remove sweep safety, snapshot codemods on records, and fix package-home cardinality scope
- Refuse to sweep `packages/<dir>/` in two new cases: (1) stray non-Stanza files exist under the dir (user-authored secrets, scratch scripts, etc.), and (2) a still-installed module lists the dir in `consumesPackages` — both append to `manualCleanup` with targeted hints instead of silently destroying user work; `findStrayFiles` and `collectConsumesPackagesProtectors` (parallel `Promise.all` over all installed records) implement the checks - Snapshot `codemods` onto each `StanzaModuleRecord` at install time; `remove` drives `revertCodemods` from that snapshot so reversal is correct even when the upstream registry has renamed the adapter or reshuffled codemod ids since install — falls back to the live registry entry only when no snapshot is present - Fix cardinality scope in `add` for package-home and repo-home categories: pass `undefined` (not `pickedAppId`) to `selectedAll` so the per-project uniqueness check covers all apps; previously a second install targeting a different app could slip past the check only to fail on the next read - Use composite owner keys (`<id>@<app>`) in `regionsOwnedBy` for app-home installs so two apps installing the same module don't share a region owner and accidentally release each other's claims during remove; bare `<id>` fallback covers pre-snapshot manifests and non-app homes - Refactor `applyCodemods` / `revertCodemods` to accept `codemods`, `adapterKey`, and `consumesPackages` directly rather than full `Module` + adapter objects; add a comprehensive `codemod-runner.test.ts` covering apply, revert, dry-run, idempotency, and error paths for all built-in codemod types - Add `packages/registry/src/safe-path.ts` with `safePath` / `isSafePath` guards and tests; use in the codemod runner to reject path-traversal write targets before any disk touch - Add `set-tsconfig-paths` builtin codemod with tests; harden `add-array-entry-in-call`, `add-jsx-child`, `wrap-root-layout`, and `replace-import` for idempotency and edge cases - Validate unknown `--app` flags early in `remove` with a targeted error before any registry fetch; replace the `posthog-provider` React component and `posthog.server.ts` in the web app with a unified `analytics.ts` / `api.events.ts` pattern
Stanza
Modular monorepo template CLI — aka shadcn for full-stack TypeScript projects.
npm init stanza my-revolutionary-app
Pick a framework, ORM, database, auth provider, and UI — get a clean monorepo with idiomatic code, vendored into your repo. Layer in more modules later with stanza-cli add.
Warning
Major work in progress! See the module registry for the roadmap.
Why Stanza?
addworks afterinit. Runstanza addon an existing project — it's manifest-driven and peer-aware, so it picks the right adapter for your stack and wires deps, env, and templates into the correct workspace package.- Your code, vendored. Generated files land in your repo verbatim. There's no Stanza runtime to install or carry around.
- Open registry. Modules are static JSON. Point the CLI at your own host and serve custom modules.
Quick start
npm init stanza my-app
cd my-app
npm install
npm run dev
Add a module to an existing project at any time:
npx stanza-cli add auth better-auth
auth, db, and orm install into their own internal workspace packages (packages/auth/, packages/db/, named @<your-app>/auth, @<your-app>/db); your app consumes them via workspace:*. Swapping an auth provider replaces the contents of packages/auth/ without touching your app's imports.
Docs
Full guides and the CLI reference live at stanza.tools/docs. Assemble a stack visually with the builder at stanza.tools.
What's inside
apps/
cli/ # stanza-cli — the CLI binary
web/ # https://stanza.tools (TanStack Start)
packages/
registry/ # shared schema, slot/peer/capability resolver
codemods/ # ts-morph helpers for region-aware patching
create-stanza/ # `npm init stanza` template shim
registry/
modules/ # first-party modules (framework, orm, db, auth, ui, tooling, testing)