MVP starter with email/password auth, RBAC, password reset codes, admin user management, and security-focused defaults.
- Next.js 16 (App Router)
- NextAuth v4 credentials auth
- Prisma ORM + Prisma Postgres local dev
- PostgreSQL via
npx prisma dev
- Passwords and reset codes are stored as hashes only.
- Reset flow uses 6-digit codes, TTL, single active code, attempts limit.
- RBAC is centralized via
requireRole. - Login/reset endpoints apply rate limiting.
- No-PII logging policy for sensitive auth data.
- Soft-delete for users (
deletedAt) with login blocked for deactivated users.
USERJUNIOR_ADMINADMIN
Permissions:
ADMINandJUNIOR_ADMINcan view/admin/users.- Only
ADMINcan change roles and deactivate users. ADMINandJUNIOR_ADMINcan issue reset codes, butJUNIOR_ADMINonly forUSERtargets.
- Node.js
20.19+,22.12+, or24+(Prisma 7 supported ranges) - pnpm
9+
- Install dependencies:
pnpm install- Start local Prisma Postgres and copy
DATABASE_URL:
npx prisma dev- Create env file:
cp .env.example .env.local-
Set
DATABASE_URLin.env.localfromnpx prisma devoutput. -
Run migrations:
pnpm db:migrate:dev- Seed data:
pnpm db:seed- Run app:
pnpm dev- (Optional) Open Prisma Studio:
npx prisma studiopnpm devpnpm lintpnpm typecheckpnpm testpnpm test:smokepnpm db:devpnpm db:migrate:devpnpm db:seed
db:migrate:dev and db:seed are wrapped by scripts/guard-env.mjs.
If APP_ENV=prod, destructive commands are blocked unless you explicitly set:
I_UNDERSTAND_PROD=1Public auth:
POST /api/auth/registerPOST /api/auth/password/request-codePOST /api/auth/password/confirm
Admin:
GET /api/admin/usersPOST /api/admin/users/:id/rolePOST /api/admin/users/:id/deactivatePOST /api/admin/users/:id/reset-code
- Process playbook:
docs/skill_dev_playbook.md - Implementation tracker:
docs/implementation_plan.md