JSPM

launchcrate

0.2.0
  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 7
  • Score
    100M100P100Q34917F
  • License MIT

AI-powered feature scaffolding for Next.js. Vibe code safely.

Package Exports

  • launchcrate
  • launchcrate/dist/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (launchcrate) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

Launch Crate CLI

AI-powered feature scaffolding for Next.js. Vibe code safely.

Launch Crate scans your Next.js project for security issues, generates AI safety rules, and scaffolds new features that match your existing code patterns. It knows which files are safe to create and which ones to never touch.

Quick Start

# Audit your project's vibe safety
npx launchcrate audit

#   Scanned 3,051 files
#
#   ┌─────────────────────────────────────┐
#   │  Vibe Safety Score: B (71/100)      │
#   └─────────────────────────────────────┘
#
#   Breakdown:
#     Authentication       ████████████████████ 100%
#     Injection Safety     ░░░░░░░░░░░░░░░░░░░░   0%
#     Secrets Management   █████████████████░░░  85%
#     Input Validation     ████████████████████ 100%
#     Error Handling       ████████████████████ 100%
#
#   CRITICAL (8)
#     ✗ src/lib/db/jira.ts:181 — SQL query uses string concatenation
#     ✗ src/app/api/admin/route.ts:145 — SQL injection risk
#     ...

# Generate AI safety rules for Claude Code and Cursor
npx launchcrate guard

#   + CLAUDE.md (47 rules)
#   + .cursorrules

# Detect your project and set up safe zones
npx launchcrate init

# Scaffold a complete feature that matches your patterns
npx launchcrate scaffold "invoice management system"

#   ✓ Feature: Invoice (8 fields)
#   ✓ Generated 7 files
#
#   + src/app/api/invoices/route.ts
#   + src/app/api/invoices/[id]/route.ts
#   + src/app/dashboard/invoices/page.tsx
#   + src/app/dashboard/invoices/[id]/page.tsx
#   + src/app/dashboard/invoices/components/InvoiceForm.tsx
#   + src/app/dashboard/invoices/components/InvoiceList.tsx
#   + src/app/dashboard/invoices/types.ts

Why?

AI coding tools generate features fast — and break your auth, database, and billing even faster. You spend more time fixing AI output than you saved.

Launch Crate fixes this with three steps:

  1. Audit — find what AI already broke (security issues, injection risks, leaked secrets)
  2. Guard — generate rules so AI can't break it again (CLAUDE.md, .cursorrules)
  3. Scaffold — build new features safely (code that matches YOUR patterns, not generic templates)

Commands

launchcrate audit

Scan your codebase for security issues and get a Vibe Safety Score (0-100).

npx launchcrate audit          # Terminal output with color
npx launchcrate audit --json   # Machine-readable JSON

Checks for:

  • Unprotected API routes — endpoints missing auth checks
  • SQL injection — string concatenation in queries
  • Hardcoded secrets — API keys, tokens, passwords in source code
  • Missing input validation — request bodies used without validation
  • Error leaks — stack traces exposed to clients
  • XSS risks — dangerouslySetInnerHTML with user content

Score breakdown with weighted categories:

Category Weight What it checks
Authentication 30% Auth on every API route
Injection Safety 25% Parameterized queries, no XSS
Secrets Management 25% No hardcoded credentials
Input Validation 10% Zod/Yup/Joi on request bodies
Error Handling 10% No stack traces in responses

Exits with code 1 if critical issues found — use in CI to block unsafe merges:

# .github/workflows/audit.yml
- run: npx launchcrate audit

launchcrate guard

Auto-generate AI safety rules from your project's actual architecture.

npx launchcrate guard              # Generate CLAUDE.md + .cursorrules
npx launchcrate guard --format claude   # CLAUDE.md only
npx launchcrate guard --format cursor   # .cursorrules only

Analyzes your project and generates rules covering:

  • Safe zones — files AI must never modify (auth, db, middleware)
  • Database patterns — how to query (your ORM, your import paths)
  • Auth patterns — how auth works (your wrappers, your session handling)
  • Security rules — no hardcoded secrets, parameterized queries only
  • Code conventions — import style, naming, error handling

With ANTHROPIC_API_KEY set, rules are tailored to your specific codebase by reading your existing code. Without it, generates from a template based on detected stack.

Commit the generated files so every AI coding session respects your architecture.

launchcrate init

Detect your project structure and create .launchcrate.json config.

npx launchcrate init           # Interactive detection
npx launchcrate init --force   # Overwrite existing config

Auto-detects:

  • Framework version and router type (App Router / Pages Router)
  • Database (Prisma, Drizzle, raw SQL, Supabase, Mongoose)
  • Auth (NextAuth, Clerk, Auth0, Supabase Auth)
  • Styling (Tailwind, CSS Modules, styled-components)
  • Reference files (existing routes and pages to learn patterns from)
  • Safe zones (files that should never be touched)

launchcrate scaffold [name]

Generate a complete feature with API routes, pages, and components.

npx launchcrate scaffold                                    # Interactive
npx launchcrate scaffold "customer tickets with SLA"        # With description
npx launchcrate scaffold "blog posts" --dry-run             # Preview only
npx launchcrate scaffold "notes" --no-ai                    # Basic templates
Flag Description
-d, --description <desc> Feature description (skips prompt)
--no-ai Use basic templates instead of AI generation
--dry-run Preview files without writing them

Requires ANTHROPIC_API_KEY for AI-powered generation. Without it, generates functional but generic code.

Generated code uses your ORM, your auth pattern, your component style, your import conventions. Not generic boilerplate — code that looks like you wrote it.

What gets generated

File Purpose
api/{feature}/route.ts List (GET) and create (POST) endpoints
api/{feature}/[id]/route.ts Get, update, delete endpoints
dashboard/{feature}/page.tsx List view with search, filter, sort
dashboard/{feature}/[id]/page.tsx Detail view with edit mode
dashboard/{feature}/components/Form.tsx Reusable create/edit form
dashboard/{feature}/components/List.tsx Table/list display component
dashboard/{feature}/types.ts TypeScript interfaces

Supported Stacks

Launch Crate works with any Next.js project. It auto-detects:

Layer Supported
Router App Router, Pages Router
Language TypeScript, JavaScript
Database Prisma, Drizzle, raw SQL (pg/mssql), Supabase, Mongoose
Auth NextAuth/Auth.js, Clerk, Supabase Auth, Auth0
Styling Tailwind CSS, CSS Modules, styled-components

GitHub Action

Add Launch Crate to your CI pipeline to audit every pull request:

# .github/workflows/vibecheck.yml
name: Vibe Safety Check
on: [pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tjpinder/launchcrate-cli@v1

The action:

  • Posts a PR comment with your Vibe Safety Score and findings breakdown
  • Fails the check if critical issues are found (configurable)
  • Updates the comment on subsequent pushes (no spam)

Options

- uses: tjpinder/launchcrate-cli@v1
  with:
    fail-on-critical: 'true'        # Block merge on critical findings (default: true)
    comment-on-pr: 'true'           # Post results as PR comment (default: true)
    working-directory: 'apps/web'   # For monorepos (default: repo root)

Safe Zones

The core idea: some files should never be generated or modified by AI.

init automatically identifies safe zones. guard writes them into CLAUDE.md. scaffold respects them when generating code. Customize in .launchcrate.json:

{
  "safeZones": [
    "**/auth/**",
    "**/lib/db.*",
    "**/middleware.*",
    "**/lib/billing.*",
    "**/api/webhooks/**"
  ]
}

Setup

# In your .env or .env.local
ANTHROPIC_API_KEY=sk-ant-...

Required for scaffold (AI code generation) and guard (project-specific rules). Without it, both commands fall back to templates.

audit and init work without an API key.

FAQ

Does this modify my existing files? No. Launch Crate only creates new files. guard generates new CLAUDE.md/.cursorrules files (with confirmation if they exist). scaffold only creates new feature files. Nothing reads, modifies, or deletes your existing code.

Can I use this in CI? Yes. audit exits with code 1 on critical findings and supports --json output. Use it as a CI gate to block unsafe merges.

Does it work with monorepos? Run commands from the app directory (e.g., apps/web), not the monorepo root.

What if I don't have an Anthropic API key? audit and init work without one. scaffold falls back to basic templates. guard falls back to stack-based rules.

Can I customize the generated code? Yes — it's your code. The reference files in .launchcrate.json influence future generations, so the more consistent your codebase, the better the output.

License

MIT

Built with Launch Crate? Test it with VibeProof — AI-powered QA for your vibe-coded app.