.json`
  );

  try {
    const content = await fs.readFile(secretsFilePath, 'utf-8');
    const rawSecrets = JSON.parse(content) as RawSecretsFile;

    // Map from SCREAMING_SNAKE_CASE to internal property names
    const secrets: DatabaseSecrets = {
      rootPwd: rawSecrets.DATABASE_ROOT_PASSWORD ?? '',
      mariadbUser: rawSecrets.DATABASE_USER ?? '',
      mariadbPwd: rawSecrets.DATABASE_PASSWORD ?? '',
    };

    return secrets;
  } catch (error) {
    if (error instanceof Error) {
      throw new Error(`Failed to load database secrets from ${secretsFilePath}: ${error.message}`);
    }
    throw new Error(`Failed to load database secrets from ${secretsFilePath}`);
  }
}

/**
 * Validate servers configuration format
 */
export function validateServersConfig(servers: ServersConfig, serverName: string): ValidationResult {
  if (!servers[serverName]) {
    return {
      success: false,
      message: `Server '${serverName}' not found in servers.json. Available servers: ${Object.keys(servers).join(', ')}`,
    };
  }

  const server = servers[serverName];
  const requiredFields: (keyof ServerConfig)[] = ['host', 'username', 'sshKeyPath', 'basePath'];

  for (const field of requiredFields) {
    if (!server[field]) {
      return {
        success: false,
        message: `Server '${serverName}' is missing required field: ${field}`,
      };
    }
  }

  return { success: true, message: 'Servers configuration is valid' };
}

/**
 * Validate database secrets format
 */
export function validateDatabaseSecrets(secrets: DatabaseSecrets): ValidationResult {
  const requiredFields: (keyof DatabaseSecrets)[] = ['rootPwd', 'mariadbUser', 'mariadbPwd'];

  for (const field of requiredFields) {
    if (!secrets[field]) {
      return {
        success: false,
        message: `Database secrets missing required field: ${field}`,
      };
    }
  }

  return { success: true, message: 'Database secrets are valid' };
}

/**
 * Expand tilde (~) in path to home directory
 */
export function expandPath(inputPath: string): string {
  if (inputPath.startsWith('~/')) {
    const homeDir = process.env['HOME'] || process.env['USERPROFILE'];
    if (!homeDir) {
      throw new Error('Unable to determine home directory');
    }
    return path.join(homeDir, inputPath.slice(2));
  }
  return inputPath;
}

/**
 * Generate timestamp in YYYY-MM-DD-HHMMSS format
 */
export function generateTimestamp(): string {
  const now = new Date();
  const year = now.getFullYear();
  const month = String(now.getMonth() + 1).padStart(2, '0');
  const day = String(now.getDate()).padStart(2, '0');
  const hours = String(now.getHours()).padStart(2, '0');
  const minutes = String(now.getMinutes()).padStart(2, '0');
  const seconds = String(now.getSeconds()).padStart(2, '0');

  return `${year}-${month}-${day}-${hours}${minutes}${seconds}`;
}

packages/cwc-sql/CLAUDE.md

3 versions

Version 1

cwc-sql Package

Database access layer microservice. CRITICAL: The ONLY service that directly interacts with MariaDB database.

Critical Architecture Rule

Single Database Access Point:

All backend services (cwc-api, cwc-auth, cwc-admin-api) MUST use SqlClient HTTP client
NEVER import MariaDB or execute SQL from other packages
All database operations flow through cwc-sql via POST /data/v1/command

Security Rules - ALWAYS Enforce

SQL Injection Prevention:

✅ ALWAYS use named placeholders (:paramName)
✅ ALWAYS validate table/column names against schema before SQL generation
✅ ALWAYS use multipleStatements: false in connection pool
❌ NEVER use string concatenation for SQL
❌ NEVER use positional placeholders (?)
❌ NEVER allow semicolons in custom SQL

Schema Validation:

Call validateTable(tableName) before generating ANY SQL
Call validateColumn(schema, columnName) for each field reference
Reject operations if table/column not in cwc-schema
This prevents SQL injection via invalid identifiers

Required Filters:

UPDATE operations MUST have non-empty filters (prevent full-table update)
DELETE operations MUST have non-empty filters (prevent full-table delete)
Throw error if filters missing/empty

Primary Key Protection:

NEVER allow updating the primary key column
Check schema.pkid and reject if in UPDATE values
Example: Cannot update userPkId on user table

Connection Pool Rules

Always Release Connections:

const conn = await pool.getConnection();
try {
  // Execute operations
} finally {
  conn.release();  // ALWAYS in finally block
}

Transaction Pattern:

await conn.beginTransaction();
try {
  // Execute operations
  await conn.commit();
} catch (error) {
  await conn.rollback();
  throw error;
} finally {
  conn.release();
}

SQL Generation Patterns

SELECT with tableCount:

When operation.tableCount === true, generate COUNT query
Count AFTER filters are applied (not total table count)
Return: { rows: [...], count: N }

Array Filters (IN clause):

When filter value is array: userPkId IN (:userPkId_in)
When array is empty: 1 = 0 (no matches)
Use _in suffix for param name to avoid conflicts

Named vs Positional Params:

UPDATE: prefix SET params with set_, WHERE params with where_
Example: SET email = :set_email WHERE userPkId = :where_userPkId
Prevents param name collisions

Cache Invalidation Strategy

Table-Specific, Not Global:

INSERT/UPDATE/DELETE on table X → invalidate ALL cache entries for table X only
Custom SQL: Track all tables in customTables array
QueryCache maintains Map<tableName, Set<cacheKeys>>
NEVER clear entire cache on mutation (too expensive)

What Gets Cached:

✅ SELECT operations only
❌ NOT mutations (INSERT/UPDATE/DELETE)
❌ NOT queries inside transactions

Error Logging Pattern

Direct DB Write (No SqlClient):

Logger from cwc-backend-utils uses SqlClient internally
cwc-sql IS the SqlClient service → circular dependency
Solution: Write directly to errorLog table using connection pool
Function: logErrorToDatabase(error, codeLocation, clientName, config)
NEVER use Logger class in cwc-sql

Critical Bugs to Avoid

Environment Variables:

Use 'dev' not 'development' (matches RuntimeEnvironment type)
Use 'prod' not 'production'
Use process.env['VAR_NAME'] bracket notation (not dot notation)

MariaDB Connection Pool:

SSL config must use conditional spread: ...(useSSL && { ssl: {...} })
Don't set ssl: undefined (causes type error with exactOptionalPropertyTypes)
MariaDB pools don't emit 'error' events (don't add listener)

Type Safety:

Extend Express.Request in global namespace, not express-serve-static-core
Use as SqlClient*Response cast when returning operation results (Record → Union type)

Configuration

Required Environment Variables:

RUNTIME_ENVIRONMENT=dev  # dev | test | prod | unit | e2e
SERVICE_PORT=5020
DATABASE_SERVER=localhost
DATABASE_NAME=cwc
DATABASE_USER=cwc_user
DATABASE_PASSWORD=password
DATABASE_CONNECT_TIMEOUT=10000
DATABASE_CONNECTION_ACQUIRE_TIMEOUT=30000
DATABASE_CONNECTION_QUEUE_LIMIT=1000
DATABASE_CONNECTION_LIMIT=20
SQL_CLIENT_API_KEY="-----BEGIN...\\n...END-----"  # Multi-line with \\n
SERVICE_API_ALLOWED_IPS=127.0.0.1,192.168.1.100  # Comma-separated
DEBUG_MODE=ON  # ON | OFF
LOG_ERRORS_TO_DATABASE=ON
QUERY_CACHE_ENABLED=ON
QUERY_CACHE_TTL=5  # minutes
QUERY_CACHE_MAX_KEYS=1000

Key Parsing Rules:

AUTHENTICATION_PUBLIC_KEY: Replace \\n with actual newlines
SERVICE_API_ALLOWED_IPS: Split by comma, trim whitespace
Booleans: ON/OFF or TRUE/FALSE (case insensitive)
Numbers: Validate > 0 for timeouts, limits, TTL
Port: Validate 1-65535 range

Related Packages

cwc-backend-utils: Provides SqlClient, loadDotEnv, createExpressService
cwc-schema: Provides getSchema for validation
cwc-types: Provides RuntimeEnvironment type
mariadb: Database driver
node-cache: Query caching

Version 2

cwc-sql Package

Database access layer microservice. CRITICAL: The ONLY service that directly interacts with MariaDB database.

Critical Architecture Rule

Single Database Access Point:

All backend services (cwc-api, cwc-auth, cwc-admin-api) MUST use SqlClient HTTP client
NEVER import MariaDB or execute SQL from other packages
All database operations flow through cwc-sql via POST /data/v1/command

Security Rules - ALWAYS Enforce

SQL Injection Prevention:

✅ ALWAYS use named placeholders (:paramName)
✅ ALWAYS validate table/column names against schema before SQL generation
✅ ALWAYS use multipleStatements: false in connection pool
❌ NEVER use string concatenation for SQL
❌ NEVER use positional placeholders (?)
❌ NEVER allow semicolons in custom SQL

Schema Validation:

Call validateTable(tableName) before generating ANY SQL
Call validateColumn(schema, columnName) for each field reference
Reject operations if table/column not in cwc-schema
This prevents SQL injection via invalid identifiers

Required Filters:

UPDATE operations MUST have non-empty filters (prevent full-table update)
DELETE operations MUST have non-empty filters (prevent full-table delete)
Throw error if filters missing/empty

Primary Key Protection:

NEVER allow updating the primary key column
Check schema.pkid and reject if in UPDATE values
Example: Cannot update userPkId on user table

Connection Pool Rules

Always Release Connections:

const conn = await pool.getConnection();
try {
  // Execute operations
} finally {
  conn.release();  // ALWAYS in finally block
}

Transaction Pattern:

await conn.beginTransaction();
try {
  // Execute operations
  await conn.commit();
} catch (error) {
  await conn.rollback();
  throw error;
} finally {
  conn.release();
}

SQL Generation Patterns

SELECT with tableCount:

When operation.tableCount === true, generate COUNT query
Count AFTER filters are applied (not total table count)
Return: { rows: [...], count: N }

Array Filters (IN clause):

When filter value is array: userPkId IN (:userPkId_in)
When array is empty: 1 = 0 (no matches)
Use _in suffix for param name to avoid conflicts

Named vs Positional Params:

UPDATE: prefix SET params with set_, WHERE params with where_
Example: SET email = :set_email WHERE userPkId = :where_userPkId
Prevents param name collisions

Cache Invalidation Strategy

Table-Specific, Not Global:

INSERT/UPDATE/DELETE on table X → invalidate ALL cache entries for table X only
Custom SQL: Track all tables in customTables array
QueryCache maintains Map<tableName, Set<cacheKeys>>
NEVER clear entire cache on mutation (too expensive)

What Gets Cached:

✅ SELECT operations only
❌ NOT mutations (INSERT/UPDATE/DELETE)
❌ NOT queries inside transactions

Error Logging Pattern

Direct DB Write (No SqlClient):

Logger from cwc-backend-utils uses SqlClient internally
cwc-sql IS the SqlClient service → circular dependency
Solution: Write directly to errorLog table using connection pool
Function: logErrorToDatabase(error, codeLocation, clientName, config)
NEVER use Logger class in cwc-sql

Critical Bugs to Avoid

Environment Variables:

Use 'dev' not 'development' (matches RuntimeEnvironment type)
Use 'prod' not 'production'
Use process.env['VAR_NAME'] bracket notation (not dot notation)

MariaDB Connection Pool:

SSL config must use conditional spread: ...(useSSL && { ssl: {...} })
Don't set ssl: undefined (causes type error with exactOptionalPropertyTypes)
MariaDB pools don't emit 'error' events (don't add listener)

Type Safety:

Extend Express.Request in global namespace, not express-serve-static-core
Use as SqlClient*Response cast when returning operation results (Record → Union type)

Configuration

Required Environment Variables:

RUNTIME_ENVIRONMENT=dev  # dev | test | prod | unit | e2e
SERVICE_PORT=5020
DATABASE_SERVER=localhost
DATABASE_NAME=cwc
DATABASE_USER=cwc_user
DATABASE_PASSWORD=password
DATABASE_CONNECT_TIMEOUT=10000
DATABASE_CONNECTION_ACQUIRE_TIMEOUT=30000
DATABASE_CONNECTION_QUEUE_LIMIT=1000
DATABASE_CONNECTION_LIMIT=20
SQL_CLIENT_API_KEY="-----BEGIN...\\n...END-----"  # Multi-line with \\n
SERVICE_API_ALLOWED_IPS=127.0.0.1,192.168.1.100  # Comma-separated
DEBUG_MODE=ON  # ON | OFF
LOG_ERRORS_TO_DATABASE=ON
QUERY_CACHE_ENABLED=ON
QUERY_CACHE_TTL=5  # minutes
QUERY_CACHE_MAX_KEYS=1000

Key Parsing Rules:

SQL_CLIENT_API_KEY: Replace \\n with actual newlines
SERVICE_API_ALLOWED_IPS: Split by comma, trim whitespace
Booleans: ON/OFF or TRUE/FALSE (case insensitive)
Numbers: Validate > 0 for timeouts, limits, TTL
Port: Validate 1-65535 range

Related Packages

cwc-backend-utils: Provides SqlClient, loadDotEnv, createExpressService
cwc-schema: Provides getSchema for validation
cwc-types: Provides RuntimeEnvironment type
mariadb: Database driver
node-cache: Query caching

Version 3 (latest)

cwc-sql Package

Database access layer microservice. CRITICAL: The ONLY service that directly interacts with MariaDB database.

Critical Architecture Rule

Single Database Access Point:

All backend services (cwc-api, cwc-auth, cwc-admin-api) MUST use SqlClient HTTP client
NEVER import MariaDB or execute SQL from other packages
All database operations flow through cwc-sql via POST /data/v1/command

Security Rules - ALWAYS Enforce

SQL Injection Prevention:

✅ ALWAYS use named placeholders (:paramName)
✅ ALWAYS validate table/column names against schema before SQL generation
✅ ALWAYS use multipleStatements: false in connection pool
❌ NEVER use string concatenation for SQL
❌ NEVER use positional placeholders (?)
❌ NEVER allow semicolons in custom SQL

Schema Validation:

Call validateTable(tableName) before generating ANY SQL
Call validateColumn(schema, columnName) for each field reference
Reject operations if table/column not in cwc-schema
This prevents SQL injection via invalid identifiers

Required Filters:

UPDATE operations MUST have non-empty filters (prevent full-table update)
DELETE operations MUST have non-empty filters (prevent full-table delete)
Throw error if filters missing/empty

Primary Key Protection:

NEVER allow updating the primary key column
Check schema.pkid and reject if in UPDATE values
Example: Cannot update userPkId on user table

Connection Pool Rules

Always Release Connections:

const conn = await pool.getConnection();
try {
  // Execute operations
} finally {
  conn.release();  // ALWAYS in finally block
}

Transaction Pattern:

await conn.beginTransaction();
try {
  // Execute operations
  await conn.commit();
} catch (error) {
  await conn.rollback();
  throw error;
} finally {
  conn.release();
}

SQL Generation Patterns

SELECT with tableCount:

When operation.tableCount === true, generate COUNT query
Count AFTER filters are applied (not total table count)
Return: { rows: [...], count: N }

Array Filters (IN clause):

When filter value is array: userPkId IN (:userPkId_in)
When array is empty: 1 = 0 (no matches)
Use _in suffix for param name to avoid conflicts

Named vs Positional Params:

UPDATE: prefix SET params with set_, WHERE params with where_
Example: SET email = :set_email WHERE userPkId = :where_userPkId
Prevents param name collisions

Cache Invalidation Strategy

Table-Specific, Not Global:

INSERT/UPDATE/DELETE on table X → invalidate ALL cache entries for table X only
Custom SQL: Track all tables in customTables array
QueryCache maintains Map<tableName, Set<cacheKeys>>
NEVER clear entire cache on mutation (too expensive)

What Gets Cached:

✅ SELECT operations only
❌ NOT mutations (INSERT/UPDATE/DELETE)
❌ NOT queries inside transactions

Error Logging Pattern

Direct DB Write (No SqlClient):

Logger from cwc-backend-utils uses SqlClient internally
cwc-sql IS the SqlClient service → circular dependency
Solution: Write directly to errorLog table using connection pool
Function: logErrorToDatabase(error, codeLocation, clientName, config)
NEVER use Logger class in cwc-sql

Critical Bugs to Avoid

Environment Variables:

Use 'dev' not 'development' (matches RuntimeEnvironment type)
Use 'prod' not 'production'
Use process.env['VAR_NAME'] bracket notation (not dot notation)

MariaDB Connection Pool:

SSL config must use conditional spread: ...(useSSL && { ssl: {...} })
Don't set ssl: undefined (causes type error with exactOptionalPropertyTypes)
MariaDB pools don't emit 'error' events (don't add listener)

Type Safety:

Extend Express.Request in global namespace, not express-serve-static-core
Use as SqlClient*Response cast when returning operation results (Record → Union type)

Configuration

Required Environment Variables:

RUNTIME_ENVIRONMENT=dev  # dev | test | prod | unit | e2e
SERVICE_PORT=5020
DATABASE_SERVER=localhost
DATABASE_NAME=cwc
DATABASE_USER=cwc_user
DATABASE_PASSWORD=password
DATABASE_CONNECT_TIMEOUT=10000
DATABASE_CONNECTION_ACQUIRE_TIMEOUT=30000
DATABASE_CONNECTION_QUEUE_LIMIT=1000
DATABASE_CONNECTION_LIMIT=20
SQL_CLIENT_API_KEY="-----BEGIN...\\n...END-----"  # Multi-line with \\n
DEBUG_MODE=ON  # ON | OFF
LOG_ERRORS_TO_DATABASE=ON
QUERY_CACHE_ENABLED=ON
QUERY_CACHE_TTL=5  # minutes
QUERY_CACHE_MAX_KEYS=1000

Key Parsing Rules:

SQL_CLIENT_API_KEY: Replace \\n with actual newlines
Booleans: ON/OFF or TRUE/FALSE (case insensitive)
Numbers: Validate > 0 for timeouts, limits, TTL
Port: Validate 1-65535 range

Related Packages

cwc-backend-utils: Provides SqlClient, loadDotEnv, createExpressService
cwc-schema: Provides getSchema for validation
cwc-types: Provides RuntimeEnvironment type
mariadb: Database driver
node-cache: Query caching

packages/cwc-sql/README.md

3 versions

Version 1

cwc-sql

Database access layer microservice for the Coding with Claude (CWC) platform.

Overview

cwc-sql is the single point of database access for all CWC backend services. It provides:

Schema-driven SQL generation from cwc-schema definitions
Query caching with table-specific invalidation
Transaction support for multi-operation atomicity
Security-first design with SQL injection prevention
JWT authentication using RS256 algorithm
High performance with MariaDB connection pooling

Architecture

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  cwc-auth   │     │   cwc-api   │     │cwc-admin-api│
│             │     │             │     │             │
└──────┬──────┘     └──────┬──────┘     └──────┬──────┘
       │                   │                   │
       │  SqlClient (HTTP)  │  SqlClient (HTTP)  │  SqlClient (HTTP)
       │  JWT RS256 auth   │  JWT RS256 auth   │  JWT RS256 auth
       │                   │                   │
       └───────────────────┼───────────────────┘
                           │
                           ▼
                    ┌─────────────┐
                    │   cwc-sql   │
                    │  (Express)  │
                    │  Port 5003  │
                    └──────┬──────┘
                           │
                    Schema validation
                    SQL generation
                    Query caching
                           │
                           ▼
                    ┌─────────────┐
                    │  MariaDB    │
                    │  Database   │
                    └─────────────┘

Why a Dedicated SQL Service?

Single Responsibility: Database access logic centralized in one service
Security: All SQL generation goes through schema validation
Performance: Centralized query caching reduces database load
Consistency: All services use the same SQL generation patterns
Maintainability: Database changes affect only one service

API Endpoint

POST /data/v1/command

Executes SQL commands with optional transactions.

Authentication: JWT token in Authorization: Bearer <token> header

Request Body:

{
  userPkId: number | undefined,  // User context for logging
  command: {
    transaction: boolean,         // Execute in transaction
    operations: [
      {
        operationType: 'select' | 'insert' | 'update' | 'delete',
        name?: string,            // Result key (default: 'operation-0')
        table: string,
        fields?: string[],        // SELECT columns
        filters?: {               // WHERE conditions
          [column: string]: value | value[]
        },
        values?: {                // INSERT/UPDATE values
          [column: string]: value
        },
        sort?: [
          { fieldName: string, direction?: 'ASC' | 'DESC' }
        ],
        limit?: {
          recordCount: number,
          startIndex: number
        },
        custom?: {
          customSql: string,
          customParams: { [key: string]: value },
          customTables: string[]
        },
        tableCount?: boolean      // Return count with results
      }
    ],
    tableCount: boolean           // Global table count flag
  }
}

Response:

// Success
{
  success: true,
  data: {
    'operation-0': [...results],  // Query results
    'operation-1': {               // Mutation result
      affectedRows: 1,
      insertId: 123,
      changedRows: 1
    }
  },
  executionTime?: number  // Only in debug mode
}

// Error
{
  success: false,
  error: 'Error message',
  executionTime?: number
}

SQL Operation Examples

SELECT Query

// Simple SELECT
{
  operationType: 'select',
  table: 'user',
  filters: { email: 'user@example.com' },
  fields: ['userPkId', 'username', 'email']
}

// Generated SQL:
// SELECT `userPkId`, `username`, `email`
// FROM `user`
// WHERE `email` = :email

SELECT with Pagination

{
  operationType: 'select',
  table: 'project',
  filters: { userPkId: 123 },
  sort: [{ fieldName: 'createdDate', direction: 'DESC' }],
  limit: { recordCount: 20, startIndex: 0 },
  tableCount: true  // Returns total count for pagination
}

// Returns:
// {
//   rows: [... 20 projects ...],
//   count: 150  // Total matching projects
// }

INSERT Operation

{
  operationType: 'insert',
  table: 'user',
  values: {
    username: 'johndoe',
    email: 'john@example.com',
    enabled: 1
  }
}

// Returns:
// {
//   insertId: 123,
//   affectedRows: 1
// }

UPDATE Operation

{
  operationType: 'update',
  table: 'user',
  filters: { userPkId: 123 },
  values: { email: 'newemail@example.com' }
}

// Returns:
// {
//   affectedRows: 1,
//   changedRows: 1
// }

DELETE Operation

{
  operationType: 'delete',
  table: 'user',
  filters: { userPkId: 123 }
}

// Returns:
// {
//   affectedRows: 1
// }

Custom SQL

{
  operationType: 'select',
  custom: {
    customSql: 'SELECT * FROM user WHERE username LIKE :pattern',
    customParams: { pattern: '%john%' },
    customTables: ['user']
  }
}

Batch Operations

{
  transaction: false,  // Independent operations
  operations: [
    { name: 'users', operationType: 'select', table: 'user', ... },
    { name: 'projects', operationType: 'select', table: 'project', ... }
  ]
}

// Returns:
// {
//   users: [{ ... }, { ... }],
//   projects: [{ ... }, { ... }]
// }

Transactional Operations

{
  transaction: true,  // Atomic - all succeed or all rollback
  operations: [
    { operationType: 'insert', table: 'user', values: { ... } },
    { operationType: 'insert', table: 'project', values: { ... } }
  ]
}

// Both inserts succeed or both rollback on error

Configuration

Environment Variables

Create environment file based on your runtime:

Development: ../../../../private/cwc-secrets/env/dev.cwc-sql.env
Test: ../../.env.test
Production: ../../.env.prod

# Runtime environment
RUNTIME_ENVIRONMENT=dev  # dev | test | prod | unit | e2e
SERVICE_PORT=5020

# Database connection
DATABASE_SERVER=localhost
DATABASE_NAME=cwc
DATABASE_USER=cwc_user
DATABASE_PASSWORD=secure_password
DATABASE_CONNECT_TIMEOUT=10000
DATABASE_CONNECTION_ACQUIRE_TIMEOUT=30000
DATABASE_CONNECTION_QUEUE_LIMIT=1000
DATABASE_CONNECTION_LIMIT=20

# SQL Client API Key (multi-line public key for verifying backend service tokens)
SQL_CLIENT_API_KEY="-----BEGIN PUBLIC KEY-----\nMIIBIjANBg...\n-----END PUBLIC KEY-----"

# Security
SERVICE_API_ALLOWED_IPS=127.0.0.1,192.168.1.100  # Comma-separated

# Debugging
DEBUG_MODE=ON  # ON | OFF
LOG_ERRORS_TO_DATABASE=ON

# Query caching
QUERY_CACHE_ENABLED=ON
QUERY_CACHE_TTL=5  # minutes
QUERY_CACHE_MAX_KEYS=1000

JWT Authentication

Token Structure:

{
  dataJwtId: '550e8400-e29b-41d4-a716-446655440000',  // UUID v4
  clientName: 'cwc-api',  // cwc-api | cwc-auth | cwc-admin-api
  exp: 1234567890,        // Expiration timestamp
  iat: 1234567860         // Issued at timestamp
}

Key Location:

Development: ../../../cwc-secrets/data-api-keys/data-api-jwt-public.pem
Production: ./data-api-keys/data-api-jwt-public.pem

Query Caching

How It Works

Cache on SELECT: Only SELECT operations are cached
Table-specific keys: Each cache entry tracks which tables it references
Automatic invalidation: Mutations (INSERT/UPDATE/DELETE) invalidate all cache for that table
Configurable TTL: Cache expires after configured minutes
Max key limit: LRU eviction when limit reached

What Gets Cached

✅ Cached:

SELECT operations (non-transaction)
Custom SQL SELECT queries

❌ Not Cached:

INSERT, UPDATE, DELETE operations
Queries inside transactions
When QUERY_CACHE_ENABLED=OFF

Cache Invalidation

INSERT INTO project ...

↓

Invalidates all cache entries for 'project' table

↓

Other tables (user, comment) remain cached

Security Features

SQL Injection Prevention

Named placeholders only: :paramName syntax required
Schema validation: All table/column names validated against cwc-schema
No multiple statements: multipleStatements: false in connection pool
Semicolon detection: Custom SQL cannot contain ;
Prepared statements: All queries use MariaDB prepared statements

Required Filters

UPDATE: Must specify filters to prevent full-table updates
DELETE: Must specify filters to prevent full-table deletes

Primary Key Protection

Cannot update PkId: UPDATE operations reject attempts to modify primary key

Development

Running the Service

# Install dependencies
pnpm install

# Development mode (with auto-reload)
pnpm dev

# Build
pnpm build

# Type-check
pnpm typecheck

# Run tests
pnpm test

Testing

# Run all tests
NODE_ENV=unit pnpm test

# Run tests with coverage
NODE_ENV=unit pnpm test --coverage

# Run specific test file
NODE_ENV=unit pnpm test config.test.ts

Test Coverage:

80 unit tests covering:
- Configuration loading and validation
- SQL generation (SELECT, INSERT, UPDATE, DELETE, Custom)
- Schema validation and security checks
- Query caching with table-specific invalidation
- Error handling and edge cases

Debug Mode

Enable with DEBUG_MODE=ON:

Logs include:

Configuration details (passwords/keys redacted)
Connection pool creation parameters
SQL statements and parameters
Cache hits/misses
Transaction begin/commit/rollback
Authentication successes
Execution times

Example output:

[cwc-sql] Configuration loaded:
  Environment: dev
  Service Port: 5003
  Database: localhost/cwc
  Cache: enabled
  Debug: enabled

[cwc-sql] SELECT: SELECT * FROM user WHERE email = :email
[cwc-sql] Params: { email: 'user@example.com' }
[cwc-sql] Cache MISS for table: user
[cwc-sql] Cached result for table: user
[cwc-sql] Command completed in 45ms

Performance Considerations

Connection Pool Sizing

Default settings:

connectionLimit: 20 - Max concurrent connections
acquireTimeout: 30000ms - Fail fast under load
connectTimeout: 10000ms - Detect dead connections quickly
idleTimeout: 60000ms - Close idle connections
minimumIdle: 0 - Allow pool to shrink completely

Tuning guidance:

Start conservative (10-20 connections)
Monitor connection usage in production
Increase if seeing acquireTimeout errors
Consider database server limits

Query Optimization

Best practices:

Use fields array instead of SELECT *
Use limit for large result sets
Index frequently queried columns (in cwc-database)
Use tableCount only when needed
Minimize operations per transaction

Caching Strategy

When to enable:

Read-heavy workloads
Repeated identical queries
Acceptable stale data (within TTL)

When to disable:

Write-heavy workloads
Real-time data requirements
Low memory environments

Error Logging

Direct Database Logging:

cwc-sql writes errors directly to the errorLog table, bypassing the SqlClient client (which would create a circular dependency).

Error Log Fields:

serviceName: Always 'cwc-sql'
codeLocation: Function/file where error occurred
errorMessage: First 500 characters of error message
error: Full error string (max 65535 chars)
stack: Stack trace (max 65535 chars)
data: Additional context (e.g., client name from JWT)

Transaction Behavior

With `transaction: true`

Acquire single connection from pool
BEGIN TRANSACTION
Execute all operations sequentially on same connection
COMMIT on success
ROLLBACK on any error
Always release connection in finally block

With `transaction: false`

Each operation gets its own connection
Operations are independent (one failure doesn't affect others)
Connections released immediately after operation

Named Operations

{
  transaction: true,
  operations: [
    { name: 'createUser', operationType: 'insert', table: 'user', ... },
    { name: 'createProject', operationType: 'insert', table: 'project', ... }
  ]
}

// Response uses your names:
{
  createUser: { insertId: 123 },
  createProject: { insertId: 456 }
}

Dependencies

Runtime:

express (^5.1.0) - HTTP server
mariadb (^3.4.5) - MariaDB database driver
node-cache (^5.1.2) - In-memory query caching
jsonwebtoken (^9.0.2) - JWT verification
dotenv (^17.2.3) - Environment variable loading
cwc-types (workspace) - Shared TypeScript types
cwc-schema (workspace) - Schema definitions
cwc-backend-utils (workspace) - Backend utilities

Development:

jest (^30.2.0) - Testing framework
ts-jest (^29.4.5) - TypeScript Jest transformer
typescript (^5.4.0) - TypeScript compiler

Related Packages

cwc-backend-utils: SqlClient HTTP client, loadDotEnv, createExpressService
cwc-schema: Schema definitions and validation
cwc-types: Shared TypeScript types
cwc-database: SQL schema scripts and migrations

License

UNLICENSED - Private project

Version 2

cwc-sql

Database access layer microservice for the Coding with Claude (CWC) platform.

Overview

cwc-sql is the single point of database access for all CWC backend services. It provides:

Schema-driven SQL generation from cwc-schema definitions
Query caching with table-specific invalidation
Transaction support for multi-operation atomicity
Security-first design with SQL injection prevention
JWT authentication using RS256 algorithm
High performance with MariaDB connection pooling

Architecture

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  cwc-auth   │     │   cwc-api   │     │cwc-admin-api│
│             │     │             │     │             │
└──────┬──────┘     └──────┬──────┘     └──────┬──────┘
       │                   │                   │
       │  SqlClient (HTTP)  │  SqlClient (HTTP)  │  SqlClient (HTTP)
       │  JWT RS256 auth   │  JWT RS256 auth   │  JWT RS256 auth
       │                   │                   │
       └───────────────────┼───────────────────┘
                           │
                           ▼
                    ┌─────────────┐
                    │   cwc-sql   │
                    │  (Express)  │
                    │  Port 5003  │
                    └──────┬──────┘
                           │
                    Schema validation
                    SQL generation
                    Query caching
                           │
                           ▼
                    ┌─────────────┐
                    │  MariaDB    │
                    │  Database   │
                    └─────────────┘

Why a Dedicated SQL Service?

Single Responsibility: Database access logic centralized in one service
Security: All SQL generation goes through schema validation
Performance: Centralized query caching reduces database load
Consistency: All services use the same SQL generation patterns
Maintainability: Database changes affect only one service

API Endpoint

POST /data/v1/command

Executes SQL commands with optional transactions.

Authentication: JWT token in Authorization: Bearer <token> header

Request Body:

{
  userPkId: number | undefined,  // User context for logging
  command: {
    transaction: boolean,         // Execute in transaction
    operations: [
      {
        operationType: 'select' | 'insert' | 'update' | 'delete',
        name?: string,            // Result key (default: 'operation-0')
        table: string,
        fields?: string[],        // SELECT columns
        filters?: {               // WHERE conditions
          [column: string]: value | value[]
        },
        values?: {                // INSERT/UPDATE values
          [column: string]: value
        },
        sort?: [
          { fieldName: string, direction?: 'ASC' | 'DESC' }
        ],
        limit?: {
          recordCount: number,
          startIndex: number
        },
        custom?: {
          customSql: string,
          customParams: { [key: string]: value },
          customTables: string[]
        },
        tableCount?: boolean      // Return count with results
      }
    ],
    tableCount: boolean           // Global table count flag
  }
}

Response:

// Success
{
  success: true,
  data: {
    'operation-0': [...results],  // Query results
    'operation-1': {               // Mutation result
      affectedRows: 1,
      insertId: 123,
      changedRows: 1
    }
  },
  executionTime?: number  // Only in debug mode
}

// Error
{
  success: false,
  error: 'Error message',
  executionTime?: number
}

SQL Operation Examples

SELECT Query

// Simple SELECT
{
  operationType: 'select',
  table: 'user',
  filters: { email: 'user@example.com' },
  fields: ['userPkId', 'username', 'email']
}

// Generated SQL:
// SELECT `userPkId`, `username`, `email`
// FROM `user`
// WHERE `email` = :email

SELECT with Pagination

{
  operationType: 'select',
  table: 'project',
  filters: { userPkId: 123 },
  sort: [{ fieldName: 'createdDate', direction: 'DESC' }],
  limit: { recordCount: 20, startIndex: 0 },
  tableCount: true  // Returns total count for pagination
}

// Returns:
// {
//   rows: [... 20 projects ...],
//   count: 150  // Total matching projects
// }

INSERT Operation

{
  operationType: 'insert',
  table: 'user',
  values: {
    username: 'johndoe',
    email: 'john@example.com',
    enabled: 1
  }
}

// Returns:
// {
//   insertId: 123,
//   affectedRows: 1
// }

UPDATE Operation

{
  operationType: 'update',
  table: 'user',
  filters: { userPkId: 123 },
  values: { email: 'newemail@example.com' }
}

// Returns:
// {
//   affectedRows: 1,
//   changedRows: 1
// }

DELETE Operation

{
  operationType: 'delete',
  table: 'user',
  filters: { userPkId: 123 }
}

// Returns:
// {
//   affectedRows: 1
// }

Custom SQL

{
  operationType: 'select',
  custom: {
    customSql: 'SELECT * FROM user WHERE username LIKE :pattern',
    customParams: { pattern: '%john%' },
    customTables: ['user']
  }
}

Batch Operations

{
  transaction: false,  // Independent operations
  operations: [
    { name: 'users', operationType: 'select', table: 'user', ... },
    { name: 'projects', operationType: 'select', table: 'project', ... }
  ]
}

// Returns:
// {
//   users: [{ ... }, { ... }],
//   projects: [{ ... }, { ... }]
// }

Transactional Operations

{
  transaction: true,  // Atomic - all succeed or all rollback
  operations: [
    { operationType: 'insert', table: 'user', values: { ... } },
    { operationType: 'insert', table: 'project', values: { ... } }
  ]
}

// Both inserts succeed or both rollback on error

Configuration

Environment Variables

Create environment file based on your runtime:

Development: ../../../../private/cwc-secrets/env/dev.cwc-sql.env
Test: ../../.env.test
Production: ../../.env.prod

# Runtime environment
RUNTIME_ENVIRONMENT=dev  # dev | test | prod | unit | e2e
SERVICE_PORT=5020

# Database connection
DATABASE_SERVER=localhost
DATABASE_NAME=cwc
DATABASE_USER=cwc_user
DATABASE_PASSWORD=secure_password
DATABASE_CONNECT_TIMEOUT=10000
DATABASE_CONNECTION_ACQUIRE_TIMEOUT=30000
DATABASE_CONNECTION_QUEUE_LIMIT=1000
DATABASE_CONNECTION_LIMIT=20

# SQL Client API Key (multi-line public key for verifying backend service tokens)
SQL_CLIENT_API_KEY="-----BEGIN PUBLIC KEY-----\nMIIBIjANBg...\n-----END PUBLIC KEY-----"

# Security
SERVICE_API_ALLOWED_IPS=127.0.0.1,192.168.1.100  # Comma-separated

# Debugging
DEBUG_MODE=ON  # ON | OFF
LOG_ERRORS_TO_DATABASE=ON

# Query caching
QUERY_CACHE_ENABLED=ON
QUERY_CACHE_TTL=5  # minutes
QUERY_CACHE_MAX_KEYS=1000

JWT Authentication

Token Structure:

{
  dataJwtId: '550e8400-e29b-41d4-a716-446655440000',  // UUID v4
  clientName: 'cwc-api',  // cwc-api | cwc-auth | cwc-admin-api
  exp: 1234567890,        // Expiration timestamp
  iat: 1234567860         // Issued at timestamp
}

Key Location:

Development: ../../../cwc-secrets/sql-client-api-keys/sql-client-api-key-public.pem
Production: ./sql-client-api-keys/sql-client-api-key-public.pem

Query Caching

How It Works

Cache on SELECT: Only SELECT operations are cached
Table-specific keys: Each cache entry tracks which tables it references
Automatic invalidation: Mutations (INSERT/UPDATE/DELETE) invalidate all cache for that table
Configurable TTL: Cache expires after configured minutes
Max key limit: LRU eviction when limit reached

What Gets Cached

✅ Cached:

SELECT operations (non-transaction)
Custom SQL SELECT queries

❌ Not Cached:

INSERT, UPDATE, DELETE operations
Queries inside transactions
When QUERY_CACHE_ENABLED=OFF

Cache Invalidation

INSERT INTO project ...

↓

Invalidates all cache entries for 'project' table

↓

Other tables (user, comment) remain cached

Security Features

SQL Injection Prevention

Named placeholders only: :paramName syntax required
Schema validation: All table/column names validated against cwc-schema
No multiple statements: multipleStatements: false in connection pool
Semicolon detection: Custom SQL cannot contain ;
Prepared statements: All queries use MariaDB prepared statements

Required Filters

UPDATE: Must specify filters to prevent full-table updates
DELETE: Must specify filters to prevent full-table deletes

Primary Key Protection

Cannot update PkId: UPDATE operations reject attempts to modify primary key

Development

Running the Service

# Install dependencies
pnpm install

# Development mode (with auto-reload)
pnpm dev

# Build
pnpm build

# Type-check
pnpm typecheck

# Run tests
pnpm test

Testing

# Run all tests
NODE_ENV=unit pnpm test

# Run tests with coverage
NODE_ENV=unit pnpm test --coverage

# Run specific test file
NODE_ENV=unit pnpm test config.test.ts

Test Coverage:

80 unit tests covering:
- Configuration loading and validation
- SQL generation (SELECT, INSERT, UPDATE, DELETE, Custom)
- Schema validation and security checks
- Query caching with table-specific invalidation
- Error handling and edge cases

Debug Mode

Enable with DEBUG_MODE=ON:

Logs include:

Configuration details (passwords/keys redacted)
Connection pool creation parameters
SQL statements and parameters
Cache hits/misses
Transaction begin/commit/rollback
Authentication successes
Execution times

Example output:

[cwc-sql] Configuration loaded:
  Environment: dev
  Service Port: 5003
  Database: localhost/cwc
  Cache: enabled
  Debug: enabled

[cwc-sql] SELECT: SELECT * FROM user WHERE email = :email
[cwc-sql] Params: { email: 'user@example.com' }
[cwc-sql] Cache MISS for table: user
[cwc-sql] Cached result for table: user
[cwc-sql] Command completed in 45ms

Performance Considerations

Connection Pool Sizing

Default settings:

connectionLimit: 20 - Max concurrent connections
acquireTimeout: 30000ms - Fail fast under load
connectTimeout: 10000ms - Detect dead connections quickly
idleTimeout: 60000ms - Close idle connections
minimumIdle: 0 - Allow pool to shrink completely

Tuning guidance:

Start conservative (10-20 connections)
Monitor connection usage in production
Increase if seeing acquireTimeout errors
Consider database server limits

Query Optimization

Best practices:

Use fields array instead of SELECT *
Use limit for large result sets
Index frequently queried columns (in cwc-database)
Use tableCount only when needed
Minimize operations per transaction

Caching Strategy

When to enable:

Read-heavy workloads
Repeated identical queries
Acceptable stale data (within TTL)

When to disable:

Write-heavy workloads
Real-time data requirements
Low memory environments

Error Logging

Direct Database Logging:

cwc-sql writes errors directly to the errorLog table, bypassing the SqlClient client (which would create a circular dependency).

Error Log Fields:

serviceName: Always 'cwc-sql'
codeLocation: Function/file where error occurred
errorMessage: First 500 characters of error message
error: Full error string (max 65535 chars)
stack: Stack trace (max 65535 chars)
data: Additional context (e.g., client name from JWT)

Transaction Behavior

With `transaction: true`

Acquire single connection from pool
BEGIN TRANSACTION
Execute all operations sequentially on same connection
COMMIT on success
ROLLBACK on any error
Always release connection in finally block

With `transaction: false`

Each operation gets its own connection
Operations are independent (one failure doesn't affect others)
Connections released immediately after operation

Named Operations

{
  transaction: true,
  operations: [
    { name: 'createUser', operationType: 'insert', table: 'user', ... },
    { name: 'createProject', operationType: 'insert', table: 'project', ... }
  ]
}

// Response uses your names:
{
  createUser: { insertId: 123 },
  createProject: { insertId: 456 }
}

Dependencies

Runtime:

express (^5.1.0) - HTTP server
mariadb (^3.4.5) - MariaDB database driver
node-cache (^5.1.2) - In-memory query caching
jsonwebtoken (^9.0.2) - JWT verification
dotenv (^17.2.3) - Environment variable loading
cwc-types (workspace) - Shared TypeScript types
cwc-schema (workspace) - Schema definitions
cwc-backend-utils (workspace) - Backend utilities

Development:

jest (^30.2.0) - Testing framework
ts-jest (^29.4.5) - TypeScript Jest transformer
typescript (^5.4.0) - TypeScript compiler

Related Packages

cwc-backend-utils: SqlClient HTTP client, loadDotEnv, createExpressService
cwc-schema: Schema definitions and validation
cwc-types: Shared TypeScript types
cwc-database: SQL schema scripts and migrations

License

UNLICENSED - Private project

Version 3 (latest)

cwc-sql

Database access layer microservice for the Coding with Claude (CWC) platform.

Overview

cwc-sql is the single point of database access for all CWC backend services. It provides:

Schema-driven SQL generation from cwc-schema definitions
Query caching with table-specific invalidation
Transaction support for multi-operation atomicity
Security-first design with SQL injection prevention
JWT authentication using RS256 algorithm
High performance with MariaDB connection pooling

Architecture

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  cwc-auth   │     │   cwc-api   │     │cwc-admin-api│
│             │     │             │     │             │
└──────┬──────┘     └──────┬──────┘     └──────┬──────┘
       │                   │                   │
       │  SqlClient (HTTP)  │  SqlClient (HTTP)  │  SqlClient (HTTP)
       │  JWT RS256 auth   │  JWT RS256 auth   │  JWT RS256 auth
       │                   │                   │
       └───────────────────┼───────────────────┘
                           │
                           ▼
                    ┌─────────────┐
                    │   cwc-sql   │
                    │  (Express)  │
                    │  Port 5003  │
                    └──────┬──────┘
                           │
                    Schema validation
                    SQL generation
                    Query caching
                           │
                           ▼
                    ┌─────────────┐
                    │  MariaDB    │
                    │  Database   │
                    └─────────────┘

Why a Dedicated SQL Service?

Single Responsibility: Database access logic centralized in one service
Security: All SQL generation goes through schema validation
Performance: Centralized query caching reduces database load
Consistency: All services use the same SQL generation patterns
Maintainability: Database changes affect only one service

API Endpoint

POST /data/v1/command

Executes SQL commands with optional transactions.

Authentication: JWT token in Authorization: Bearer <token> header

Request Body:

{
  userPkId: number | undefined,  // User context for logging
  command: {
    transaction: boolean,         // Execute in transaction
    operations: [
      {
        operationType: 'select' | 'insert' | 'update' | 'delete',
        name?: string,            // Result key (default: 'operation-0')
        table: string,
        fields?: string[],        // SELECT columns
        filters?: {               // WHERE conditions
          [column: string]: value | value[]
        },
        values?: {                // INSERT/UPDATE values
          [column: string]: value
        },
        sort?: [
          { fieldName: string, direction?: 'ASC' | 'DESC' }
        ],
        limit?: {
          recordCount: number,
          startIndex: number
        },
        custom?: {
          customSql: string,
          customParams: { [key: string]: value },
          customTables: string[]
        },
        tableCount?: boolean      // Return count with results
      }
    ],
    tableCount: boolean           // Global table count flag
  }
}

Response:

// Success
{
  success: true,
  data: {
    'operation-0': [...results],  // Query results
    'operation-1': {               // Mutation result
      affectedRows: 1,
      insertId: 123,
      changedRows: 1
    }
  },
  executionTime?: number  // Only in debug mode
}

// Error
{
  success: false,
  error: 'Error message',
  executionTime?: number
}

SQL Operation Examples

SELECT Query

// Simple SELECT
{
  operationType: 'select',
  table: 'user',
  filters: { email: 'user@example.com' },
  fields: ['userPkId', 'username', 'email']
}

// Generated SQL:
// SELECT `userPkId`, `username`, `email`
// FROM `user`
// WHERE `email` = :email

SELECT with Pagination

{
  operationType: 'select',
  table: 'project',
  filters: { userPkId: 123 },
  sort: [{ fieldName: 'createdDate', direction: 'DESC' }],
  limit: { recordCount: 20, startIndex: 0 },
  tableCount: true  // Returns total count for pagination
}

// Returns:
// {
//   rows: [... 20 projects ...],
//   count: 150  // Total matching projects
// }

INSERT Operation

{
  operationType: 'insert',
  table: 'user',
  values: {
    username: 'johndoe',
    email: 'john@example.com',
    enabled: 1
  }
}

// Returns:
// {
//   insertId: 123,
//   affectedRows: 1
// }

UPDATE Operation

{
  operationType: 'update',
  table: 'user',
  filters: { userPkId: 123 },
  values: { email: 'newemail@example.com' }
}

// Returns:
// {
//   affectedRows: 1,
//   changedRows: 1
// }

DELETE Operation

{
  operationType: 'delete',
  table: 'user',
  filters: { userPkId: 123 }
}

// Returns:
// {
//   affectedRows: 1
// }

Custom SQL

{
  operationType: 'select',
  custom: {
    customSql: 'SELECT * FROM user WHERE username LIKE :pattern',
    customParams: { pattern: '%john%' },
    customTables: ['user']
  }
}

Batch Operations

{
  transaction: false,  // Independent operations
  operations: [
    { name: 'users', operationType: 'select', table: 'user', ... },
    { name: 'projects', operationType: 'select', table: 'project', ... }
  ]
}

// Returns:
// {
//   users: [{ ... }, { ... }],
//   projects: [{ ... }, { ... }]
// }

Transactional Operations

{
  transaction: true,  // Atomic - all succeed or all rollback
  operations: [
    { operationType: 'insert', table: 'user', values: { ... } },
    { operationType: 'insert', table: 'project', values: { ... } }
  ]
}

// Both inserts succeed or both rollback on error

Configuration

Environment Variables

Create environment file based on your runtime:

Development: ../../../../private/cwc-secrets/env/dev.cwc-sql.env
Test: ../../.env.test
Production: ../../.env.prod

# Runtime environment
RUNTIME_ENVIRONMENT=dev  # dev | test | prod | unit | e2e
SERVICE_PORT=5020

# Database connection
DATABASE_SERVER=localhost
DATABASE_NAME=cwc
DATABASE_USER=cwc_user
DATABASE_PASSWORD=secure_password
DATABASE_CONNECT_TIMEOUT=10000
DATABASE_CONNECTION_ACQUIRE_TIMEOUT=30000
DATABASE_CONNECTION_QUEUE_LIMIT=1000
DATABASE_CONNECTION_LIMIT=20

# SQL Client API Key (multi-line public key for verifying backend service tokens)
SQL_CLIENT_API_KEY="-----BEGIN PUBLIC KEY-----\nMIIBIjANBg...\n-----END PUBLIC KEY-----"

# Debugging
DEBUG_MODE=ON  # ON | OFF
LOG_ERRORS_TO_DATABASE=ON

# Query caching
QUERY_CACHE_ENABLED=ON
QUERY_CACHE_TTL=5  # minutes
QUERY_CACHE_MAX_KEYS=1000

JWT Authentication

Token Structure:

{
  dataJwtId: '550e8400-e29b-41d4-a716-446655440000',  // UUID v4
  clientName: 'cwc-api',  // cwc-api | cwc-auth | cwc-admin-api
  exp: 1234567890,        // Expiration timestamp
  iat: 1234567860         // Issued at timestamp
}

Key Location:

Development: ../../../cwc-secrets/sql-client-api-keys/sql-client-api-key-public.pem
Production: ./sql-client-api-keys/sql-client-api-key-public.pem

Query Caching

How It Works

Cache on SELECT: Only SELECT operations are cached
Table-specific keys: Each cache entry tracks which tables it references
Automatic invalidation: Mutations (INSERT/UPDATE/DELETE) invalidate all cache for that table
Configurable TTL: Cache expires after configured minutes
Max key limit: LRU eviction when limit reached

What Gets Cached

✅ Cached:

SELECT operations (non-transaction)
Custom SQL SELECT queries

❌ Not Cached:

INSERT, UPDATE, DELETE operations
Queries inside transactions
When QUERY_CACHE_ENABLED=OFF

Cache Invalidation

INSERT INTO project ...

↓

Invalidates all cache entries for 'project' table

↓

Other tables (user, comment) remain cached

Security Features

SQL Injection Prevention

Named placeholders only: :paramName syntax required
Schema validation: All table/column names validated against cwc-schema
No multiple statements: multipleStatements: false in connection pool
Semicolon detection: Custom SQL cannot contain ;
Prepared statements: All queries use MariaDB prepared statements

Required Filters

UPDATE: Must specify filters to prevent full-table updates
DELETE: Must specify filters to prevent full-table deletes

Primary Key Protection

Cannot update PkId: UPDATE operations reject attempts to modify primary key

Development

Running the Service

# Install dependencies
pnpm install

# Development mode (with auto-reload)
pnpm dev

# Build
pnpm build

# Type-check
pnpm typecheck

# Run tests
pnpm test

Testing

# Run all tests
NODE_ENV=unit pnpm test

# Run tests with coverage
NODE_ENV=unit pnpm test --coverage

# Run specific test file
NODE_ENV=unit pnpm test config.test.ts

Test Coverage:

80 unit tests covering:
- Configuration loading and validation
- SQL generation (SELECT, INSERT, UPDATE, DELETE, Custom)
- Schema validation and security checks
- Query caching with table-specific invalidation
- Error handling and edge cases

Debug Mode

Enable with DEBUG_MODE=ON:

Logs include:

Configuration details (passwords/keys redacted)
Connection pool creation parameters
SQL statements and parameters
Cache hits/misses
Transaction begin/commit/rollback
Authentication successes
Execution times

Example output:

[cwc-sql] Configuration loaded:
  Environment: dev
  Service Port: 5003
  Database: localhost/cwc
  Cache: enabled
  Debug: enabled

[cwc-sql] SELECT: SELECT * FROM user WHERE email = :email
[cwc-sql] Params: { email: 'user@example.com' }
[cwc-sql] Cache MISS for table: user
[cwc-sql] Cached result for table: user
[cwc-sql] Command completed in 45ms

Performance Considerations

Connection Pool Sizing

Default settings:

connectionLimit: 20 - Max concurrent connections
acquireTimeout: 30000ms - Fail fast under load
connectTimeout: 10000ms - Detect dead connections quickly
idleTimeout: 60000ms - Close idle connections
minimumIdle: 0 - Allow pool to shrink completely

Tuning guidance:

Start conservative (10-20 connections)
Monitor connection usage in production
Increase if seeing acquireTimeout errors
Consider database server limits

Query Optimization

Best practices:

Use fields array instead of SELECT *
Use limit for large result sets
Index frequently queried columns (in cwc-database)
Use tableCount only when needed
Minimize operations per transaction

Caching Strategy

When to enable:

Read-heavy workloads
Repeated identical queries
Acceptable stale data (within TTL)

When to disable:

Write-heavy workloads
Real-time data requirements
Low memory environments

Error Logging

Direct Database Logging:

cwc-sql writes errors directly to the errorLog table, bypassing the SqlClient client (which would create a circular dependency).

Error Log Fields:

serviceName: Always 'cwc-sql'
codeLocation: Function/file where error occurred
errorMessage: First 500 characters of error message
error: Full error string (max 65535 chars)
stack: Stack trace (max 65535 chars)
data: Additional context (e.g., client name from JWT)

Transaction Behavior

With `transaction: true`

Acquire single connection from pool
BEGIN TRANSACTION
Execute all operations sequentially on same connection
COMMIT on success
ROLLBACK on any error
Always release connection in finally block

With `transaction: false`

Each operation gets its own connection
Operations are independent (one failure doesn't affect others)
Connections released immediately after operation

Named Operations

{
  transaction: true,
  operations: [
    { name: 'createUser', operationType: 'insert', table: 'user', ... },
    { name: 'createProject', operationType: 'insert', table: 'project', ... }
  ]
}

// Response uses your names:
{
  createUser: { insertId: 123 },
  createProject: { insertId: 456 }
}

Dependencies

Runtime:

express (^5.1.0) - HTTP server
mariadb (^3.4.5) - MariaDB database driver
node-cache (^5.1.2) - In-memory query caching
jsonwebtoken (^9.0.2) - JWT verification
dotenv (^17.2.3) - Environment variable loading
cwc-types (workspace) - Shared TypeScript types
cwc-schema (workspace) - Schema definitions
cwc-backend-utils (workspace) - Backend utilities

Development:

jest (^30.2.0) - Testing framework
ts-jest (^29.4.5) - TypeScript Jest transformer
typescript (^5.4.0) - TypeScript compiler

Related Packages

cwc-backend-utils: SqlClient HTTP client, loadDotEnv, createExpressService
cwc-schema: Schema definitions and validation
cwc-types: Shared TypeScript types
cwc-database: SQL schema scripts and migrations

License

UNLICENSED - Private project

packages/cwc-sql/src/__tests__/config.test.ts

3 versions

Version 1

import { describe, it, expect, beforeEach, afterEach, jest } from '@jest/globals';

describe('Configuration Loading', () => {
  let originalEnv: NodeJS.ProcessEnv;
  let exitSpy: jest.SpiedFunction<typeof process.exit>;

  beforeEach(() => {
    // Save original environment
    originalEnv = { ...process.env };

    // Mock process.exit to prevent test termination
    exitSpy = jest.spyOn(process, 'exit').mockImplementation((code?: string | number) => {
      throw new Error(`process.exit called with ${code}`);
    }) as jest.SpiedFunction<typeof process.exit>;

    // Clear environment
    delete process.env.RUNTIME_ENVIRONMENT;
    delete process.env.SERVICE_PORT;
    delete process.env.DATABASE_SERVER;
    delete process.env.DATABASE_NAME;
    delete process.env.DATABASE_USER;
    delete process.env.DATABASE_PASSWORD;
    delete process.env.DATABASE_CONNECT_TIMEOUT;
    delete process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT;
    delete process.env.DATABASE_CONNECTION_QUEUE_LIMIT;
    delete process.env.DATABASE_CONNECTION_LIMIT;
    delete process.env.SQL_CLIENT_API_KEY;
    delete process.env.SERVICE_API_ALLOWED_IPS;
    delete process.env.DEBUG_MODE;
    delete process.env.LOG_ERRORS_TO_DATABASE;
    delete process.env.QUERY_CACHE_ENABLED;
    delete process.env.QUERY_CACHE_TTL;
    delete process.env.QUERY_CACHE_MAX_KEYS;
    delete process.env.CORS_ORIGIN;
    delete process.env.RATE_LIMITER_POINTS;
    delete process.env.RATE_LIMITER_DURATION;
    delete process.env.END_TO_END_TESTING_MOCK_VALUES;

    // Clear module cache to ensure fresh import
    jest.resetModules();
  });

  afterEach(() => {
    // Restore original environment
    process.env = originalEnv;

    // Restore process.exit
    exitSpy.mockRestore();
  });

  it('should load valid configuration', async () => {
    // Set valid environment variables
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = '-----BEGIN PUBLIC KEY-----\\nTEST\\n-----END PUBLIC KEY-----';
    process.env.SERVICE_API_ALLOWED_IPS = '127.0.0.1,192.168.1.1';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'ON';
    process.env.LOG_ERRORS_TO_DATABASE = 'ON';
    process.env.QUERY_CACHE_ENABLED = 'ON';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.RATE_LIMITER_POINTS = '150';
    process.env.RATE_LIMITER_DURATION = '90';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.runtimeEnvironment).toBe('dev');
    expect(config.isDevelopment).toBe(true);
    expect(config.isProduction).toBe(false);
    expect(config.isTest).toBe(false);
    expect(config.servicePort).toBe(5003);
    expect(config.databaseServer).toBe('localhost');
    expect(config.databaseName).toBe('test_db');
    expect(config.secrets.databaseUser).toBe('test_user');
    expect(config.secrets.databasePassword).toBe('test_password');
    expect(config.secrets.authenticationPublicKey).toContain('-----BEGIN PUBLIC KEY-----');
    expect(config.serviceApiAllowedIps).toEqual(['127.0.0.1', '192.168.1.1']);
    expect(config.debugMode).toBe(true);
    expect(config.logErrorsToDatabase).toBe(true);
    expect(config.queryCacheEnabled).toBe(true);
    expect(config.queryCacheTtl).toBe(5);
    expect(config.queryCacheMaxKeys).toBe(1000);
    expect(config.corsOrigin).toBe('http://localhost:3000');
    expect(config.rateLimiterPoints).toBe(150);
    expect(config.rateLimiterDuration).toBe(90);
    expect(config.endToEndMockValues).toBeUndefined();
  });

  it('should parse production environment correctly', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'prod';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'db.example.com';
    process.env.DATABASE_NAME = 'prod_db';
    process.env.DATABASE_USER = 'prod_user';
    process.env.DATABASE_PASSWORD = 'prod_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '10';
    process.env.QUERY_CACHE_MAX_KEYS = '5000';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.runtimeEnvironment).toBe('prod');
    expect(config.isProduction).toBe(true);
    expect(config.isDevelopment).toBe(false);
    expect(config.isTest).toBe(false);
    expect(config.debugMode).toBe(false);
  });

  it('should use default SERVICE_PORT if not provided', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    // SERVICE_PORT not set
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.servicePort).toBe(5003); // Default value
  });

  it('should parse multi-line public key with escaped newlines', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = '-----BEGIN PUBLIC KEY-----\\nLINE1\\nLINE2\\n-----END PUBLIC KEY-----';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    // Should convert \\n to actual newlines
    expect(config.secrets.authenticationPublicKey).toContain('\n');
    expect(config.secrets.authenticationPublicKey).not.toContain('\\n');
  });

  it('should parse comma-separated IPs', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '192.168.1.1, 192.168.1.2 , 192.168.1.3';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.serviceApiAllowedIps).toEqual(['192.168.1.1', '192.168.1.2', '192.168.1.3']);
  });

  it('should call process.exit for missing required RUNTIME_ENVIRONMENT', async () => {
    // Don't set RUNTIME_ENVIRONMENT
    process.env.SERVICE_PORT = '5003';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for invalid RUNTIME_ENVIRONMENT', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'invalid';
    process.env.SERVICE_PORT = '5003';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for missing DATABASE_SERVER', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    // DATABASE_SERVER not set

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for invalid number in SERVICE_PORT', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = 'not-a-number';
    process.env.DATABASE_SERVER = 'localhost';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for invalid SERVICE_PORT range', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '99999'; // Too high
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for invalid database timeout values', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '-1'; // Invalid
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for invalid cache settings when enabled', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'ON';
    process.env.QUERY_CACHE_TTL = '-5'; // Invalid
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should cache configuration on subsequent calls', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');
    const config1 = loadConfig();
    const config2 = loadConfig();

    // Should return the same cached instance
    expect(config1).toBe(config2);
  });

  it('should use default rate limiter values when not provided', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';
    // RATE_LIMITER_* not set

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.rateLimiterPoints).toBe(100); // Default value
    expect(config.rateLimiterDuration).toBe(60); // Default value
  });

  it('should call process.exit for missing required CORS_ORIGIN', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    // CORS_ORIGIN not set
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should parse END_TO_END_TESTING_MOCK_VALUES in e2e environment', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'e2e';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';
    process.env.END_TO_END_TESTING_MOCK_VALUES = '{"userPkId":"12345","deviceId":"test-device"}';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.runtimeEnvironment).toBe('e2e');
    expect(config.isEndToEnd).toBe(true);
    expect(config.endToEndMockValues).toEqual({
      userPkId: '12345',
      deviceId: 'test-device',
    });
  });

  it('should ignore END_TO_END_TESTING_MOCK_VALUES in non-e2e environment', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';
    process.env.END_TO_END_TESTING_MOCK_VALUES = '{"userPkId":"12345"}'; // Should be ignored

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.runtimeEnvironment).toBe('dev');
    expect(config.isEndToEnd).toBe(false);
    expect(config.endToEndMockValues).toBeUndefined();
  });
});

Version 2

import { describe, it, expect, beforeEach, afterEach, jest } from '@jest/globals';

describe('Configuration Loading', () => {
  let originalEnv: NodeJS.ProcessEnv;
  let exitSpy: jest.SpiedFunction<typeof process.exit>;

  beforeEach(() => {
    // Save original environment
    originalEnv = { ...process.env };

    // Mock process.exit to prevent test termination
    exitSpy = jest.spyOn(process, 'exit').mockImplementation((code?: string | number) => {
      throw new Error(`process.exit called with ${code}`);
    }) as jest.SpiedFunction<typeof process.exit>;

    // Clear environment
    delete process.env.RUNTIME_ENVIRONMENT;
    delete process.env.SERVICE_PORT;
    delete process.env.DATABASE_SERVER;
    delete process.env.DATABASE_NAME;
    delete process.env.DATABASE_USER;
    delete process.env.DATABASE_PASSWORD;
    delete process.env.DATABASE_CONNECT_TIMEOUT;
    delete process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT;
    delete process.env.DATABASE_CONNECTION_QUEUE_LIMIT;
    delete process.env.DATABASE_CONNECTION_LIMIT;
    delete process.env.SQL_CLIENT_API_KEY;
    delete process.env.SERVICE_API_ALLOWED_IPS;
    delete process.env.DEBUG_MODE;
    delete process.env.LOG_ERRORS_TO_DATABASE;
    delete process.env.QUERY_CACHE_ENABLED;
    delete process.env.QUERY_CACHE_TTL;
    delete process.env.QUERY_CACHE_MAX_KEYS;
    delete process.env.CORS_ORIGIN;
    delete process.env.RATE_LIMITER_POINTS;
    delete process.env.RATE_LIMITER_DURATION;
    delete process.env.END_TO_END_TESTING_MOCK_VALUES;

    // Clear module cache to ensure fresh import
    jest.resetModules();
  });

  afterEach(() => {
    // Restore original environment
    process.env = originalEnv;

    // Restore process.exit
    exitSpy.mockRestore();
  });

  it('should load valid configuration', async () => {
    // Set valid environment variables
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = '-----BEGIN PUBLIC KEY-----\\nTEST\\n-----END PUBLIC KEY-----';
    process.env.SERVICE_API_ALLOWED_IPS = '127.0.0.1,192.168.1.1';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'ON';
    process.env.LOG_ERRORS_TO_DATABASE = 'ON';
    process.env.QUERY_CACHE_ENABLED = 'ON';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.RATE_LIMITER_POINTS = '150';
    process.env.RATE_LIMITER_DURATION = '90';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.runtimeEnvironment).toBe('dev');
    expect(config.isDevelopment).toBe(true);
    expect(config.isProduction).toBe(false);
    expect(config.isTest).toBe(false);
    expect(config.servicePort).toBe(5003);
    expect(config.databaseServer).toBe('localhost');
    expect(config.databaseName).toBe('test_db');
    expect(config.secrets.databaseUser).toBe('test_user');
    expect(config.secrets.databasePassword).toBe('test_password');
    expect(config.secrets.sqlClientApiKey).toContain('-----BEGIN PUBLIC KEY-----');
    expect(config.serviceApiAllowedIps).toEqual(['127.0.0.1', '192.168.1.1']);
    expect(config.debugMode).toBe(true);
    expect(config.logErrorsToDatabase).toBe(true);
    expect(config.queryCacheEnabled).toBe(true);
    expect(config.queryCacheTtl).toBe(5);
    expect(config.queryCacheMaxKeys).toBe(1000);
    expect(config.corsOrigin).toBe('http://localhost:3000');
    expect(config.rateLimiterPoints).toBe(150);
    expect(config.rateLimiterDuration).toBe(90);
    expect(config.endToEndMockValues).toBeUndefined();
  });

  it('should parse production environment correctly', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'prod';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'db.example.com';
    process.env.DATABASE_NAME = 'prod_db';
    process.env.DATABASE_USER = 'prod_user';
    process.env.DATABASE_PASSWORD = 'prod_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '10';
    process.env.QUERY_CACHE_MAX_KEYS = '5000';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.runtimeEnvironment).toBe('prod');
    expect(config.isProduction).toBe(true);
    expect(config.isDevelopment).toBe(false);
    expect(config.isTest).toBe(false);
    expect(config.debugMode).toBe(false);
  });

  it('should use default SERVICE_PORT if not provided', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    // SERVICE_PORT not set
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.servicePort).toBe(5003); // Default value
  });

  it('should parse multi-line public key with escaped newlines', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = '-----BEGIN PUBLIC KEY-----\\nLINE1\\nLINE2\\n-----END PUBLIC KEY-----';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    // Should convert \\n to actual newlines
    expect(config.secrets.sqlClientApiKey).toContain('\n');
    expect(config.secrets.sqlClientApiKey).not.toContain('\\n');
  });

  it('should parse comma-separated IPs', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '192.168.1.1, 192.168.1.2 , 192.168.1.3';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.serviceApiAllowedIps).toEqual(['192.168.1.1', '192.168.1.2', '192.168.1.3']);
  });

  it('should call process.exit for missing required RUNTIME_ENVIRONMENT', async () => {
    // Don't set RUNTIME_ENVIRONMENT
    process.env.SERVICE_PORT = '5003';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for invalid RUNTIME_ENVIRONMENT', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'invalid';
    process.env.SERVICE_PORT = '5003';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for missing DATABASE_SERVER', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    // DATABASE_SERVER not set

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for invalid number in SERVICE_PORT', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = 'not-a-number';
    process.env.DATABASE_SERVER = 'localhost';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for invalid SERVICE_PORT range', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '99999'; // Too high
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for invalid database timeout values', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '-1'; // Invalid
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for invalid cache settings when enabled', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'ON';
    process.env.QUERY_CACHE_TTL = '-5'; // Invalid
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should cache configuration on subsequent calls', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');
    const config1 = loadConfig();
    const config2 = loadConfig();

    // Should return the same cached instance
    expect(config1).toBe(config2);
  });

  it('should use default rate limiter values when not provided', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';
    // RATE_LIMITER_* not set

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.rateLimiterPoints).toBe(100); // Default value
    expect(config.rateLimiterDuration).toBe(60); // Default value
  });

  it('should call process.exit for missing required CORS_ORIGIN', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    // CORS_ORIGIN not set
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should parse END_TO_END_TESTING_MOCK_VALUES in e2e environment', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'e2e';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';
    process.env.END_TO_END_TESTING_MOCK_VALUES = '{"userPkId":"12345","deviceId":"test-device"}';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.runtimeEnvironment).toBe('e2e');
    expect(config.isEndToEnd).toBe(true);
    expect(config.endToEndMockValues).toEqual({
      userPkId: '12345',
      deviceId: 'test-device',
    });
  });

  it('should ignore END_TO_END_TESTING_MOCK_VALUES in non-e2e environment', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.SERVICE_API_ALLOWED_IPS = '';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';
    process.env.END_TO_END_TESTING_MOCK_VALUES = '{"userPkId":"12345"}'; // Should be ignored

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.runtimeEnvironment).toBe('dev');
    expect(config.isEndToEnd).toBe(false);
    expect(config.endToEndMockValues).toBeUndefined();
  });
});

Version 3 (latest)

import { describe, it, expect, beforeEach, afterEach, jest } from '@jest/globals';

describe('Configuration Loading', () => {
  let originalEnv: NodeJS.ProcessEnv;
  let exitSpy: jest.SpiedFunction<typeof process.exit>;

  beforeEach(() => {
    // Save original environment
    originalEnv = { ...process.env };

    // Mock process.exit to prevent test termination
    exitSpy = jest.spyOn(process, 'exit').mockImplementation((code?: string | number) => {
      throw new Error(`process.exit called with ${code}`);
    }) as jest.SpiedFunction<typeof process.exit>;

    // Clear environment
    delete process.env.RUNTIME_ENVIRONMENT;
    delete process.env.SERVICE_PORT;
    delete process.env.DATABASE_SERVER;
    delete process.env.DATABASE_NAME;
    delete process.env.DATABASE_USER;
    delete process.env.DATABASE_PASSWORD;
    delete process.env.DATABASE_CONNECT_TIMEOUT;
    delete process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT;
    delete process.env.DATABASE_CONNECTION_QUEUE_LIMIT;
    delete process.env.DATABASE_CONNECTION_LIMIT;
    delete process.env.SQL_CLIENT_API_KEY;
    delete process.env.DEBUG_MODE;
    delete process.env.LOG_ERRORS_TO_DATABASE;
    delete process.env.QUERY_CACHE_ENABLED;
    delete process.env.QUERY_CACHE_TTL;
    delete process.env.QUERY_CACHE_MAX_KEYS;
    delete process.env.CORS_ORIGIN;
    delete process.env.RATE_LIMITER_POINTS;
    delete process.env.RATE_LIMITER_DURATION;
    delete process.env.END_TO_END_TESTING_MOCK_VALUES;

    // Clear module cache to ensure fresh import
    jest.resetModules();
  });

  afterEach(() => {
    // Restore original environment
    process.env = originalEnv;

    // Restore process.exit
    exitSpy.mockRestore();
  });

  it('should load valid configuration', async () => {
    // Set valid environment variables
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = '-----BEGIN PUBLIC KEY-----\\nTEST\\n-----END PUBLIC KEY-----';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'ON';
    process.env.LOG_ERRORS_TO_DATABASE = 'ON';
    process.env.QUERY_CACHE_ENABLED = 'ON';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.RATE_LIMITER_POINTS = '150';
    process.env.RATE_LIMITER_DURATION = '90';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.runtimeEnvironment).toBe('dev');
    expect(config.isDevelopment).toBe(true);
    expect(config.isProduction).toBe(false);
    expect(config.isTest).toBe(false);
    expect(config.servicePort).toBe(5003);
    expect(config.databaseServer).toBe('localhost');
    expect(config.databaseName).toBe('test_db');
    expect(config.secrets.databaseUser).toBe('test_user');
    expect(config.secrets.databasePassword).toBe('test_password');
    expect(config.secrets.sqlClientApiKey).toContain('-----BEGIN PUBLIC KEY-----');
    expect(config.debugMode).toBe(true);
    expect(config.logErrorsToDatabase).toBe(true);
    expect(config.queryCacheEnabled).toBe(true);
    expect(config.queryCacheTtl).toBe(5);
    expect(config.queryCacheMaxKeys).toBe(1000);
    expect(config.corsOrigin).toBe('http://localhost:3000');
    expect(config.rateLimiterPoints).toBe(150);
    expect(config.rateLimiterDuration).toBe(90);
    expect(config.endToEndMockValues).toBeUndefined();
  });

  it('should parse production environment correctly', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'prod';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'db.example.com';
    process.env.DATABASE_NAME = 'prod_db';
    process.env.DATABASE_USER = 'prod_user';
    process.env.DATABASE_PASSWORD = 'prod_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '10';
    process.env.QUERY_CACHE_MAX_KEYS = '5000';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.runtimeEnvironment).toBe('prod');
    expect(config.isProduction).toBe(true);
    expect(config.isDevelopment).toBe(false);
    expect(config.isTest).toBe(false);
    expect(config.debugMode).toBe(false);
  });

  it('should use default SERVICE_PORT if not provided', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    // SERVICE_PORT not set
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.servicePort).toBe(5003); // Default value
  });

  it('should parse multi-line public key with escaped newlines', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = '-----BEGIN PUBLIC KEY-----\\nLINE1\\nLINE2\\n-----END PUBLIC KEY-----';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    // Should convert \\n to actual newlines
    expect(config.secrets.sqlClientApiKey).toContain('\n');
    expect(config.secrets.sqlClientApiKey).not.toContain('\\n');
  });

  it('should call process.exit for missing required RUNTIME_ENVIRONMENT', async () => {
    // Don't set RUNTIME_ENVIRONMENT
    process.env.SERVICE_PORT = '5003';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for invalid RUNTIME_ENVIRONMENT', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'invalid';
    process.env.SERVICE_PORT = '5003';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for missing DATABASE_SERVER', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    // DATABASE_SERVER not set

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for invalid number in SERVICE_PORT', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = 'not-a-number';
    process.env.DATABASE_SERVER = 'localhost';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for invalid SERVICE_PORT range', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '99999'; // Too high
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for invalid database timeout values', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '-1'; // Invalid
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should call process.exit for invalid cache settings when enabled', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'ON';
    process.env.QUERY_CACHE_TTL = '-5'; // Invalid
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should cache configuration on subsequent calls', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');
    const config1 = loadConfig();
    const config2 = loadConfig();

    // Should return the same cached instance
    expect(config1).toBe(config2);
  });

  it('should use default rate limiter values when not provided', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';
    // RATE_LIMITER_* not set

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.rateLimiterPoints).toBe(100); // Default value
    expect(config.rateLimiterDuration).toBe(60); // Default value
  });

  it('should call process.exit for missing required CORS_ORIGIN', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    // CORS_ORIGIN not set
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';

    const { loadConfig } = await import('../config/loadConfig');

    expect(() => loadConfig()).toThrow('process.exit called with 1');
    expect(exitSpy).toHaveBeenCalledWith(1);
  });

  it('should parse END_TO_END_TESTING_MOCK_VALUES in e2e environment', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'e2e';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';
    process.env.END_TO_END_TESTING_MOCK_VALUES = '{"userPkId":"12345","deviceId":"test-device"}';

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.runtimeEnvironment).toBe('e2e');
    expect(config.isEndToEnd).toBe(true);
    expect(config.endToEndMockValues).toEqual({
      userPkId: '12345',
      deviceId: 'test-device',
    });
  });

  it('should ignore END_TO_END_TESTING_MOCK_VALUES in non-e2e environment', async () => {
    process.env.RUNTIME_ENVIRONMENT = 'dev';
    process.env.SERVICE_PORT = '5003';
    process.env.DATABASE_SERVER = 'localhost';
    process.env.DATABASE_NAME = 'test_db';
    process.env.DATABASE_USER = 'test_user';
    process.env.DATABASE_PASSWORD = 'test_password';
    process.env.DATABASE_CONNECT_TIMEOUT = '10000';
    process.env.DATABASE_CONNECTION_ACQUIRE_TIMEOUT = '30000';
    process.env.DATABASE_CONNECTION_QUEUE_LIMIT = '1000';
    process.env.DATABASE_CONNECTION_LIMIT = '20';
    process.env.SQL_CLIENT_API_KEY = 'test-key';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.CORS_ORIGIN = 'http://localhost:3000';
    process.env.DEBUG_MODE = 'OFF';
    process.env.LOG_ERRORS_TO_DATABASE = 'OFF';
    process.env.QUERY_CACHE_ENABLED = 'OFF';
    process.env.QUERY_CACHE_TTL = '5';
    process.env.QUERY_CACHE_MAX_KEYS = '1000';
    process.env.END_TO_END_TESTING_MOCK_VALUES = '{"userPkId":"12345"}'; // Should be ignored

    const { loadConfig } = await import('../config/loadConfig');
    const config = loadConfig();

    expect(config.runtimeEnvironment).toBe('dev');
    expect(config.isEndToEnd).toBe(false);
    expect(config.endToEndMockValues).toBeUndefined();
  });
});

packages/cwc-sql/src/__tests__/queryCache.test.ts

2 versions

Version 1

import { describe, it, expect, beforeEach } from '@jest/globals';
import { QueryCache } from '../cache/queryCache';
import type { CwcSqlConfig } from '../config';
import type { SqlClientOperation } from 'cwc-backend-utils';

describe('QueryCache', () => {
  let config: CwcSqlConfig;
  let cache: QueryCache;

  beforeEach(() => {
    config = {
      runtimeEnvironment: 'unit',
      isProduction: false,
      isDevelopment: false,
      isTest: false,
      isUnitTest: true,
      isEndToEnd: false,
      servicePort: 5003,
      databaseServer: 'localhost',
      databaseName: 'test',
      databaseUser: 'test',
      databasePassword: 'test',
      databaseConnectTimeout: 10000,
      databaseConnectionAcquireTimeout: 30000,
      databaseConnectionQueueLimit: 1000,
      databaseConnectionLimit: 20,
      sqlClientApiKey: 'test-key',
      serviceApiAllowedIps: [],
      debugMode: false,
      logErrorsToDatabase: false,
      queryCacheEnabled: true,
      queryCacheTtl: 5,
      queryCacheMaxKeys: 1000,
    };

    cache = new QueryCache(config);
  });

  it('should cache SELECT operation result', () => {
    const operation: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test@example.com' },
    };

    const data = [{ userPkId: 1, email: 'test@example.com' }];

    // Set cache
    cache.set(operation, data);

    // Get cache
    const cached = cache.get(operation);

    expect(cached).toEqual(data);
  });

  it('should return undefined for cache miss', () => {
    const operation: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test@example.com' },
    };

    const cached = cache.get(operation);

    expect(cached).toBeUndefined();
  });

  it('should not cache non-SELECT operations', () => {
    const operation: SqlClientOperation = {
      operationType: 'insert',
      table: 'user',
      values: { username: 'test' },
    };

    const data = { insertId: 123 };

    cache.set(operation, data);
    const cached = cache.get(operation);

    expect(cached).toBeUndefined();
  });

  it('should generate different cache keys for different operations', () => {
    const operation1: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test1@example.com' },
    };

    const operation2: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test2@example.com' },
    };

    cache.set(operation1, [{ id: 1 }]);
    cache.set(operation2, [{ id: 2 }]);

    const cached1 = cache.get(operation1);
    const cached2 = cache.get(operation2);

    expect(cached1).toEqual([{ id: 1 }]);
    expect(cached2).toEqual([{ id: 2 }]);
  });

  it('should invalidate cache for specific table', () => {
    const operation1: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test@example.com' },
    };

    const operation2: SqlClientOperation = {
      operationType: 'select',
      table: 'project',
      filters: { title: 'Test Project' },
    };

    cache.set(operation1, [{ id: 1 }]);
    cache.set(operation2, [{ id: 2 }]);

    // Invalidate user table
    cache.invalidateTable('user');

    // User cache should be cleared
    expect(cache.get(operation1)).toBeUndefined();

    // Project cache should remain
    expect(cache.get(operation2)).toEqual([{ id: 2 }]);
  });

  it('should invalidate cache for multiple tables', () => {
    const operation1: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test@example.com' },
    };

    const operation2: SqlClientOperation = {
      operationType: 'select',
      table: 'project',
      filters: { title: 'Test Project' },
    };

    const operation3: SqlClientOperation = {
      operationType: 'select',
      table: 'comment',
      filters: { content: 'Test Comment' },
    };

    cache.set(operation1, [{ id: 1 }]);
    cache.set(operation2, [{ id: 2 }]);
    cache.set(operation3, [{ id: 3 }]);

    // Invalidate user and project tables
    cache.invalidateTables(['user', 'project']);

    // User and project caches should be cleared
    expect(cache.get(operation1)).toBeUndefined();
    expect(cache.get(operation2)).toBeUndefined();

    // Comment cache should remain
    expect(cache.get(operation3)).toEqual([{ id: 3 }]);
  });

  it('should track custom tables for invalidation', () => {
    const operation: SqlClientOperation = {
      operationType: 'select',
      custom: {
        customSql: 'SELECT * FROM user JOIN project ON ...',
        customParams: {},
        customTables: ['user', 'project'],
      },
    };

    cache.set(operation, [{ id: 1 }]);

    // Invalidating either table should clear the cache
    cache.invalidateTable('user');

    expect(cache.get(operation)).toBeUndefined();
  });

  it('should clear entire cache', () => {
    const operation1: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test@example.com' },
    };

    const operation2: SqlClientOperation = {
      operationType: 'select',
      table: 'project',
      filters: { title: 'Test Project' },
    };

    cache.set(operation1, [{ id: 1 }]);
    cache.set(operation2, [{ id: 2 }]);

    // Clear all cache
    cache.clear();

    expect(cache.get(operation1)).toBeUndefined();
    expect(cache.get(operation2)).toBeUndefined();
  });

  it('should not cache when caching is disabled', () => {
    const disabledConfig = { ...config, queryCacheEnabled: false };
    const disabledCache = new QueryCache(disabledConfig);

    const operation: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test@example.com' },
    };

    disabledCache.set(operation, [{ id: 1 }]);
    const cached = disabledCache.get(operation);

    expect(cached).toBeUndefined();
  });

  it('should return cache statistics', () => {
    const operation1: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test@example.com' },
    };

    const operation2: SqlClientOperation = {
      operationType: 'select',
      table: 'project',
      filters: { title: 'Test Project' },
    };

    cache.set(operation1, [{ id: 1 }]);
    cache.set(operation2, [{ id: 2 }]);

    // Trigger cache hits and misses
    cache.get(operation1); // Hit
    cache.get(operation1); // Hit
    cache.get({ operationType: 'select', table: 'comment' }); // Miss

    const stats = cache.getStats();

    expect(stats.keys).toBe(2);
    expect(stats.hits).toBeGreaterThan(0);
    expect(stats.misses).toBeGreaterThan(0);
    expect(stats.tables).toBe(2);
  });
});

Version 2 (latest)

import { describe, it, expect, beforeEach } from '@jest/globals';
import { QueryCache } from '../cache/queryCache';
import type { CwcSqlConfig } from '../config';
import type { SqlClientOperation } from 'cwc-backend-utils';

describe('QueryCache', () => {
  let config: CwcSqlConfig;
  let cache: QueryCache;

  beforeEach(() => {
    config = {
      runtimeEnvironment: 'unit',
      isProduction: false,
      isDevelopment: false,
      isTest: false,
      isUnitTest: true,
      isEndToEnd: false,
      servicePort: 5003,
      databaseServer: 'localhost',
      databaseName: 'test',
      databaseUser: 'test',
      databasePassword: 'test',
      databaseConnectTimeout: 10000,
      databaseConnectionAcquireTimeout: 30000,
      databaseConnectionQueueLimit: 1000,
      databaseConnectionLimit: 20,
      sqlClientApiKey: 'test-key',
      debugMode: false,
      logErrorsToDatabase: false,
      queryCacheEnabled: true,
      queryCacheTtl: 5,
      queryCacheMaxKeys: 1000,
    };

    cache = new QueryCache(config);
  });

  it('should cache SELECT operation result', () => {
    const operation: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test@example.com' },
    };

    const data = [{ userPkId: 1, email: 'test@example.com' }];

    // Set cache
    cache.set(operation, data);

    // Get cache
    const cached = cache.get(operation);

    expect(cached).toEqual(data);
  });

  it('should return undefined for cache miss', () => {
    const operation: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test@example.com' },
    };

    const cached = cache.get(operation);

    expect(cached).toBeUndefined();
  });

  it('should not cache non-SELECT operations', () => {
    const operation: SqlClientOperation = {
      operationType: 'insert',
      table: 'user',
      values: { username: 'test' },
    };

    const data = { insertId: 123 };

    cache.set(operation, data);
    const cached = cache.get(operation);

    expect(cached).toBeUndefined();
  });

  it('should generate different cache keys for different operations', () => {
    const operation1: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test1@example.com' },
    };

    const operation2: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test2@example.com' },
    };

    cache.set(operation1, [{ id: 1 }]);
    cache.set(operation2, [{ id: 2 }]);

    const cached1 = cache.get(operation1);
    const cached2 = cache.get(operation2);

    expect(cached1).toEqual([{ id: 1 }]);
    expect(cached2).toEqual([{ id: 2 }]);
  });

  it('should invalidate cache for specific table', () => {
    const operation1: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test@example.com' },
    };

    const operation2: SqlClientOperation = {
      operationType: 'select',
      table: 'project',
      filters: { title: 'Test Project' },
    };

    cache.set(operation1, [{ id: 1 }]);
    cache.set(operation2, [{ id: 2 }]);

    // Invalidate user table
    cache.invalidateTable('user');

    // User cache should be cleared
    expect(cache.get(operation1)).toBeUndefined();

    // Project cache should remain
    expect(cache.get(operation2)).toEqual([{ id: 2 }]);
  });

  it('should invalidate cache for multiple tables', () => {
    const operation1: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test@example.com' },
    };

    const operation2: SqlClientOperation = {
      operationType: 'select',
      table: 'project',
      filters: { title: 'Test Project' },
    };

    const operation3: SqlClientOperation = {
      operationType: 'select',
      table: 'comment',
      filters: { content: 'Test Comment' },
    };

    cache.set(operation1, [{ id: 1 }]);
    cache.set(operation2, [{ id: 2 }]);
    cache.set(operation3, [{ id: 3 }]);

    // Invalidate user and project tables
    cache.invalidateTables(['user', 'project']);

    // User and project caches should be cleared
    expect(cache.get(operation1)).toBeUndefined();
    expect(cache.get(operation2)).toBeUndefined();

    // Comment cache should remain
    expect(cache.get(operation3)).toEqual([{ id: 3 }]);
  });

  it('should track custom tables for invalidation', () => {
    const operation: SqlClientOperation = {
      operationType: 'select',
      custom: {
        customSql: 'SELECT * FROM user JOIN project ON ...',
        customParams: {},
        customTables: ['user', 'project'],
      },
    };

    cache.set(operation, [{ id: 1 }]);

    // Invalidating either table should clear the cache
    cache.invalidateTable('user');

    expect(cache.get(operation)).toBeUndefined();
  });

  it('should clear entire cache', () => {
    const operation1: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test@example.com' },
    };

    const operation2: SqlClientOperation = {
      operationType: 'select',
      table: 'project',
      filters: { title: 'Test Project' },
    };

    cache.set(operation1, [{ id: 1 }]);
    cache.set(operation2, [{ id: 2 }]);

    // Clear all cache
    cache.clear();

    expect(cache.get(operation1)).toBeUndefined();
    expect(cache.get(operation2)).toBeUndefined();
  });

  it('should not cache when caching is disabled', () => {
    const disabledConfig = { ...config, queryCacheEnabled: false };
    const disabledCache = new QueryCache(disabledConfig);

    const operation: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test@example.com' },
    };

    disabledCache.set(operation, [{ id: 1 }]);
    const cached = disabledCache.get(operation);

    expect(cached).toBeUndefined();
  });

  it('should return cache statistics', () => {
    const operation1: SqlClientOperation = {
      operationType: 'select',
      table: 'user',
      filters: { email: 'test@example.com' },
    };

    const operation2: SqlClientOperation = {
      operationType: 'select',
      table: 'project',
      filters: { title: 'Test Project' },
    };

    cache.set(operation1, [{ id: 1 }]);
    cache.set(operation2, [{ id: 2 }]);

    // Trigger cache hits and misses
    cache.get(operation1); // Hit
    cache.get(operation1); // Hit
    cache.get({ operationType: 'select', table: 'comment' }); // Miss

    const stats = cache.getStats();

    expect(stats.keys).toBe(2);
    expect(stats.hits).toBeGreaterThan(0);
    expect(stats.misses).toBeGreaterThan(0);
    expect(stats.tables).toBe(2);
  });
});

packages/cwc-sql/src/auth/verifyToken.ts

import jwt from 'jsonwebtoken';
import type { Request, Response, NextFunction } from 'express';
import type { CwcSqlConfig } from '../config';

/**
 * JWT payload structure for cwc-sql authentication tokens
 */
export type SqlAuthTokenPayload = {
  dataJwtId: string; // UUID v4
  clientName: 'cwc-api' | 'cwc-auth' | 'cwc-admin-api';
  exp: number; // Expiration timestamp
  iat: number; // Issued at timestamp
};

/**
 * Valid client names that can access cwc-sql
 */
const VALID_CLIENT_NAMES = ['cwc-api', 'cwc-auth', 'cwc-admin-api'] as const;

/**
 * Express middleware to verify JWT authentication tokens
 * Extracts token from Authorization header and validates it
 */
export function createVerifyTokenMiddleware(config: CwcSqlConfig) {
  return async function verifyToken(
    req: Request,
    res: Response,
    next: NextFunction
  ): Promise<void> {
    try {
      // Extract Authorization header
      const authHeader = req.headers.authorization;

      if (!authHeader) {
        res.status(401).json({
          success: false,
          error: 'Missing Authorization header',
        });
        return;
      }

      // Check Bearer format
      if (!authHeader.startsWith('Bearer ')) {
        res.status(401).json({
          success: false,
          error: 'Invalid Authorization header format. Expected: Bearer <token>',
        });
        return;
      }

      // Extract token
      const token = authHeader.substring(7); // Remove "Bearer " prefix

      if (!token) {
        res.status(401).json({
          success: false,
          error: 'Missing authentication token',
        });
        return;
      }

      // Verify token signature and expiration
      let decoded: unknown;
      try {
        decoded = jwt.verify(token, config.secrets.sqlClientApiKey, {
          algorithms: ['RS256'], // Only accept RS256 algorithm
        });
      } catch (error) {
        if (error instanceof jwt.TokenExpiredError) {
          res.status(401).json({
            success: false,
            error: 'Authentication token has expired',
          });
          return;
        }

        if (error instanceof jwt.JsonWebTokenError) {
          res.status(401).json({
            success: false,
            error: 'Invalid authentication token',
          });
          return;
        }

        // Unexpected error
        throw error;
      }

      // Validate payload structure
      if (!decoded || typeof decoded !== 'object') {
        res.status(401).json({
          success: false,
          error: 'Invalid token payload',
        });
        return;
      }

      const payload = decoded as Partial<SqlAuthTokenPayload>;

      // Validate required fields
      if (!payload.dataJwtId || typeof payload.dataJwtId !== 'string') {
        res.status(401).json({
          success: false,
          error: 'Invalid token: missing or invalid dataJwtId',
        });
        return;
      }

      if (!payload.clientName || typeof payload.clientName !== 'string') {
        res.status(401).json({
          success: false,
          error: 'Invalid token: missing or invalid clientName',
        });
        return;
      }

      // Validate clientName against whitelist
      if (!VALID_CLIENT_NAMES.includes(payload.clientName as typeof VALID_CLIENT_NAMES[number])) {
        res.status(401).json({
          success: false,
          error: `Invalid token: clientName must be one of: ${VALID_CLIENT_NAMES.join(', ')}`,
        });
        return;
      }

      // Token is valid - attach payload to request for use in handlers
      req.authPayload = payload as SqlAuthTokenPayload;

      if (config.debugMode) {
        console.log(`[cwc-sql] Authenticated request from: ${payload.clientName}`);
      }

      next();
    } catch (error) {
      console.error('[cwc-sql] Token verification error:', error);
      res.status(500).json({
        success: false,
        error: 'Internal authentication error',
      });
    }
  };
}

/**
 * Extend Express Request to include auth payload
 */
declare global {
  namespace Express {
    interface Request {
      authPayload?: SqlAuthTokenPayload;
    }
  }
}

packages/cwc-sql/src/config/config.types.ts

2 versions

Version 1

import type { RuntimeEnvironment } from 'cwc-types';

/**
 * Secret configuration values for cwc-sql
 * These values must be provided via secrets file, never committed to code
 */
export type CwcSqlConfigSecrets = {
  databaseUser: string;
  databasePassword: string;
  sqlClientApiKey: string;
};

/**
 * Configuration for the cwc-sql microservice
 */
export type CwcSqlConfig = {
  // Environment
  runtimeEnvironment: RuntimeEnvironment;
  isProduction: boolean;
  isDevelopment: boolean;
  isTest: boolean;
  isUnitTest: boolean;
  isEndToEnd: boolean;

  // Service
  servicePort: number;

  // Database connection
  databaseServer: string;
  databaseName: string;
  databaseConnectTimeout: number;
  databaseConnectionAcquireTimeout: number;
  databaseConnectionQueueLimit: number;
  databaseConnectionLimit: number;

  // Security
  serviceApiAllowedIps: string[];
  corsOrigin: string;

  // Rate limiting
  rateLimiterPoints: number;
  rateLimiterDuration: number;

  // Debugging
  debugMode: boolean;
  logErrorsToDatabase: boolean;

  // Query caching
  queryCacheEnabled: boolean;
  queryCacheTtl: number;
  queryCacheMaxKeys: number;

  // End-to-end testing mock values
  endToEndMockValues?: Record<string, string>;

  // Secrets (nested)
  secrets: CwcSqlConfigSecrets;
};

Version 2 (latest)

import type { RuntimeEnvironment } from 'cwc-types';

/**
 * Secret configuration values for cwc-sql
 * These values must be provided via secrets file, never committed to code
 */
export type CwcSqlConfigSecrets = {
  databaseUser: string;
  databasePassword: string;
  sqlClientApiKey: string;
};

/**
 * Configuration for the cwc-sql microservice
 */
export type CwcSqlConfig = {
  // Environment
  runtimeEnvironment: RuntimeEnvironment;
  isProduction: boolean;
  isDevelopment: boolean;
  isTest: boolean;
  isUnitTest: boolean;
  isEndToEnd: boolean;

  // Service
  servicePort: number;

  // Database connection
  databaseServer: string;
  databaseName: string;
  databaseConnectTimeout: number;
  databaseConnectionAcquireTimeout: number;
  databaseConnectionQueueLimit: number;
  databaseConnectionLimit: number;

  // Security
  corsOrigin: string;

  // Rate limiting
  rateLimiterPoints: number;
  rateLimiterDuration: number;

  // Debugging
  debugMode: boolean;
  logErrorsToDatabase: boolean;

  // Query caching
  queryCacheEnabled: boolean;
  queryCacheTtl: number;
  queryCacheMaxKeys: number;

  // End-to-end testing mock values
  endToEndMockValues?: Record<string, string>;

  // Secrets (nested)
  secrets: CwcSqlConfigSecrets;
};

packages/cwc-sql/src/config/loadConfig.ts

3 versions

Version 1

import type { RuntimeEnvironment } from 'cwc-types';
import type { CwcSqlConfig } from './config.types';

/**
 * Validates that a required environment variable is present
 */
function requireEnv(name: string): string {
  const value = process.env[name];
  if (value === undefined || value === '') {
    throw new Error(`Missing required environment variable: ${name}`);
  }
  return value;
}

/**
 * Parses an environment variable as a number
 */
function parseNumber(name: string, defaultValue?: number): number {
  const value = process.env[name];
  if (value === undefined || value === '') {
    if (defaultValue !== undefined) {
      return defaultValue;
    }
    throw new Error(`Missing required environment variable: ${name}`);
  }

  const parsed = Number(value);
  if (isNaN(parsed)) {
    throw new Error(`Environment variable ${name} must be a number, got: ${value}`);
  }
  return parsed;
}

/**
 * Parses an environment variable as a boolean (ON/OFF)
 */
function parseBoolean(name: string, defaultValue: boolean = false): boolean {
  const value = process.env[name];
  if (value === undefined || value === '') {
    return defaultValue;
  }

  const upper = value.toUpperCase();
  if (upper === 'ON' || upper === 'TRUE' || upper === '1') {
    return true;
  }
  if (upper === 'OFF' || upper === 'FALSE' || upper === '0') {
    return false;
  }

  throw new Error(`Environment variable ${name} must be ON/OFF, got: ${value}`);
}

/**
 * Parses comma-separated list into array
 */
function parseArray(name: string, defaultValue: string[] = []): string[] {
  const value = process.env[name];
  if (value === undefined || value === '') {
    return defaultValue;
  }

  return value
    .split(',')
    .map((item) => item.trim())
    .filter((item) => item.length > 0);
}

/**
 * Parses multi-line public key from environment variable
 * Environment variables escape newlines as \n, so we need to convert them
 */
function parsePublicKey(name: string): string {
  const value = requireEnv(name);

  // Replace escaped \n with actual newlines
  return value.replace(/\\n/g, '\n');
}

/**
 * Validates runtime environment value
 */
function validateRuntimeEnvironment(value: string): RuntimeEnvironment {
  const validEnvironments = ['dev', 'test', 'prod', 'unit', 'e2e'];
  if (!validEnvironments.includes(value)) {
    throw new Error(
      `Invalid RUNTIME_ENVIRONMENT: ${value}. Must be one of: ${validEnvironments.join(', ')}`
    );
  }
  return value as RuntimeEnvironment;
}

/**
 * Loads and validates configuration from environment variables
 * Caches the configuration on first load
 */
let cachedConfig: CwcSqlConfig | undefined;

export function loadConfig(): CwcSqlConfig {
  // Return cached config if already loaded
  if (cachedConfig) {
    return cachedConfig;
  }

  try {
    // Parse runtime environment
    const runtimeEnvironment = validateRuntimeEnvironment(requireEnv('RUNTIME_ENVIRONMENT'));

    // Derive environment booleans
    const isProduction = runtimeEnvironment === 'prod';
    const isDevelopment = runtimeEnvironment === 'dev';
    const isTest = runtimeEnvironment === 'test';
    const isUnitTest = runtimeEnvironment === 'unit';
    const isEndToEnd = runtimeEnvironment === 'e2e';

    // Parse configuration
    const config: CwcSqlConfig = {
      // Environment
      runtimeEnvironment,
      isProduction,
      isDevelopment,
      isTest,
      isUnitTest,
      isEndToEnd,

      // Service
      servicePort: parseNumber('SERVICE_PORT', 5003),

      // Database connection
      databaseServer: requireEnv('DATABASE_SERVER'),
      databaseName: requireEnv('DATABASE_NAME'),
      databaseConnectTimeout: parseNumber('DATABASE_CONNECT_TIMEOUT'),
      databaseConnectionAcquireTimeout: parseNumber('DATABASE_CONNECTION_ACQUIRE_TIMEOUT'),
      databaseConnectionQueueLimit: parseNumber('DATABASE_CONNECTION_QUEUE_LIMIT'),
      databaseConnectionLimit: parseNumber('DATABASE_CONNECTION_LIMIT'),

      // Security
      serviceApiAllowedIps: parseArray('SERVICE_API_ALLOWED_IPS'),
      corsOrigin: requireEnv('CORS_ORIGIN'),

      // Rate limiting
      // RATE_LIMITER_POINTS: Maximum number of requests allowed per duration
      // RATE_LIMITER_DURATION: Time window in seconds
      // Example: 100 points / 60 seconds = max 100 requests per minute per IP
      rateLimiterPoints: parseNumber('RATE_LIMITER_POINTS', 100),
      rateLimiterDuration: parseNumber('RATE_LIMITER_DURATION', 60),

      // Debugging
      debugMode: parseBoolean('DEBUG_MODE'),
      logErrorsToDatabase: parseBoolean('LOG_ERRORS_TO_DATABASE'),

      // Query caching
      queryCacheEnabled: parseBoolean('QUERY_CACHE_ENABLED'),
      queryCacheTtl: parseNumber('QUERY_CACHE_TTL'),
      queryCacheMaxKeys: parseNumber('QUERY_CACHE_MAX_KEYS'),

      // End-to-end testing (optional, only in e2e environment)
      endToEndMockValues:
        isEndToEnd && process.env['END_TO_END_TESTING_MOCK_VALUES']
          ? JSON.parse(process.env['END_TO_END_TESTING_MOCK_VALUES'])
          : undefined,

      // Secrets (nested)
      secrets: {
        databaseUser: requireEnv('DATABASE_USER'),
        databasePassword: requireEnv('DATABASE_PASSWORD'),
        sqlClientApiKey: parsePublicKey('SQL_CLIENT_API_KEY'),
      },
    };

    // Validate database connection settings
    if (config.databaseConnectTimeout <= 0) {
      throw new Error('DATABASE_CONNECT_TIMEOUT must be greater than 0');
    }
    if (config.databaseConnectionAcquireTimeout <= 0) {
      throw new Error('DATABASE_CONNECTION_ACQUIRE_TIMEOUT must be greater than 0');
    }
    if (config.databaseConnectionQueueLimit <= 0) {
      throw new Error('DATABASE_CONNECTION_QUEUE_LIMIT must be greater than 0');
    }
    if (config.databaseConnectionLimit <= 0) {
      throw new Error('DATABASE_CONNECTION_LIMIT must be greater than 0');
    }

    // Validate cache settings
    if (config.queryCacheEnabled) {
      if (config.queryCacheTtl <= 0) {
        throw new Error('QUERY_CACHE_TTL must be greater than 0');
      }
      if (config.queryCacheMaxKeys <= 0) {
        throw new Error('QUERY_CACHE_MAX_KEYS must be greater than 0');
      }
    }

    // Validate port
    if (config.servicePort < 1 || config.servicePort > 65535) {
      throw new Error('SERVICE_PORT must be between 1 and 65535');
    }

    // Cache the configuration
    cachedConfig = config;

    // Log configuration in debug mode (redact sensitive data)
    if (config.debugMode) {
      console.log('[cwc-sql] Configuration loaded:');
      console.log(`  Environment: ${config.runtimeEnvironment}`);
      console.log(`  Service Port: ${config.servicePort}`);
      console.log(`  Database Server: ${config.databaseServer}`);
      console.log(`  Database Name: ${config.databaseName}`);
      console.log(`  Database User: [REDACTED]`);
      console.log(`  Database Password: [REDACTED]`);
      console.log(`  Database Connect Timeout: ${config.databaseConnectTimeout}ms`);
      console.log(`  Database Connection Acquire Timeout: ${config.databaseConnectionAcquireTimeout}ms`);
      console.log(`  Database Connection Queue Limit: ${config.databaseConnectionQueueLimit}`);
      console.log(`  Database Connection Limit: ${config.databaseConnectionLimit}`);
      console.log(`  Authentication Public Key: [REDACTED]`);
      console.log(`  Allowed IPs: ${config.serviceApiAllowedIps.length > 0 ? config.serviceApiAllowedIps.join(', ') : 'all'}`);
      console.log(`  Debug Mode: ${config.debugMode}`);
      console.log(`  Log Errors to Database: ${config.logErrorsToDatabase}`);
      console.log(`  Query Cache Enabled: ${config.queryCacheEnabled}`);
      if (config.queryCacheEnabled) {
        console.log(`  Query Cache TTL: ${config.queryCacheTtl} minutes`);
        console.log(`  Query Cache Max Keys: ${config.queryCacheMaxKeys}`);
      }
    }

    return config;
  } catch (error) {
    console.error('[cwc-sql] Failed to load configuration:');
    if (error instanceof Error) {
      console.error(`  ${error.message}`);
    } else {
      console.error(error);
    }
    console.error('\nPlease check your environment variables and try again.');
    process.exit(1);
  }
}

Version 2

import type { RuntimeEnvironment } from 'cwc-types';
import type { CwcSqlConfig } from './config.types';

/**
 * Validates that a required environment variable is present
 */
function requireEnv(name: string): string {
  const value = process.env[name];
  if (value === undefined || value === '') {
    throw new Error(`Missing required environment variable: ${name}`);
  }
  return value;
}

/**
 * Parses an environment variable as a number
 */
function parseNumber(name: string, defaultValue?: number): number {
  const value = process.env[name];
  if (value === undefined || value === '') {
    if (defaultValue !== undefined) {
      return defaultValue;
    }
    throw new Error(`Missing required environment variable: ${name}`);
  }

  const parsed = Number(value);
  if (isNaN(parsed)) {
    throw new Error(`Environment variable ${name} must be a number, got: ${value}`);
  }
  return parsed;
}

/**
 * Parses an environment variable as a boolean (ON/OFF)
 */
function parseBoolean(name: string, defaultValue: boolean = false): boolean {
  const value = process.env[name];
  if (value === undefined || value === '') {
    return defaultValue;
  }

  const upper = value.toUpperCase();
  if (upper === 'ON' || upper === 'TRUE' || upper === '1') {
    return true;
  }
  if (upper === 'OFF' || upper === 'FALSE' || upper === '0') {
    return false;
  }

  throw new Error(`Environment variable ${name} must be ON/OFF, got: ${value}`);
}

/**
 * Parses comma-separated list into array
 */
function parseArray(name: string, defaultValue: string[] = []): string[] {
  const value = process.env[name];
  if (value === undefined || value === '') {
    return defaultValue;
  }

  return value
    .split(',')
    .map((item) => item.trim())
    .filter((item) => item.length > 0);
}

/**
 * Parses multi-line public key from environment variable
 * Environment variables escape newlines as \n, so we need to convert them
 */
function parsePublicKey(name: string): string {
  const value = requireEnv(name);

  // Replace escaped \n with actual newlines
  return value.replace(/\\n/g, '\n');
}

/**
 * Validates runtime environment value
 */
function validateRuntimeEnvironment(value: string): RuntimeEnvironment {
  const validEnvironments = ['dev', 'test', 'prod', 'unit', 'e2e'];
  if (!validEnvironments.includes(value)) {
    throw new Error(
      `Invalid RUNTIME_ENVIRONMENT: ${value}. Must be one of: ${validEnvironments.join(', ')}`
    );
  }
  return value as RuntimeEnvironment;
}

/**
 * Loads and validates configuration from environment variables
 * Caches the configuration on first load
 */
let cachedConfig: CwcSqlConfig | undefined;

export function loadConfig(): CwcSqlConfig {
  // Return cached config if already loaded
  if (cachedConfig) {
    return cachedConfig;
  }

  try {
    // Parse runtime environment
    const runtimeEnvironment = validateRuntimeEnvironment(requireEnv('RUNTIME_ENVIRONMENT'));

    // Derive environment booleans
    const isProduction = runtimeEnvironment === 'prod';
    const isDevelopment = runtimeEnvironment === 'dev';
    const isTest = runtimeEnvironment === 'test';
    const isUnitTest = runtimeEnvironment === 'unit';
    const isEndToEnd = runtimeEnvironment === 'e2e';

    // Parse configuration
    const config: CwcSqlConfig = {
      // Environment
      runtimeEnvironment,
      isProduction,
      isDevelopment,
      isTest,
      isUnitTest,
      isEndToEnd,

      // Service
      servicePort: parseNumber('SERVICE_PORT', 5003),

      // Database connection
      databaseServer: requireEnv('DATABASE_SERVER'),
      databaseName: requireEnv('DATABASE_NAME'),
      databaseConnectTimeout: parseNumber('DATABASE_CONNECT_TIMEOUT'),
      databaseConnectionAcquireTimeout: parseNumber('DATABASE_CONNECTION_ACQUIRE_TIMEOUT'),
      databaseConnectionQueueLimit: parseNumber('DATABASE_CONNECTION_QUEUE_LIMIT'),
      databaseConnectionLimit: parseNumber('DATABASE_CONNECTION_LIMIT'),

      // Security
      serviceApiAllowedIps: parseArray('SERVICE_API_ALLOWED_IPS'),
      corsOrigin: requireEnv('CORS_ORIGIN'),

      // Rate limiting
      // RATE_LIMITER_POINTS: Maximum number of requests allowed per duration
      // RATE_LIMITER_DURATION: Time window in seconds
      // Example: 100 points / 60 seconds = max 100 requests per minute per IP
      rateLimiterPoints: parseNumber('RATE_LIMITER_POINTS', 100),
      rateLimiterDuration: parseNumber('RATE_LIMITER_DURATION', 60),

      // Debugging
      debugMode: parseBoolean('DEBUG_MODE'),
      logErrorsToDatabase: parseBoolean('LOG_ERRORS_TO_DATABASE'),

      // Query caching
      queryCacheEnabled: parseBoolean('QUERY_CACHE_ENABLED'),
      queryCacheTtl: parseNumber('QUERY_CACHE_TTL'),
      queryCacheMaxKeys: parseNumber('QUERY_CACHE_MAX_KEYS'),

      // End-to-end testing (optional, only in e2e environment)
      endToEndMockValues:
        isEndToEnd && process.env['END_TO_END_TESTING_MOCK_VALUES']
          ? JSON.parse(process.env['END_TO_END_TESTING_MOCK_VALUES'])
          : undefined,

      // Secrets (nested)
      secrets: {
        databaseUser: requireEnv('DATABASE_USER'),
        databasePassword: requireEnv('DATABASE_PASSWORD'),
        sqlClientApiKey: parsePublicKey('SQL_CLIENT_API_KEY'),
      },
    };

    // Validate database connection settings
    if (config.databaseConnectTimeout <= 0) {
      throw new Error('DATABASE_CONNECT_TIMEOUT must be greater than 0');
    }
    if (config.databaseConnectionAcquireTimeout <= 0) {
      throw new Error('DATABASE_CONNECTION_ACQUIRE_TIMEOUT must be greater than 0');
    }
    if (config.databaseConnectionQueueLimit <= 0) {
      throw new Error('DATABASE_CONNECTION_QUEUE_LIMIT must be greater than 0');
    }
    if (config.databaseConnectionLimit <= 0) {
      throw new Error('DATABASE_CONNECTION_LIMIT must be greater than 0');
    }

    // Validate cache settings
    if (config.queryCacheEnabled) {
      if (config.queryCacheTtl <= 0) {
        throw new Error('QUERY_CACHE_TTL must be greater than 0');
      }
      if (config.queryCacheMaxKeys <= 0) {
        throw new Error('QUERY_CACHE_MAX_KEYS must be greater than 0');
      }
    }

    // Validate port
    if (config.servicePort < 1 || config.servicePort > 65535) {
      throw new Error('SERVICE_PORT must be between 1 and 65535');
    }

    // Cache the configuration
    cachedConfig = config;

    // Log configuration in debug mode (redact sensitive data)
    if (config.debugMode) {
      console.log('[cwc-sql] Configuration loaded:');
      console.log(`  Environment: ${config.runtimeEnvironment}`);
      console.log(`  Service Port: ${config.servicePort}`);
      console.log(`  Database Server: ${config.databaseServer}`);
      console.log(`  Database Name: ${config.databaseName}`);
      console.log(`  Database User: [REDACTED]`);
      console.log(`  Database Password: [REDACTED]`);
      console.log(`  Database Connect Timeout: ${config.databaseConnectTimeout}ms`);
      console.log(`  Database Connection Acquire Timeout: ${config.databaseConnectionAcquireTimeout}ms`);
      console.log(`  Database Connection Queue Limit: ${config.databaseConnectionQueueLimit}`);
      console.log(`  Database Connection Limit: ${config.databaseConnectionLimit}`);
      console.log(`  SQL Client API Key: [REDACTED]`);
      console.log(`  Allowed IPs: ${config.serviceApiAllowedIps.length > 0 ? config.serviceApiAllowedIps.join(', ') : 'all'}`);
      console.log(`  Debug Mode: ${config.debugMode}`);
      console.log(`  Log Errors to Database: ${config.logErrorsToDatabase}`);
      console.log(`  Query Cache Enabled: ${config.queryCacheEnabled}`);
      if (config.queryCacheEnabled) {
        console.log(`  Query Cache TTL: ${config.queryCacheTtl} minutes`);
        console.log(`  Query Cache Max Keys: ${config.queryCacheMaxKeys}`);
      }
    }

    return config;
  } catch (error) {
    console.error('[cwc-sql] Failed to load configuration:');
    if (error instanceof Error) {
      console.error(`  ${error.message}`);
    } else {
      console.error(error);
    }
    console.error('\nPlease check your environment variables and try again.');
    process.exit(1);
  }
}

Version 3 (latest)

import type { RuntimeEnvironment } from 'cwc-types';
import type { CwcSqlConfig } from './config.types';

/**
 * Validates that a required environment variable is present
 */
function requireEnv(name: string): string {
  const value = process.env[name];
  if (value === undefined || value === '') {
    throw new Error(`Missing required environment variable: ${name}`);
  }
  return value;
}

/**
 * Parses an environment variable as a number
 */
function parseNumber(name: string, defaultValue?: number): number {
  const value = process.env[name];
  if (value === undefined || value === '') {
    if (defaultValue !== undefined) {
      return defaultValue;
    }
    throw new Error(`Missing required environment variable: ${name}`);
  }

  const parsed = Number(value);
  if (isNaN(parsed)) {
    throw new Error(`Environment variable ${name} must be a number, got: ${value}`);
  }
  return parsed;
}

/**
 * Parses an environment variable as a boolean (ON/OFF)
 */
function parseBoolean(name: string, defaultValue: boolean = false): boolean {
  const value = process.env[name];
  if (value === undefined || value === '') {
    return defaultValue;
  }

  const upper = value.toUpperCase();
  if (upper === 'ON' || upper === 'TRUE' || upper === '1') {
    return true;
  }
  if (upper === 'OFF' || upper === 'FALSE' || upper === '0') {
    return false;
  }

  throw new Error(`Environment variable ${name} must be ON/OFF, got: ${value}`);
}

/**
 * Parses multi-line public key from environment variable
 * Environment variables escape newlines as \n, so we need to convert them
 */
function parsePublicKey(name: string): string {
  const value = requireEnv(name);

  // Replace escaped \n with actual newlines
  return value.replace(/\\n/g, '\n');
}

/**
 * Validates runtime environment value
 */
function validateRuntimeEnvironment(value: string): RuntimeEnvironment {
  const validEnvironments = ['dev', 'test', 'prod', 'unit', 'e2e'];
  if (!validEnvironments.includes(value)) {
    throw new Error(
      `Invalid RUNTIME_ENVIRONMENT: ${value}. Must be one of: ${validEnvironments.join(', ')}`
    );
  }
  return value as RuntimeEnvironment;
}

/**
 * Loads and validates configuration from environment variables
 * Caches the configuration on first load
 */
let cachedConfig: CwcSqlConfig | undefined;

export function loadConfig(): CwcSqlConfig {
  // Return cached config if already loaded
  if (cachedConfig) {
    return cachedConfig;
  }

  try {
    // Parse runtime environment
    const runtimeEnvironment = validateRuntimeEnvironment(requireEnv('RUNTIME_ENVIRONMENT'));

    // Derive environment booleans
    const isProduction = runtimeEnvironment === 'prod';
    const isDevelopment = runtimeEnvironment === 'dev';
    const isTest = runtimeEnvironment === 'test';
    const isUnitTest = runtimeEnvironment === 'unit';
    const isEndToEnd = runtimeEnvironment === 'e2e';

    // Parse configuration
    const config: CwcSqlConfig = {
      // Environment
      runtimeEnvironment,
      isProduction,
      isDevelopment,
      isTest,
      isUnitTest,
      isEndToEnd,

      // Service
      servicePort: parseNumber('SERVICE_PORT', 5003),

      // Database connection
      databaseServer: requireEnv('DATABASE_SERVER'),
      databaseName: requireEnv('DATABASE_NAME'),
      databaseConnectTimeout: parseNumber('DATABASE_CONNECT_TIMEOUT'),
      databaseConnectionAcquireTimeout: parseNumber('DATABASE_CONNECTION_ACQUIRE_TIMEOUT'),
      databaseConnectionQueueLimit: parseNumber('DATABASE_CONNECTION_QUEUE_LIMIT'),
      databaseConnectionLimit: parseNumber('DATABASE_CONNECTION_LIMIT'),

      // Security
      corsOrigin: requireEnv('CORS_ORIGIN'),

      // Rate limiting
      // RATE_LIMITER_POINTS: Maximum number of requests allowed per duration
      // RATE_LIMITER_DURATION: Time window in seconds
      // Example: 100 points / 60 seconds = max 100 requests per minute per IP
      rateLimiterPoints: parseNumber('RATE_LIMITER_POINTS', 100),
      rateLimiterDuration: parseNumber('RATE_LIMITER_DURATION', 60),

      // Debugging
      debugMode: parseBoolean('DEBUG_MODE'),
      logErrorsToDatabase: parseBoolean('LOG_ERRORS_TO_DATABASE'),

      // Query caching
      queryCacheEnabled: parseBoolean('QUERY_CACHE_ENABLED'),
      queryCacheTtl: parseNumber('QUERY_CACHE_TTL'),
      queryCacheMaxKeys: parseNumber('QUERY_CACHE_MAX_KEYS'),

      // End-to-end testing (optional, only in e2e environment)
      endToEndMockValues:
        isEndToEnd && process.env['END_TO_END_TESTING_MOCK_VALUES']
          ? JSON.parse(process.env['END_TO_END_TESTING_MOCK_VALUES'])
          : undefined,

      // Secrets (nested)
      secrets: {
        databaseUser: requireEnv('DATABASE_USER'),
        databasePassword: requireEnv('DATABASE_PASSWORD'),
        sqlClientApiKey: parsePublicKey('SQL_CLIENT_API_KEY'),
      },
    };

    // Validate database connection settings
    if (config.databaseConnectTimeout <= 0) {
      throw new Error('DATABASE_CONNECT_TIMEOUT must be greater than 0');
    }
    if (config.databaseConnectionAcquireTimeout <= 0) {
      throw new Error('DATABASE_CONNECTION_ACQUIRE_TIMEOUT must be greater than 0');
    }
    if (config.databaseConnectionQueueLimit <= 0) {
      throw new Error('DATABASE_CONNECTION_QUEUE_LIMIT must be greater than 0');
    }
    if (config.databaseConnectionLimit <= 0) {
      throw new Error('DATABASE_CONNECTION_LIMIT must be greater than 0');
    }

    // Validate cache settings
    if (config.queryCacheEnabled) {
      if (config.queryCacheTtl <= 0) {
        throw new Error('QUERY_CACHE_TTL must be greater than 0');
      }
      if (config.queryCacheMaxKeys <= 0) {
        throw new Error('QUERY_CACHE_MAX_KEYS must be greater than 0');
      }
    }

    // Validate port
    if (config.servicePort < 1 || config.servicePort > 65535) {
      throw new Error('SERVICE_PORT must be between 1 and 65535');
    }

    // Cache the configuration
    cachedConfig = config;

    // Log configuration in debug mode (redact sensitive data)
    if (config.debugMode) {
      console.log('[cwc-sql] Configuration loaded:');
      console.log(`  Environment: ${config.runtimeEnvironment}`);
      console.log(`  Service Port: ${config.servicePort}`);
      console.log(`  Database Server: ${config.databaseServer}`);
      console.log(`  Database Name: ${config.databaseName}`);
      console.log(`  Database User: [REDACTED]`);
      console.log(`  Database Password: [REDACTED]`);
      console.log(`  Database Connect Timeout: ${config.databaseConnectTimeout}ms`);
      console.log(`  Database Connection Acquire Timeout: ${config.databaseConnectionAcquireTimeout}ms`);
      console.log(`  Database Connection Queue Limit: ${config.databaseConnectionQueueLimit}`);
      console.log(`  Database Connection Limit: ${config.databaseConnectionLimit}`);
      console.log(`  SQL Client API Key: [REDACTED]`);
      console.log(`  Debug Mode: ${config.debugMode}`);
      console.log(`  Log Errors to Database: ${config.logErrorsToDatabase}`);
      console.log(`  Query Cache Enabled: ${config.queryCacheEnabled}`);
      if (config.queryCacheEnabled) {
        console.log(`  Query Cache TTL: ${config.queryCacheTtl} minutes`);
        console.log(`  Query Cache Max Keys: ${config.queryCacheMaxKeys}`);
      }
    }

    return config;
  } catch (error) {
    console.error('[cwc-sql] Failed to load configuration:');
    if (error instanceof Error) {
      console.error(`  ${error.message}`);
    } else {
      console.error(error);
    }
    console.error('\nPlease check your environment variables and try again.');
    process.exit(1);
  }
}

packages/cwc-sql/src/index.ts

2 versions

Version 1

import {
  loadDotEnv,
  createExpressService,
  type ExpressApi,
  type BackendUtilsConfigBasic,
} from 'cwc-backend-utils';
import type { RuntimeEnvironment } from 'cwc-types';
import type { Request, Response } from 'express';
import type { CwcSqlConfig } from './config';
import { loadConfig } from './config';
import { createPool, testConnection, closePool } from './database';
import { createVerifyTokenMiddleware } from './auth';
import { QueryCache } from './cache';
import { createCommandHandler } from './handlers';
import { logErrorToDatabase } from './errorLogger';

/**
 * Converts CwcSqlConfig to BackendUtilsConfigBasic for createExpressService
 */
function createBackendUtilsConfig(sqlConfig: CwcSqlConfig): BackendUtilsConfigBasic {
  return {
    debugMode: sqlConfig.debugMode,
    isDevelopment: sqlConfig.isDevelopment,
    isTest: sqlConfig.isTest,
    isProduction: sqlConfig.isProduction,
    isUnitTest: sqlConfig.isUnitTest,
    isEndToEnd: sqlConfig.isEndToEnd,
    corsOrigin: sqlConfig.corsOrigin,
    servicePort: sqlConfig.servicePort,
    rateLimiterPoints: sqlConfig.rateLimiterPoints,
    rateLimiterDuration: sqlConfig.rateLimiterDuration,
    devMachines: undefined,
    devCorsOrigin: sqlConfig.isDevelopment ? sqlConfig.corsOrigin : '',
    endToEndMockValues: sqlConfig.endToEndMockValues,
  };
}

/**
 * Health check endpoint for load balancers and monitoring
 */
function healthHandler(_req: Request, res: Response): void {
  res.json({
    status: 'healthy',
    service: 'cwc-sql',
    timestamp: new Date().toISOString(),
  });
}

/**
 * Main entry point for the cwc-sql microservice
 */
async function main(): Promise<void> {
  try {
    console.log('[cwc-sql] Starting cwc-sql microservice...');

    // Load environment variables
    loadDotEnv({
      serviceName: 'cwc-sql',
      environment: (process.env['RUNTIME_ENVIRONMENT'] as RuntimeEnvironment) || 'dev',
      debug: process.env['DEBUG_MODE'] === 'ON',
    });

    // Load and validate configuration
    const config = loadConfig();

    console.log('[cwc-sql] Configuration loaded successfully');

    // Create database connection pool
    createPool(config);

    console.log('[cwc-sql] Database connection pool created');

    // Test database connection
    await testConnection(config);

    console.log('[cwc-sql] Database connection test successful');

    // Create query cache
    const cache = new QueryCache(config);

    console.log('[cwc-sql] Query cache initialized');

    // Create JWT verification middleware
    const verifyToken = createVerifyTokenMiddleware(config);

    // Create command handler
    const commandHandler = createCommandHandler(cache, config);

    // Define API routes
    const apis: ExpressApi[] = [
      {
        version: 1,
        path: '/health',
        handler: healthHandler,
      },
      {
        version: 1,
        path: '/data/v1/command',
        handler: commandHandler,
      },
    ];

    // Create Express service
    const service = createExpressService({
      config: createBackendUtilsConfig(config),
      serviceName: 'cwc-sql',
      apis,
      allowGet: false,
      allowPost: true,
      allowOptions: true,
      payloadLimit: undefined,
    });

    // Apply JWT verification middleware to all routes
    service.expressApp.use(verifyToken);

    // Start the service
    service.start(apis);

    // Listen on configured port
    service.httpServer.listen(config.servicePort, () => {
      console.log('');
      console.log('='.repeat(60));
      console.log(`[cwc-sql] Service started successfully`);
      console.log(`[cwc-sql] Environment: ${config.runtimeEnvironment}`);
      console.log(`[cwc-sql] Port: ${config.servicePort}`);
      console.log(`[cwc-sql] Database: ${config.databaseServer}/${config.databaseName}`);
      console.log(`[cwc-sql] Cache: ${config.queryCacheEnabled ? 'enabled' : 'disabled'}`);
      console.log(`[cwc-sql] Debug: ${config.debugMode ? 'enabled' : 'disabled'}`);
      console.log('='.repeat(60));
      console.log('');
    });

    // Handle graceful shutdown
    const shutdown = async (signal: string): Promise<void> => {
      console.log(`\n[cwc-sql] Received ${signal}, shutting down gracefully...`);

      try {
        // Close HTTP server
        await new Promise<void>((resolve, reject) => {
          service.httpServer.close((err) => {
            if (err) {
              reject(err);
            } else {
              resolve();
            }
          });
        });

        console.log('[cwc-sql] HTTP server closed');

        // Close database pool
        await closePool();

        console.log('[cwc-sql] Database pool closed');

        console.log('[cwc-sql] Shutdown complete');
        process.exit(0);
      } catch (error) {
        console.error('[cwc-sql] Error during shutdown:', error);
        process.exit(1);
      }
    };

    // Register shutdown handlers
    process.on('SIGTERM', () => shutdown('SIGTERM'));
    process.on('SIGINT', () => shutdown('SIGINT'));

    // Handle uncaught errors
    process.on('unhandledRejection', async (reason, promise) => {
      console.error('[cwc-sql] Unhandled Rejection at:', promise, 'reason:', reason);

      // Log to database if enabled
      if (config.logErrorsToDatabase) {
        try {
          const error = reason instanceof Error ? reason : new Error(String(reason));
          await logErrorToDatabase(error, 'index.ts:unhandledRejection', undefined, config);
        } catch (logError) {
          console.error('[cwc-sql] Failed to log unhandled rejection to database:', logError);
        }
      }

      // Don't exit on unhandled rejection in production
      if (!config.isProduction) {
        process.exit(1);
      }
    });

    process.on('uncaughtException', async (error) => {
      console.error('[cwc-sql] Uncaught Exception:', error);

      // Log to database if enabled
      if (config.logErrorsToDatabase) {
        try {
          await logErrorToDatabase(error, 'index.ts:uncaughtException', undefined, config);
        } catch (logError) {
          console.error('[cwc-sql] Failed to log uncaught exception to database:', logError);
        }
      }

      // Always exit on uncaught exception
      process.exit(1);
    });
  } catch (error) {
    console.error('[cwc-sql] Failed to start service:', error);
    process.exit(1);
  }
}

// Start the service
main();

Version 2 (latest)

import {
  loadDotEnv,
  createExpressService,
  type ExpressApi,
  type BackendUtilsConfigBasic,
} from 'cwc-backend-utils';
import type { RuntimeEnvironment } from 'cwc-types';
import type { Request, Response } from 'express';
import type { CwcSqlConfig } from './config';
import { loadConfig } from './config';
import { createPool, testConnection, closePool } from './database';
import { createVerifyTokenMiddleware } from './auth';
import { QueryCache } from './cache';
import { createCommandHandler } from './handlers';
import { logErrorToDatabase } from './errorLogger';

/**
 * Converts CwcSqlConfig to BackendUtilsConfigBasic for createExpressService
 */
function createBackendUtilsConfig(sqlConfig: CwcSqlConfig): BackendUtilsConfigBasic {
  return {
    debugMode: sqlConfig.debugMode,
    isDevelopment: sqlConfig.isDevelopment,
    isTest: sqlConfig.isTest,
    isProduction: sqlConfig.isProduction,
    isUnitTest: sqlConfig.isUnitTest,
    isEndToEnd: sqlConfig.isEndToEnd,
    corsOrigin: sqlConfig.corsOrigin,
    servicePort: sqlConfig.servicePort,
    rateLimiterPoints: sqlConfig.rateLimiterPoints,
    rateLimiterDuration: sqlConfig.rateLimiterDuration,
    devCorsOrigin: sqlConfig.isDevelopment ? sqlConfig.corsOrigin : '',
    endToEndMockValues: sqlConfig.endToEndMockValues,
  };
}

/**
 * Health check endpoint for load balancers and monitoring
 */
function healthHandler(_req: Request, res: Response): void {
  res.json({
    status: 'healthy',
    service: 'cwc-sql',
    timestamp: new Date().toISOString(),
  });
}

/**
 * Main entry point for the cwc-sql microservice
 */
async function main(): Promise<void> {
  try {
    console.log('[cwc-sql] Starting cwc-sql microservice...');

    // Load environment variables
    loadDotEnv({
      serviceName: 'cwc-sql',
      environment: (process.env['RUNTIME_ENVIRONMENT'] as RuntimeEnvironment) || 'dev',
      debug: process.env['DEBUG_MODE'] === 'ON',
    });

    // Load and validate configuration
    const config = loadConfig();

    console.log('[cwc-sql] Configuration loaded successfully');

    // Create database connection pool
    createPool(config);

    console.log('[cwc-sql] Database connection pool created');

    // Test database connection
    await testConnection(config);

    console.log('[cwc-sql] Database connection test successful');

    // Create query cache
    const cache = new QueryCache(config);

    console.log('[cwc-sql] Query cache initialized');

    // Create JWT verification middleware
    const verifyToken = createVerifyTokenMiddleware(config);

    // Create command handler
    const commandHandler = createCommandHandler(cache, config);

    // Define API routes
    const apis: ExpressApi[] = [
      {
        version: 1,
        path: '/health',
        handler: healthHandler,
      },
      {
        version: 1,
        path: '/data/v1/command',
        handler: commandHandler,
      },
    ];

    // Create Express service
    const service = createExpressService({
      config: createBackendUtilsConfig(config),
      serviceName: 'cwc-sql',
      apis,
      allowGet: false,
      allowPost: true,
      allowOptions: true,
      payloadLimit: undefined,
    });

    // Apply JWT verification middleware to all routes
    service.expressApp.use(verifyToken);

    // Start the service
    service.start(apis);

    // Listen on configured port
    service.httpServer.listen(config.servicePort, () => {
      console.log('');
      console.log('='.repeat(60));
      console.log(`[cwc-sql] Service started successfully`);
      console.log(`[cwc-sql] Environment: ${config.runtimeEnvironment}`);
      console.log(`[cwc-sql] Port: ${config.servicePort}`);
      console.log(`[cwc-sql] Database: ${config.databaseServer}/${config.databaseName}`);
      console.log(`[cwc-sql] Cache: ${config.queryCacheEnabled ? 'enabled' : 'disabled'}`);
      console.log(`[cwc-sql] Debug: ${config.debugMode ? 'enabled' : 'disabled'}`);
      console.log('='.repeat(60));
      console.log('');
    });

    // Handle graceful shutdown
    const shutdown = async (signal: string): Promise<void> => {
      console.log(`\n[cwc-sql] Received ${signal}, shutting down gracefully...`);

      try {
        // Close HTTP server
        await new Promise<void>((resolve, reject) => {
          service.httpServer.close((err) => {
            if (err) {
              reject(err);
            } else {
              resolve();
            }
          });
        });

        console.log('[cwc-sql] HTTP server closed');

        // Close database pool
        await closePool();

        console.log('[cwc-sql] Database pool closed');

        console.log('[cwc-sql] Shutdown complete');
        process.exit(0);
      } catch (error) {
        console.error('[cwc-sql] Error during shutdown:', error);
        process.exit(1);
      }
    };

    // Register shutdown handlers
    process.on('SIGTERM', () => shutdown('SIGTERM'));
    process.on('SIGINT', () => shutdown('SIGINT'));

    // Handle uncaught errors
    process.on('unhandledRejection', async (reason, promise) => {
      console.error('[cwc-sql] Unhandled Rejection at:', promise, 'reason:', reason);

      // Log to database if enabled
      if (config.logErrorsToDatabase) {
        try {
          const error = reason instanceof Error ? reason : new Error(String(reason));
          await logErrorToDatabase(error, 'index.ts:unhandledRejection', undefined, config);
        } catch (logError) {
          console.error('[cwc-sql] Failed to log unhandled rejection to database:', logError);
        }
      }

      // Don't exit on unhandled rejection in production
      if (!config.isProduction) {
        process.exit(1);
      }
    });

    process.on('uncaughtException', async (error) => {
      console.error('[cwc-sql] Uncaught Exception:', error);

      // Log to database if enabled
      if (config.logErrorsToDatabase) {
        try {
          await logErrorToDatabase(error, 'index.ts:uncaughtException', undefined, config);
        } catch (logError) {
          console.error('[cwc-sql] Failed to log uncaught exception to database:', logError);
        }
      }

      // Always exit on uncaught exception
      process.exit(1);
    });
  } catch (error) {
    console.error('[cwc-sql] Failed to start service:', error);
    process.exit(1);
  }
}

// Start the service
main();

packages/cwc-storage/CLAUDE.md

2 versions

Version 1

cwc-storage Package

File storage microservice for CWC application. Provides filesystem-based storage for coding session data files organized by project.

Architecture

Standalone Microservice:

Does NOT use database (no SqlClient dependency)
Uses file-based Logger (writes to ./logs/{date}.log)
Authenticates via API key (x-api-key header)
Uses BackendUtilsConfigBasic (not full BackendUtilsConfig)

Storage Model:

Files organized by projectId directories
Path: {STORAGE_VOLUME_PATH}/{projectId}/{filename}
Validates filenames to prevent path traversal attacks

Directory Structure:

{STORAGE_VOLUME_PATH}/
├── {projectId}/                                           # Project natural key/slug
│   ├── 2025-11-19_17-16-35_abc123-def456.json.gz         # {timestamp}_{sessionId}.json.gz
│   ├── 2025-11-20_09-30-00_xyz789-uvw012.json.gz
│   └── ...
├── another-project/
│   └── ...

Configuration Pattern

Follows cwc-sql pattern:

Config in src/config/ folder with 3 files:
- config.types.ts - CwcStorageConfig type definition
- loadConfig.ts - Loads and validates from environment
- index.ts - Exports
Uses shared helpers from cwc-backend-utils:
- requireEnv(), optionalEnv(), parseNumber(), parseBoolean(), parseJson()
Adapter function converts to BackendUtilsConfigBasic for Express service

Required Environment Variables:

RUNTIME_ENVIRONMENT=dev  # dev | test | prod | unit | e2e
SERVICE_PORT=5030
CORS_ORIGIN=http://localhost:3000
STORAGE_API_KEY=your-secret-api-key
RATE_LIMITER_POINTS=15
RATE_LIMITER_DURATION=1
STORAGE_VOLUME_PATH=/path/to/storage
LOG_PATH=./logs
DEBUG_MODE=ON  # ON | OFF
DEV_CORS_ORIGIN=

API Routes

All routes require x-api-key header and use POST method.

Route	Description	Payload
`/storage/v1/coding-session-data-get`	Retrieve session file	`{ projectId, filename }`
`/storage/v1/coding-session-data-put`	Store session file	`{ projectId, filename, dataUri }`
`/storage/v1/coding-session-data-delete`	Delete session file	`{ projectId, filename }`

Example Usage:

// PUT a session-data file
{
  projectId: "coding-with-claude",
  filename: "2025-11-19_17-16-35_abc123-def456.json.gz",
  dataUri: "<base64-encoded-gzipped-json>"
}

// GET a session-data file
{
  projectId: "coding-with-claude",
  filename: "2025-11-19_17-16-35_abc123-def456.json.gz"
}

Security

API Key Authentication:

Uses constant-time comparison (crypto.timingSafeEqual) to prevent timing attacks
API key required in x-api-key header for all requests

HTTPS Enforcement:

Only required in production (isProduction: true)
Checks x-forwarded-proto header for proxy/load balancer scenarios

Filename Validation:

Rejects filenames with /, \, or ..
Prevents path traversal attacks

File-Based Logger

Different from cwc-backend-utils Logger:

Writes to filesystem ({logPath}/{YYYY-MM-DD}.log)
Does NOT write to database (cwc-storage has no DB access)
Supports ERROR, INFO, DEBUG levels
DEBUG only outputs when debugMode: true

Dependency Injection Pattern

Config passed to constructors (not imported globally):

// index.ts
const config = loadConfig();
const apis: ExpressApi[] = [new StorageApiV1(config)];

// StorageApiV1 passes config to handlers
const handlerFactories = {
  storage: () => new StorageHandler(handlerOptions, this.config),
};

// Routes receive config for storage functions
export const getRoutes = (config: CwcStorageConfig): StorageRouteConfigs => ({
  '/coding-session-data-get': {
    worker: createGetFromStorage(config),
    // ...
  },
});

Related Packages

Depends On:

cwc-backend-utils (workspace) - Express service factory, config helpers, loadDotEnv
cwc-types (workspace) - RuntimeEnvironment type
express - Web framework

Does NOT Depend On:

cwc-sql - No database access
SqlClient - No database queries

Version 2 (latest)

cwc-storage Package

File storage microservice for CWC application. Provides filesystem-based storage for coding session data files organized by project.

Architecture

Standalone Microservice:

Does NOT use database (no SqlClient dependency)
Uses file-based Logger (writes to ./logs/{date}.log)
Authenticates via API key (x-api-key header)
Uses BackendUtilsConfigBasic (not full BackendUtilsConfig)

Storage Model:

Files organized by projectId directories
Path: {STORAGE_VOLUME_PATH}/{projectId}/{filename}
Validates filenames to prevent path traversal attacks

Directory Structure:

{STORAGE_VOLUME_PATH}/
├── {projectId}/                                           # Project natural key/slug
│   ├── 2025-11-19_17-16-35_abc123-def456.json.gz         # {timestamp}_{sessionId}.json.gz
│   ├── 2025-11-20_09-30-00_xyz789-uvw012.json.gz
│   └── ...
├── another-project/
│   └── ...

Configuration Pattern

Follows cwc-sql pattern:

Config in src/config/ folder with 3 files:
- config.types.ts - CwcStorageConfig type definition
- loadConfig.ts - Loads and validates from environment
- index.ts - Exports
Uses shared helpers from cwc-backend-utils:
- requireEnv(), optionalEnv(), parseNumber(), parseBoolean(), parseJson()
Adapter function converts to BackendUtilsConfigBasic for Express service

Required Environment Variables:

RUNTIME_ENVIRONMENT=dev  # dev | test | prod | unit | e2e
SERVICE_PORT=5030
CORS_ORIGIN=http://localhost:3000
STORAGE_API_KEY=your-secret-api-key
RATE_LIMITER_POINTS=15
RATE_LIMITER_DURATION=1
STORAGE_VOLUME_PATH=/path/to/storage
STORAGE_LOG_PATH=./logs
DEBUG_MODE=ON  # ON | OFF
DEV_CORS_ORIGIN=

API Routes

All routes require x-api-key header and use POST method.

Route	Description	Payload
`/storage/v1/coding-session-data-get`	Retrieve session file	`{ projectId, filename }`
`/storage/v1/coding-session-data-put`	Store session file	`{ projectId, filename, dataUri }`
`/storage/v1/coding-session-data-delete`	Delete session file	`{ projectId, filename }`

Example Usage:

// PUT a session-data file
{
  projectId: "coding-with-claude",
  filename: "2025-11-19_17-16-35_abc123-def456.json.gz",
  dataUri: "<base64-encoded-gzipped-json>"
}

// GET a session-data file
{
  projectId: "coding-with-claude",
  filename: "2025-11-19_17-16-35_abc123-def456.json.gz"
}

Security

API Key Authentication:

Uses constant-time comparison (crypto.timingSafeEqual) to prevent timing attacks
API key required in x-api-key header for all requests

HTTPS Enforcement:

Only required in production (isProduction: true)
Checks x-forwarded-proto header for proxy/load balancer scenarios

Filename Validation:

Rejects filenames with /, \, or ..
Prevents path traversal attacks

File-Based Logger

Different from cwc-backend-utils Logger:

Writes to filesystem ({storageLogPath}/{YYYY-MM-DD}.log)
Does NOT write to database (cwc-storage has no DB access)
Supports ERROR, INFO, DEBUG levels
DEBUG only outputs when debugMode: true

Dependency Injection Pattern

Config passed to constructors (not imported globally):

// index.ts
const config = loadConfig();
const apis: ExpressApi[] = [new StorageApiV1(config)];

// StorageApiV1 passes config to handlers
const handlerFactories = {
  storage: () => new StorageHandler(handlerOptions, this.config),
};

// Routes receive config for storage functions
export const getRoutes = (config: CwcStorageConfig): StorageRouteConfigs => ({
  '/coding-session-data-get': {
    worker: createGetFromStorage(config),
    // ...
  },
});

Related Packages

Depends On:

cwc-backend-utils (workspace) - Express service factory, config helpers, loadDotEnv
cwc-types (workspace) - RuntimeEnvironment type
express - Web framework

Does NOT Depend On:

cwc-sql - No database access
SqlClient - No database queries

packages/cwc-storage/src/apis/StorageApiV1/index.ts

import crypto from 'crypto';
import { NextFunction, Request, Response } from 'express';
import { RequestPayload, StorageApi } from '../../types';
import { getRoutes } from './routes';
import {
  StorageApiResponseData,
  StorageHandlerResponse,
  StorageRouteConfigs,
  StorageRouteHandler,
  StorageRouteHandlerOptions,
} from './types';
import { StorageHandler } from './StorageHandler';
import { Logger } from '../../Logger';
import type { CwcStorageConfig } from '../../config';

const codeLocation = 'src/apis/StorageApiV1/index.ts';

export class StorageApiV1 implements StorageApi {
  private routes: StorageRouteConfigs;
  private logger: Logger;
  private apiKey: string;
  private config: CwcStorageConfig;

  constructor(config: CwcStorageConfig) {
    this.config = config;
    this.logger = new Logger({
      logPath: config.storageLogPath,
      serviceName: 'cwc-storage',
      debugMode: config.debugMode,
    });
    this.routes = getRoutes(config);
    this.apiKey = config.secrets.storageApiKey;
  }

  public get path(): string {
    return '/storage/v1';
  }

  public get version(): number {
    return 1;
  }

  private validateApiKey(req: Request): boolean {
    // Check for API key in x-api-key header
    const requestApiKey = req.headers['x-api-key'];

    if (!requestApiKey || typeof requestApiKey !== 'string') {
      return false;
    }

    if (!this.apiKey) {
      this.logger.logError({
        username: undefined,
        codeLocation,
        message: 'API key not configured',
        error: 'storageApiKey is undefined',
        value: undefined,
        request: undefined,
      });
      return false;
    }

    // Use constant-time comparison to prevent timing attacks
    try {
      const requestBuffer = Buffer.from(requestApiKey);
      const apiKeyBuffer = Buffer.from(this.apiKey);

      // timingSafeEqual requires equal-length buffers
      if (requestBuffer.length !== apiKeyBuffer.length) {
        return false;
      }

      return crypto.timingSafeEqual(requestBuffer, apiKeyBuffer);
    } catch (error) {
      this.logger.logError({
        username: undefined,
        codeLocation,
        message: 'API key comparison failed',
        error,
        value: undefined,
        request: undefined,
      });
      return false;
    }
  }

  private isHttpsRequired(): boolean {
    // Only require HTTPS in "prod" environment
    return this.config.isProduction;
  }

  private validateHttps(req: Request): boolean {
    // Check if HTTPS is required
    if (!this.isHttpsRequired()) {
      return true; // Allow HTTP in development/test
    }

    // Check protocol from request
    const protocol = req.protocol;
    const isSecure = req.secure || protocol === 'https';

    // Also check x-forwarded-proto header (for proxies/load balancers)
    const forwardedProto = req.headers['x-forwarded-proto'];
    const isForwardedSecure = forwardedProto === 'https';

    return isSecure || isForwardedSecure;
  }

  public async handler(req: Request, res: Response, next: NextFunction): Promise<void> {
    const logError = (message: string, error: unknown, value: unknown = undefined): void => {
      this.logger.logError({
        username: undefined,
        request: undefined,
        codeLocation,
        message,
        value,
        error,
      });
    };

    try {
      if (res.statusCode !== 200) {
        return;
      }
      if (res.writableEnded) {
        return;
      }

      const { body, path, query, method } = req;

      // Enforce HTTPS in "prod"
      if (!this.validateHttps(req)) {
        logError('HTTPS required', 'Non-HTTPS request in "prod" environment');
        res.status(403).send('HTTPS required');
        return;
      }

      // Validate API key for all requests
      if (!this.validateApiKey(req)) {
        res.status(401).send('unauthorized');
        return;
      }

      // Validate the path
      if (!this.isPathValid(path)) {
        res.status(404).send('not found');
        return;
      }

      // Locate the corresponding route config object
      const routeConfig = this.routes[path];
      if (!routeConfig) {
        logError('handler', 'ROUTE CONFIG NOT FOUND', { path });
        next();
        return;
      }

      if (method !== routeConfig.method) {
        logError('handler', 'ROUTE NOT FOUND', { path });
        res.status(404).send('invalid route');
        return;
      }

      // Build payload from body and query params
      const payload: RequestPayload = body ?? {};
      if (routeConfig.params && routeConfig.params.length > 0 && query) {
        for (let i = 0; i < routeConfig.params.length; i++) {
          const key = routeConfig.params[i];
          if (key) {
            payload[key] = query[key.toLowerCase()];
          }
        }
      }

      // Instantiate the route handler
      const handlerOptions: StorageRouteHandlerOptions = {
        payload,
        routeConfig,
      };

      const handlerFactories = {
        storage: () => new StorageHandler(handlerOptions, this.config),
      };
      type FactoryFunction = () => StorageRouteHandler;
      const factory: FactoryFunction = handlerFactories[routeConfig.handlerType];

      if (!factory) {
        logError('handler', 'HANDLER FACTORY NOT FOUND', { path });
        res.status(404).send('invalid route');
        return;
      }

      const routeHandler: StorageRouteHandler = factory();
      if (!routeHandler) {
        logError('handler', 'HANDLER FACTORY FAILED', { path });
        res.status(404).send('invalid route');
        return;
      }

      // Invoke the route handler
      const handlerResponse: StorageHandlerResponse = await routeHandler.processRequest();

      const statusCode = handlerResponse.statusCode;
      const data: StorageApiResponseData = {
        success: false,
        data: undefined,
      };

      const success = statusCode === 200 && handlerResponse?.success === true;
      if (success === true) {
        data.success = true;
        data.data = handlerResponse.data;
      }

      if (routeConfig.cacheControl) {
        res.header('Cache-Control', routeConfig.cacheControl);
      }

      res.status(statusCode).json(data);
    } catch (error) {
      logError('StorageApiV1.handler - ERROR', error);
      res.status(404).send('request failed');
    }
  }

  private isPathValid(path: string): boolean {
    if (!path || path === '/') {
      return false;
    }
    return true;
  }
}

packages/cwc-storage/src/apis/StorageApiV1/StorageHandler.ts

'use strict';

import { Logger } from '../../Logger';
import { RequestPayload } from '../../types';
import {
  StorageHandlerResponse,
  StorageRouteHandler,
  StorageRouteHandlerOptions,
  StorageFunction,
  StorageFunctionResult,
} from './types';
import { requestError, requestFailed } from './utils';
import type { CwcStorageConfig } from '../../config';

const codeLocation = './src/apis/StorageApiV1/StorageHandler.ts';

export class StorageHandler implements StorageRouteHandler {
  public get serviceFunctionType(): string {
    return 'storage';
  }
  private payload: RequestPayload;
  private path: string;
  private debug: boolean = false;
  private worker: StorageFunction<unknown>;
  private logger: Logger;

  constructor({ payload, routeConfig }: StorageRouteHandlerOptions, config: CwcStorageConfig) {
    this.logger = new Logger({
      logPath: config.storageLogPath,
      serviceName: 'cwc-storage',
      debugMode: config.debugMode,
    });
    this.payload = payload;
    this.path = routeConfig.path;
    this.debug = Boolean(routeConfig.debug);
    this.worker = routeConfig.worker as StorageFunction<unknown>;

    this.debugInfo('constructor', { path: this.path });
  }

  private debugInfo(description: string, info: unknown): void {
    if (this.debug) {
      this.logger.logInformation({
        username: undefined,
        codeLocation,
        message: `${this.path} - ${description}`,
        value: { info },
      });
    }
  }

  public async processRequest(): Promise<StorageHandlerResponse> {
    try {
      // Execute the worker function with the payload
      const workerResult: StorageFunctionResult<unknown> = await this.worker({
        payload: this.payload,
      });

      if (!workerResult.success || !workerResult.data || workerResult.error) {
        this.logger.logError({
          username: undefined,
          codeLocation,
          message: 'processRequest',
          error: workerResult.error,
          value: undefined,
          request: { path: this.path, payload: this.payload },
        });
        return requestFailed(workerResult.error || 'storage operation failed');
      }

      // Successfully processed the request
      const result: StorageHandlerResponse = {
        statusCode: 200,
        success: true,
        data: workerResult.data,
        error: undefined,
      };
      return result;
    } catch (error) {
      this.logger.logError({
        username: undefined,
        codeLocation,
        message: 'processRequest',
        error,
        value: undefined,
        request: { path: this.path, payload: this.payload },
      });
      return await requestError(error);
    }
  }
}

packages/cwc-storage/src/config/config.types.ts

2 versions

Version 1

import type { RuntimeEnvironment } from 'cwc-types';

/**
 * Secret configuration values for cwc-storage
 * These values must be provided via secrets file, never committed to code
 */
export type CwcStorageConfigSecrets = {
  storageApiKey: string;
};

/**
 * Configuration for the cwc-storage microservice
 */
export type CwcStorageConfig = {
  // Environment
  runtimeEnvironment: RuntimeEnvironment;
  isProduction: boolean;
  isDevelopment: boolean;
  isTest: boolean;
  isUnitTest: boolean;
  isEndToEnd: boolean;

  // Service
  servicePort: number;

  // Security
  corsOrigin: string;

  // Rate limiting
  rateLimiterPoints: number;
  rateLimiterDuration: number;

  // Development settings
  devCorsOrigin: string;

  // Debugging
  debugMode: boolean;

  // Storage-specific settings
  storageVolumePath: string;
  logPath: string;

  // Secrets (nested)
  secrets: CwcStorageConfigSecrets;
};

Version 2 (latest)

import type { RuntimeEnvironment } from 'cwc-types';

/**
 * Secret configuration values for cwc-storage
 * These values must be provided via secrets file, never committed to code
 */
export type CwcStorageConfigSecrets = {
  storageApiKey: string;
};

/**
 * Configuration for the cwc-storage microservice
 */
export type CwcStorageConfig = {
  // Environment
  runtimeEnvironment: RuntimeEnvironment;
  isProduction: boolean;
  isDevelopment: boolean;
  isTest: boolean;
  isUnitTest: boolean;
  isEndToEnd: boolean;

  // Service
  servicePort: number;

  // Security
  corsOrigin: string;

  // Rate limiting
  rateLimiterPoints: number;
  rateLimiterDuration: number;

  // Development settings
  devCorsOrigin: string;

  // Debugging
  debugMode: boolean;

  // Storage-specific settings
  storageVolumePath: string;
  storageLogPath: string;

  // Secrets (nested)
  secrets: CwcStorageConfigSecrets;
};

packages/cwc-storage/src/config/loadConfig.ts

4 versions

Version 1

import type { RuntimeEnvironment } from 'cwc-types';
import {
  requireEnv,
  optionalEnv,
  parseNumber,
  parseBoolean,
  parseJson,
} from 'cwc-backend-utils';
import type { CwcStorageConfig } from './config.types';

/**
 * Validates runtime environment value
 */
function validateRuntimeEnvironment(value: string): RuntimeEnvironment {
  const validEnvironments = ['dev', 'test', 'prod', 'unit', 'e2e'];
  if (!validEnvironments.includes(value)) {
    throw new Error(
      `Invalid RUNTIME_ENVIRONMENT: ${value}. Must be one of: ${validEnvironments.join(', ')}`
    );
  }
  return value as RuntimeEnvironment;
}

/**
 * Loads and validates configuration from environment variables
 * Caches the configuration on first load
 */
let cachedConfig: CwcStorageConfig | undefined;

export function loadConfig(): CwcStorageConfig {
  // Return cached config if already loaded
  if (cachedConfig) {
    return cachedConfig;
  }

  try {
    // Parse runtime environment
    const runtimeEnvironment = validateRuntimeEnvironment(requireEnv('RUNTIME_ENVIRONMENT'));

    // Derive environment booleans
    const isProduction = runtimeEnvironment === 'prod';
    const isDevelopment = runtimeEnvironment === 'dev';
    const isTest = runtimeEnvironment === 'test';
    const isUnitTest = runtimeEnvironment === 'unit';
    const isEndToEnd = runtimeEnvironment === 'e2e';

    // Parse configuration
    const config: CwcStorageConfig = {
      // Environment
      runtimeEnvironment,
      isProduction,
      isDevelopment,
      isTest,
      isUnitTest,
      isEndToEnd,

      // Service
      servicePort: parseNumber('SERVICE_PORT', 5004),

      // Security
      corsOrigin: requireEnv('CORS_ORIGIN'),

      // Rate limiting
      rateLimiterPoints: parseNumber('RATE_LIMITER_POINTS', 15),
      rateLimiterDuration: parseNumber('RATE_LIMITER_DURATION', 1),

      // Development settings
      devCorsOrigin: optionalEnv('DEV_CORS_ORIGIN', ''),

      // Debugging
      debugMode: parseBoolean('DEBUG_MODE', false),

      // Storage-specific settings
      storageVolumePath: requireEnv('STORAGE_VOLUME_PATH'),
      logPath: optionalEnv('LOG_PATH', './logs'),

      // Secrets (nested)
      secrets: {
        storageApiKey: requireEnv('STORAGE_API_KEY'),
      },
    };

    // Validate port
    if (config.servicePort < 1 || config.servicePort > 65535) {
      throw new Error('SERVICE_PORT must be between 1 and 65535');
    }

    // Validate storage volume path is not empty
    if (config.storageVolumePath.trim() === '') {
      throw new Error('STORAGE_VOLUME_PATH cannot be empty');
    }

    // Cache the configuration
    cachedConfig = config;

    // Log configuration in debug mode (redact sensitive data)
    if (config.debugMode) {
      console.log('[cwc-storage] Configuration loaded:');
      console.log(`  Environment: ${config.runtimeEnvironment}`);
      console.log(`  Service Port: ${config.servicePort}`);
      console.log(`  CORS Origin: ${config.corsOrigin}`);
      console.log(`  Storage API Key: [REDACTED]`);
      console.log(`  Rate Limiter: ${config.rateLimiterPoints} points / ${config.rateLimiterDuration}s`);
      console.log(`  Storage Volume Path: ${config.storageVolumePath}`);
      console.log(`  Log Path: ${config.logPath}`);
      console.log(`  Debug Mode: ${config.debugMode}`);
    }

    return config;
  } catch (error) {
    console.error('[cwc-storage] Failed to load configuration:');
    if (error instanceof Error) {
      console.error(`  ${error.message}`);
    } else {
      console.error(error);
    }
    console.error('\nPlease check your environment variables and try again.');
    process.exit(1);
  }
}

Version 2

import type { RuntimeEnvironment } from 'cwc-types';
import { requireEnv, optionalEnv, parseNumber, parseBoolean } from 'cwc-backend-utils';
import type { CwcStorageConfig } from './config.types';

/**
 * Validates runtime environment value
 */
function validateRuntimeEnvironment(value: string): RuntimeEnvironment {
  const validEnvironments = ['dev', 'test', 'prod', 'unit', 'e2e'];
  if (!validEnvironments.includes(value)) {
    throw new Error(
      `Invalid RUNTIME_ENVIRONMENT: ${value}. Must be one of: ${validEnvironments.join(', ')}`
    );
  }
  return value as RuntimeEnvironment;
}

/**
 * Loads and validates configuration from environment variables
 * Caches the configuration on first load
 */
let cachedConfig: CwcStorageConfig | undefined;

export function loadConfig(): CwcStorageConfig {
  // Return cached config if already loaded
  if (cachedConfig) {
    return cachedConfig;
  }

  try {
    // Parse runtime environment
    const runtimeEnvironment = validateRuntimeEnvironment(requireEnv('RUNTIME_ENVIRONMENT'));

    // Derive environment booleans
    const isProduction = runtimeEnvironment === 'prod';
    const isDevelopment = runtimeEnvironment === 'dev';
    const isTest = runtimeEnvironment === 'test';
    const isUnitTest = runtimeEnvironment === 'unit';
    const isEndToEnd = runtimeEnvironment === 'e2e';

    // Parse configuration
    const config: CwcStorageConfig = {
      // Environment
      runtimeEnvironment,
      isProduction,
      isDevelopment,
      isTest,
      isUnitTest,
      isEndToEnd,

      // Service
      servicePort: parseNumber('SERVICE_PORT', 5004),

      // Security
      corsOrigin: requireEnv('CORS_ORIGIN'),

      // Rate limiting
      rateLimiterPoints: parseNumber('RATE_LIMITER_POINTS', 15),
      rateLimiterDuration: parseNumber('RATE_LIMITER_DURATION', 1),

      // Development settings
      devCorsOrigin: optionalEnv('DEV_CORS_ORIGIN', ''),

      // Debugging
      debugMode: parseBoolean('DEBUG_MODE', false),

      // Storage-specific settings
      storageVolumePath: requireEnv('STORAGE_VOLUME_PATH'),
      logPath: optionalEnv('LOG_PATH', './logs'),

      // Secrets (nested)
      secrets: {
        storageApiKey: requireEnv('STORAGE_API_KEY'),
      },
    };

    // Validate port
    if (config.servicePort < 1 || config.servicePort > 65535) {
      throw new Error('SERVICE_PORT must be between 1 and 65535');
    }

    // Validate storage volume path is not empty
    if (config.storageVolumePath.trim() === '') {
      throw new Error('STORAGE_VOLUME_PATH cannot be empty');
    }

    // Cache the configuration
    cachedConfig = config;

    // Log configuration in debug mode (redact sensitive data)
    if (config.debugMode) {
      console.log('[cwc-storage] Configuration loaded:');
      console.log(`  Environment: ${config.runtimeEnvironment}`);
      console.log(`  Service Port: ${config.servicePort}`);
      console.log(`  CORS Origin: ${config.corsOrigin}`);
      console.log(`  Storage API Key: [REDACTED]`);
      console.log(`  Rate Limiter: ${config.rateLimiterPoints} points / ${config.rateLimiterDuration}s`);
      console.log(`  Storage Volume Path: ${config.storageVolumePath}`);
      console.log(`  Log Path: ${config.logPath}`);
      console.log(`  Debug Mode: ${config.debugMode}`);
    }

    return config;
  } catch (error) {
    console.error('[cwc-storage] Failed to load configuration:');
    if (error instanceof Error) {
      console.error(`  ${error.message}`);
    } else {
      console.error(error);
    }
    console.error('\nPlease check your environment variables and try again.');
    process.exit(1);
  }
}

Version 3

import type { RuntimeEnvironment } from 'cwc-types';
import { requireEnv, optionalEnv, parseNumber, parseBoolean } from 'cwc-backend-utils';
import type { CwcStorageConfig } from './config.types';

/**
 * Validates runtime environment value
 */
function validateRuntimeEnvironment(value: string): RuntimeEnvironment {
  const validEnvironments = ['dev', 'test', 'prod', 'unit', 'e2e'];
  if (!validEnvironments.includes(value)) {
    throw new Error(
      `Invalid RUNTIME_ENVIRONMENT: ${value}. Must be one of: ${validEnvironments.join(', ')}`
    );
  }
  return value as RuntimeEnvironment;
}

/**
 * Loads and validates configuration from environment variables
 * Caches the configuration on first load
 */
let cachedConfig: CwcStorageConfig | undefined;

export function loadConfig(): CwcStorageConfig {
  // Return cached config if already loaded
  if (cachedConfig) {
    return cachedConfig;
  }

  try {
    // Parse runtime environment
    const runtimeEnvironment = validateRuntimeEnvironment(requireEnv('RUNTIME_ENVIRONMENT'));

    // Derive environment booleans
    const isProduction = runtimeEnvironment === 'prod';
    const isDevelopment = runtimeEnvironment === 'dev';
    const isTest = runtimeEnvironment === 'test';
    const isUnitTest = runtimeEnvironment === 'unit';
    const isEndToEnd = runtimeEnvironment === 'e2e';

    // Parse configuration
    const config: CwcStorageConfig = {
      // Environment
      runtimeEnvironment,
      isProduction,
      isDevelopment,
      isTest,
      isUnitTest,
      isEndToEnd,

      // Service
      servicePort: parseNumber('SERVICE_PORT', 5004),

      // Security
      corsOrigin: requireEnv('CORS_ORIGIN'),

      // Rate limiting
      rateLimiterPoints: parseNumber('RATE_LIMITER_POINTS', 15),
      rateLimiterDuration: parseNumber('RATE_LIMITER_DURATION', 1),

      // Development settings
      devCorsOrigin: optionalEnv('DEV_CORS_ORIGIN', 'http://localhost:3000'),

      // Debugging
      debugMode: parseBoolean('DEBUG_MODE', false),

      // Storage-specific settings
      storageVolumePath: requireEnv('STORAGE_VOLUME_PATH'),
      logPath: optionalEnv('LOG_PATH', './logs'),

      // Secrets (nested)
      secrets: {
        storageApiKey: requireEnv('STORAGE_API_KEY'),
      },
    };

    // Validate port
    if (config.servicePort < 1 || config.servicePort > 65535) {
      throw new Error('SERVICE_PORT must be between 1 and 65535');
    }

    // Validate storage volume path is not empty
    if (config.storageVolumePath.trim() === '') {
      throw new Error('STORAGE_VOLUME_PATH cannot be empty');
    }

    // Cache the configuration
    cachedConfig = config;

    // Log configuration in debug mode (redact sensitive data)
    if (config.debugMode) {
      console.log('[cwc-storage] Configuration loaded:');
      console.log(`  Environment: ${config.runtimeEnvironment}`);
      console.log(`  Service Port: ${config.servicePort}`);
      console.log(`  CORS Origin: ${config.corsOrigin}`);
      console.log(`  Storage API Key: [REDACTED]`);
      console.log(
        `  Rate Limiter: ${config.rateLimiterPoints} points / ${config.rateLimiterDuration}s`
      );
      console.log(`  Storage Volume Path: ${config.storageVolumePath}`);
      console.log(`  Log Path: ${config.logPath}`);
      console.log(`  Debug Mode: ${config.debugMode}`);
    }

    return config;
  } catch (error) {
    console.error('[cwc-storage] Failed to load configuration:');
    if (error instanceof Error) {
      console.error(`  ${error.message}`);
    } else {
      console.error(error);
    }
    console.error('\nPlease check your environment variables and try again.');
    process.exit(1);
  }
}

Version 4 (latest)

import type { RuntimeEnvironment } from 'cwc-types';
import { requireEnv, optionalEnv, parseNumber, parseBoolean } from 'cwc-backend-utils';
import type { CwcStorageConfig } from './config.types';

/**
 * Validates runtime environment value
 */
function validateRuntimeEnvironment(value: string): RuntimeEnvironment {
  const validEnvironments = ['dev', 'test', 'prod', 'unit', 'e2e'];
  if (!validEnvironments.includes(value)) {
    throw new Error(
      `Invalid RUNTIME_ENVIRONMENT: ${value}. Must be one of: ${validEnvironments.join(', ')}`
    );
  }
  return value as RuntimeEnvironment;
}

/**
 * Loads and validates configuration from environment variables
 * Caches the configuration on first load
 */
let cachedConfig: CwcStorageConfig | undefined;

export function loadConfig(): CwcStorageConfig {
  // Return cached config if already loaded
  if (cachedConfig) {
    return cachedConfig;
  }

  try {
    // Parse runtime environment
    const runtimeEnvironment = validateRuntimeEnvironment(requireEnv('RUNTIME_ENVIRONMENT'));

    // Derive environment booleans
    const isProduction = runtimeEnvironment === 'prod';
    const isDevelopment = runtimeEnvironment === 'dev';
    const isTest = runtimeEnvironment === 'test';
    const isUnitTest = runtimeEnvironment === 'unit';
    const isEndToEnd = runtimeEnvironment === 'e2e';

    // Parse configuration
    const config: CwcStorageConfig = {
      // Environment
      runtimeEnvironment,
      isProduction,
      isDevelopment,
      isTest,
      isUnitTest,
      isEndToEnd,

      // Service
      servicePort: parseNumber('SERVICE_PORT', 5004),

      // Security
      corsOrigin: requireEnv('CORS_ORIGIN'),

      // Rate limiting
      rateLimiterPoints: parseNumber('RATE_LIMITER_POINTS', 15),
      rateLimiterDuration: parseNumber('RATE_LIMITER_DURATION', 1),

      // Development settings
      devCorsOrigin: optionalEnv('DEV_CORS_ORIGIN', 'http://localhost:3000'),

      // Debugging
      debugMode: parseBoolean('DEBUG_MODE', false),

      // Storage-specific settings
      storageVolumePath: requireEnv('STORAGE_VOLUME_PATH'),
      storageLogPath: optionalEnv('STORAGE_LOG_PATH', './logs'),

      // Secrets (nested)
      secrets: {
        storageApiKey: requireEnv('STORAGE_API_KEY'),
      },
    };

    // Validate port
    if (config.servicePort < 1 || config.servicePort > 65535) {
      throw new Error('SERVICE_PORT must be between 1 and 65535');
    }

    // Validate storage volume path is not empty
    if (config.storageVolumePath.trim() === '') {
      throw new Error('STORAGE_VOLUME_PATH cannot be empty');
    }

    // Cache the configuration
    cachedConfig = config;

    // Log configuration in debug mode (redact sensitive data)
    if (config.debugMode) {
      console.log('[cwc-storage] Configuration loaded:');
      console.log(`  Environment: ${config.runtimeEnvironment}`);
      console.log(`  Service Port: ${config.servicePort}`);
      console.log(`  CORS Origin: ${config.corsOrigin}`);
      console.log(`  Storage API Key: [REDACTED]`);
      console.log(
        `  Rate Limiter: ${config.rateLimiterPoints} points / ${config.rateLimiterDuration}s`
      );
      console.log(`  Storage Volume Path: ${config.storageVolumePath}`);
      console.log(`  Storage Log Path: ${config.storageLogPath}`);
      console.log(`  Debug Mode: ${config.debugMode}`);
    }

    return config;
  } catch (error) {
    console.error('[cwc-storage] Failed to load configuration:');
    if (error instanceof Error) {
      console.error(`  ${error.message}`);
    } else {
      console.error(error);
    }
    console.error('\nPlease check your environment variables and try again.');
    process.exit(1);
  }
}

packages/cwc-storage/src/environment.d.ts

declare namespace NodeJS {
  interface ProcessEnv {
    // Environment
    RUNTIME_ENVIRONMENT: string; // 'dev' | 'prod' | 'test' | 'unit' | 'e2e'

    // Service
    SERVICE_PORT: string;

    // Security
    CORS_ORIGIN: string;
    STORAGE_API_KEY: string;

    // Rate limiter
    RATE_LIMITER_POINTS: string;
    RATE_LIMITER_DURATION: string;

    // Development settings
    DEV_CORS_ORIGIN: string;

    // Debugging
    DEBUG_MODE: 'OFF' | 'ON';

    // Storage-specific settings
    STORAGE_VOLUME_PATH: string;
    LOG_PATH: string;
  }
}

packages/cwc-storage/src/index.ts

import {
  loadDotEnv,
  createExpressService,
  type ExpressApi,
  type BackendUtilsConfigBasic,
} from 'cwc-backend-utils';
import type { RuntimeEnvironment } from 'cwc-types';
import type { CwcStorageConfig } from './config';
import { loadConfig } from './config';
import { StorageApiV1 } from './apis/StorageApiV1';

console.log(`
 .d8888b. 88888888888 .d88888b.  8888888b.         d8888  .d8888b.  8888888888
d88P  Y88b    888    d88P" "Y88b 888   Y88b       d88888 d88P  Y88b 888
Y88b.         888    888     888 888    888      d88P888 888    888 888
 "Y888b.      888    888     888 888   d88P     d88P 888 888        8888888
    "Y88b.    888    888     888 8888888P"     d88P  888 888  88888 888
      "888    888    888     888 888 T88b     d88P   888 888    888 888
Y88b  d88P    888    Y88b. .d88P 888  T88b   d8888888888 Y88b  d88P 888
 "Y8888P"     888     "Y88888P"  888   T88b d88P     888  "Y8888P88 8888888888
`);

/**
 * Converts CwcStorageConfig to BackendUtilsConfigBasic for createExpressService
 */
function createBackendUtilsConfig(storageConfig: CwcStorageConfig): BackendUtilsConfigBasic {
  return {
    debugMode: storageConfig.debugMode,
    isDevelopment: storageConfig.isDevelopment,
    isTest: storageConfig.isTest,
    isProduction: storageConfig.isProduction,
    isUnitTest: storageConfig.isUnitTest,
    isEndToEnd: storageConfig.isEndToEnd,
    corsOrigin: storageConfig.corsOrigin,
    servicePort: storageConfig.servicePort,
    rateLimiterPoints: storageConfig.rateLimiterPoints,
    rateLimiterDuration: storageConfig.rateLimiterDuration,
    devCorsOrigin: storageConfig.devCorsOrigin,
  };
}

/**
 * Main entry point for the cwc-storage microservice
 */
async function main(): Promise<void> {
  try {
    console.log('[cwc-storage] Starting cwc-storage microservice...');

    // Load environment variables
    loadDotEnv({
      serviceName: 'cwc-storage',
      environment: (process.env['RUNTIME_ENVIRONMENT'] as RuntimeEnvironment) || 'dev',
      debug: process.env['DEBUG_MODE'] === 'ON',
    });

    // Load and validate configuration
    const config = loadConfig();

    console.log('[cwc-storage] Configuration loaded successfully');

    // Create API instances
    const apis: ExpressApi[] = [new StorageApiV1(config)];

    // Create Express service
    const service = createExpressService({
      config: createBackendUtilsConfig(config),
      serviceName: 'cwc-storage',
      apis,
      allowGet: false,
      allowOptions: true,
      allowPost: true,
      payloadLimit: '2mb',
    });

    // Start the service
    service.start(apis);

    console.log('');
    console.log('='.repeat(60));
    console.log(`[cwc-storage] Service started successfully`);
    console.log(`[cwc-storage] Environment: ${config.runtimeEnvironment}`);
    console.log(`[cwc-storage] Port: ${config.servicePort}`);
    console.log(`[cwc-storage] Storage Volume: ${config.storageVolumePath}`);
    console.log(`[cwc-storage] Debug: ${config.debugMode ? 'enabled' : 'disabled'}`);
    console.log('='.repeat(60));
    console.log('');

    // Handle graceful shutdown
    const shutdown = async (signal: string): Promise<void> => {
      console.log(`\n[cwc-storage] Received ${signal}, shutting down gracefully...`);

      try {
        // Close HTTP server
        await new Promise<void>((resolve, reject) => {
          service.httpServer.close((err) => {
            if (err) {
              reject(err);
            } else {
              resolve();
            }
          });
        });

        console.log('[cwc-storage] HTTP server closed');
        console.log('[cwc-storage] Shutdown complete');
        process.exit(0);
      } catch (error) {
        console.error('[cwc-storage] Error during shutdown:', error);
        process.exit(1);
      }
    };

    // Register shutdown handlers
    process.on('SIGTERM', () => shutdown('SIGTERM'));
    process.on('SIGINT', () => shutdown('SIGINT'));

    // Handle uncaught errors
    process.on('unhandledRejection', (reason, promise) => {
      console.error('[cwc-storage] Unhandled Rejection at:', promise, 'reason:', reason);

      // Don't exit on unhandled rejection in production
      if (!config.isProduction) {
        process.exit(1);
      }
    });

    process.on('uncaughtException', (error) => {
      console.error('[cwc-storage] Uncaught Exception:', error);

      // Always exit on uncaught exception
      process.exit(1);
    });
  } catch (error) {
    console.error('[cwc-storage] Failed to start service:', error);
    process.exit(1);
  }
}

// Start the service
main();

// Export for testing
export { main };

Session 18: resume config helper

Session 18: resume config helper

Summary of Findings

Issue 1: MariaDB Secrets Location

Issue 2: Path.join Syntax

Issue 3: authenticationPublicKey Rename

Issue 4: Configuration Helper Generate Command

Plan: CWC Configuration Improvements

Recommended Order

Issue 1: Consolidate MariaDB Secrets into Configuration Helper

Changes Required

Issue 2: Improve path.join Syntax for Searchability

Changes Required

Pattern

Issue 3: Rename authenticationPublicKey → sqlClientApiKey

Code Files to Update

Documentation to Update

Naming Guideline to Add to CLAUDE.md

Issue 4: Configuration Helper - Error on Missing Values

Changes Required

Error Report Format

Implementation Approach

Files Summary

Must Modify

Typecheck After Each Issue

Summary of Changes

Issue 3: Rename authenticationPublicKey → sqlClientApiKey ✅

Issue 2: Improve path.join syntax for searchability ✅

Issue 1: Consolidate MariaDB secrets ✅

Issue 4: Configuration helper - error on missing values ✅

Additional Fix

Current STATE_API_ALLOWED_IPS Usage

The Problem with Docker Compose Networking

Current Security Layers

Plan: Replace IP Whitelisting with Service Name Whitelisting

Background

Current Usage

Files Affected

cwc-sql

cwc-auth

cwc-backend-utils

Options to Consider

Option A: Remove IP whitelisting entirely

Option B: Replace with service name whitelisting

Option C: Keep IP whitelisting for non-Docker deployments

Questions to Resolve

Summary

My Recommendation: Remove IP Whitelisting (Option A)

Files to Modify

Performance Analysis

However, Docker Networking Changes the Equation

My Updated Recommendation

Plan: Remove IP Whitelisting

Decision

Files to Modify

cwc-sql

cwc-auth

cwc-configuration-helper

cwc-backend-utils

Implementation Order

Summary of Changes

cwc-sql

cwc-auth

cwc-backend-utils

Current Implementation Analysis

DEV_MACHINES Purpose

DEV_CORS_ORIGIN Purpose

Hard-coded Docker IPs (Lines 38-39)

Key Inconsistency

Analysis: Protecting test.codingwithclaude.dev

Plan: Clean Up CORS Implementation and Dev Access Configuration

Context

Decisions

Rationale: Why Remove IP Check from CORS

Files to Modify

cwc-backend-utils (core changes)

cwc-auth

cwc-storage

cwc-sql

cwc-configuration-helper