feat: initial commit (v0.1.0)

Author: local-scaffold

.gitignore

@@ -0,0 +1,11 @@
+.DS_Store
+node_modules/
+*.log
+.env
+.env.local
+dist/
+.next/
+build/
+coverage/
+playwright-report/
+test-results/

README.md

@@ -0,0 +1,68 @@
+# Stack
+
+Tech defaults, configs, and working starters for products built within the [bloom](https://github.com/derrybirkett/bloom) system.
+
+Stack is the answer to "what do I default to when I want to ship quickly without re-deciding the same basics every time."
+
+## Two profiles
+
+Stack exposes two profiles. A product picks one at bootstrap.
+
+| Profile | Thesis | Stage fit |
+|---|---|---|
+| **lite** (default) | Vercel + Supabase + single Next.js app | Discovery, MVP, validation, single-team |
+| **full** | Nx monorepo + NestJS API + Postgres-in-Docker + custom auth | Post-validation, regulated, on-prem, portability needs |
+
+The default contract is in [`stack.yaml`](stack.yaml) — that file IS the lite profile. The full profile lives in [`profiles/full.yaml`](profiles/full.yaml).
+
+Default to lite. Most products will never graduate to full; that's a feature.
+
+## What's in stack
+
+```
+stack/
+  README.md
+  stack.yaml                    # the lite contract (canonical default)
+  profiles/
+    full.yaml                   # the full contract (heavyweight thesis from retired hatch)
+  configs/                      # portable config fragments
+    typescript/tsconfig.base.json
+    eslint/eslint.config.js
+    prettier/.prettierrc
+    github/ci.yml
+    git/hooks/pre-commit-no-main
+  templates/
+    lite/                       # working Next.js + Supabase starter (Phase 4)
+    full/                       # working Nx + NestJS starter (Phase 4, from hatch salvage)
+  docs/
+    ui-baseline.md              # the 5-component baseline
+  decisions/
+    0001-vercel-supabase-default.md
+```
+
+## How to consume
+
+Three valid modes.
+
+**Reference**: read `stack.yaml`, copy the bits you need into your product manually. Best for products with custom constraints.
+
+**Submodule**: mount stack under `.bloom/stack/` and reference configs by path. Best for normal use — get versioned reuse without copying.
+
+```bash
+git submodule add https://github.com/derrybirkett/stack .bloom/stack
+ln -s .bloom/stack/configs/typescript/tsconfig.base.json tsconfig.base.json
+```
+
+**Selective copy**: bootstrap from a starter template under `templates/`, then diverge. Best when speed matters most.
+
+## When to deviate
+
+A product may deviate from the contract. When it does, record the deviation in the product's own `decisions/NNNN-deviate-from-stack.md` ADR with rationale. Three or more products deviating on the same concern is a signal to update the stack contract — open an ADR here.
+
+## Versioning
+
+Patch bumps for clarifications and config fragment updates. Minor for additions (new profile, new config fragment). Major for breaking semantic changes (changing a default vendor in the lite profile).
+
+## License
+
+MIT

configs/eslint/eslint.config.js

@@ -0,0 +1,32 @@
+// Shared ESLint flat config for bloom-built products.
+//
+// Consumption: products extend this in their own eslint.config.js:
+//
+//   import bloomConfig from '.bloom/stack/configs/eslint/eslint.config.js';
+//   export default [...bloomConfig, { /* project overrides */ }];
+//
+// Keep this file minimal. Project-specific rules belong in the consuming
+// product, not here.
+
+import js from '@eslint/js';
+import tseslint from 'typescript-eslint';
+
+export default [
+  js.configs.recommended,
+  ...tseslint.configs.recommended,
+  {
+    rules: {
+      // Strict but pragmatic
+      '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }],
+      '@typescript-eslint/no-explicit-any': 'warn',
+      '@typescript-eslint/consistent-type-imports': 'error',
+      'no-console': ['warn', { allow: ['warn', 'error'] }],
+      'prefer-const': 'error',
+      'no-var': 'error',
+      'eqeqeq': ['error', 'always'],
+    },
+  },
+  {
+    ignores: ['node_modules/**', 'dist/**', '.next/**', 'build/**', 'coverage/**'],
+  },
+];

configs/git/hooks/pre-commit-no-main

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+#
+# pre-commit hook: block direct commits to main.
+#
+# Install locally:
+#   cp .bloom/stack/configs/git/hooks/pre-commit-no-main .git/hooks/pre-commit
+#   chmod +x .git/hooks/pre-commit
+#
+# Or install globally (one-time):
+#   mkdir -p ~/.git-hooks
+#   cp pre-commit-no-main ~/.git-hooks/pre-commit
+#   chmod +x ~/.git-hooks/pre-commit
+#   git config --global core.hooksPath ~/.git-hooks
+#
+# Salvaged from the council repo's "no commits on main" pattern. Applies the
+# same rule to every bloom-built product.
+
+set -euo pipefail
+
+branch=$(git symbolic-ref --short HEAD 2>/dev/null || echo "")
+
+if [[ "$branch" == "main" || "$branch" == "master" ]]; then
+  echo ""
+  echo "ERROR: direct commits to '$branch' are not allowed."
+  echo ""
+  echo "Create a branch instead:"
+  echo "  git checkout -b feat/your-change"
+  echo "  git commit ..."
+  echo "  git push -u origin feat/your-change"
+  echo ""
+  echo "Then open a pull request for review and squash-merge."
+  echo ""
+  exit 1
+fi
+
+exit 0

configs/github/ci.yml

@@ -0,0 +1,92 @@
+# GitHub Actions CI workflow for bloom-built products (lite profile).
+#
+# Copy this into a product's .github/workflows/ci.yml. Adjust the e2e step
+# if the product needs a different browser matrix.
+#
+# Salvaged and refined from the retired hatch repo's CI pattern.
+
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  ci:
+    name: Typecheck + Lint + Build + Test
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Typecheck
+        run: pnpm typecheck
+
+      - name: Lint
+        run: pnpm lint
+
+      - name: Unit tests
+        run: pnpm test
+
+      - name: Build
+        run: pnpm build
+
+      - name: Audit
+        run: pnpm audit --audit-level=high
+        continue-on-error: true
+
+  e2e:
+    name: E2E (Playwright)
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    needs: ci
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Install Playwright browsers
+        run: pnpm exec playwright install --with-deps chromium
+
+      - name: Run e2e tests
+        run: pnpm test:e2e
+
+      - name: Upload Playwright report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: playwright-report
+          path: playwright-report/
+          retention-days: 7

configs/prettier/.prettierrc

@@ -0,0 +1,11 @@
+{
+  "semi": true,
+  "trailingComma": "all",
+  "singleQuote": true,
+  "printWidth": 100,
+  "tabWidth": 2,
+  "useTabs": false,
+  "arrowParens": "always",
+  "bracketSpacing": true,
+  "endOfLine": "lf"
+}

configs/typescript/tsconfig.base.json

@@ -0,0 +1,38 @@
+{
+  "$schema": "https://json.schemastore.org/tsconfig",
+  "compilerOptions": {
+    "target": "ES2022",
+    "lib": ["ES2022", "DOM", "DOM.Iterable"],
+    "module": "ESNext",
+    "moduleResolution": "Bundler",
+    "jsx": "preserve",
+    "allowJs": false,
+    "checkJs": false,
+
+    "strict": true,
+    "noImplicitAny": true,
+    "strictNullChecks": true,
+    "strictFunctionTypes": true,
+    "strictBindCallApply": true,
+    "strictPropertyInitialization": true,
+    "noImplicitThis": true,
+    "alwaysStrict": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noFallthroughCasesInSwitch": true,
+    "noImplicitReturns": true,
+    "noUncheckedIndexedAccess": true,
+
+    "esModuleInterop": true,
+    "allowSyntheticDefaultImports": true,
+    "forceConsistentCasingInFileNames": true,
+    "isolatedModules": true,
+    "resolveJsonModule": true,
+    "skipLibCheck": true,
+    "incremental": true,
+
+    "declaration": false,
+    "sourceMap": true
+  },
+  "exclude": ["node_modules", "dist", ".next", "build"]
+}

decisions/0001-vercel-supabase-default.md

@@ -0,0 +1,49 @@
+# ADR-0001: Lite profile default is Vercel + Supabase + single Next.js app
+
+Date: 2026-05-07
+Status: Accepted
+
+## Context
+
+The previous bloom-system iteration carried four conflicting "what is the default stack" definitions across `prefs/prefs.yaml`, `stack/docs/stacks/vercel-stack.md`, `skills/CLAUDE.md`, and `skills/skills/vercel-saas-stack/spec.yaml`. They disagreed on package manager (npm vs pnpm), auth + db provider (Supabase vs Clerk + Neon), and monorepo strategy (Nx vs single Next app). New products bootstrapped from "bloom" got incompatible answers depending on which file was read first.
+
+A canonical default must be picked and documented in exactly one place.
+
+## Decision
+
+The lite profile, defined in [`stack.yaml`](../stack.yaml), uses:
+
+- Framework: Next.js (App Router) + TypeScript on Vercel.
+- Package manager: pnpm.
+- Auth + database: Supabase (via `@supabase/ssr`).
+- UI: Tailwind + shadcn/ui (copied into project), monochrome zinc palette.
+- Testing: Vitest (unit) + Playwright (e2e), Chromium-only by default.
+- Payments: Stripe (Checkout + Customer Portal).
+- Email: Resend.
+- Analytics: PostHog + Vercel Analytics + Sentry.
+
+A second profile, `full`, is preserved at [`profiles/full.yaml`](../profiles/full.yaml) for products that need ownership/portability (Nx + NestJS + Postgres-in-Docker + custom JWT). Default is lite.
+
+## Consequences
+
+**Positive**:
+- Time-to-first-deploy under an hour for the common case.
+- Single managed-services vendor for auth + db + storage (Supabase) reduces integration surface.
+- shadcn copied-in pattern means no runtime UI dependency.
+- pnpm gives strict dep resolution and disk efficiency across many side projects.
+- The `full` profile preserves the heavyweight thesis for the rare product that needs it, without forcing it on every bootstrap.
+
+**Negative**:
+- Vendor lock-in on Vercel + Supabase + Stripe. Acceptable for validation-stage products; the full profile is the escape hatch when not.
+- Single Next.js app is harder to split into multiple deployables if a product grows. Acceptable; that's the graduation signal for full.
+- pnpm installation is a one-time tax on a fresh machine.
+
+## Alternatives considered
+
+**Clerk + Neon for auth + db**: Best-in-class auth UX, but adds a second vendor and SSO/B2B-org features that the user does not yet need. Documented as the alternative path when those needs emerge.
+
+**Nx + 3-app monorepo as default**: Solves portability and team-scale problems the user does not have yet. Adds operational complexity (multiple servers, more CI surface) for negligible gain at validation stage. Preserved as the `full` profile.
+
+**npm as the package manager**: Lower mental overhead, every tutorial assumes it. But pnpm's strict resolution and disk savings compound across many side projects; Vercel's docs increasingly default to pnpm. Documented npm as the acceptable fallback when consuming external starters that hard-assume it.
+
+**Drizzle + Neon instead of Supabase native**: Drizzle is a fine ORM but pairs more naturally with Neon. With Supabase, the native client + RLS pattern is the better fit and removes one moving part.