create-fast-express-structure

A production-grade scaffolder for clean, scalable MVC Express.js applications.

Created by Youssef Selk.

It behaves like modern create-* tooling: polished prompts by default, complete non-interactive flags for automation, safe file writes, optional dependency installation, and professional project structures that are ready for real work.

Highlights

• TypeScript or JavaScript
• ES Modules or CommonJS
• Minimal MVC foundation by default
• Dynamic add-on prompts that appear only after a feature is selected
• MVC plus optional feature modules
• Security-conscious optional middleware: Helmet with CSP, explicit CORS credentials, configurable trust proxy, rate limiting, input validation, request IDs, centralized errors
• Optional TailwindCSS + EJS views
• Optional JWT auth starter and RBAC middleware
• Optional MongoDB/Mongoose or PostgreSQL/Prisma/Drizzle starter
• Optional Vitest/Jest, ESLint/Biome, Prettier, Docker, Git, Husky, Commitlint
• Dry-run, force, skip-install, preset, and CI-friendly --yes modes
• TypeScript setup goes through fast-ts-integrator
• Generated apps include a security:audit script; Swagger is emitted only when selected and stays disabled until ENABLE_SWAGGER=true

Usage

npm create fast-express-structure@latest my-api
npx create-fast-express-structure my-api --template secure-api --language ts --module esm
fes my-api --language js --module cjs --no-tailwind --no-env --skip-install
fes my-api --yes --skip-install
fes my-api --auth --validation --rate-limit --env
fes data-api --db postgresql --orm prisma --env --no-tailwind
fes my-api --dry-run --template mvc-full

Presets

• minimal: small Express MVC baseline with no optional add-ons
• api: TypeScript API with validation, logging, and versioned routes
• secure-api: explicit preset with security middleware enabled
• mvc-full: views, Tailwind, auth, Swagger, PostgreSQL/Prisma, Docker, and Git

Flags

--yes
--template <minimal|api|secure-api|mvc-full>
--language <ts|js>
--module <esm|cjs>
--pm <npm|pnpm|yarn>
--tailwind / --no-tailwind
--env / --no-env
--lint <none|eslint|biome>
--format
--test <none|vitest|jest>
--docker
--examples
--health-check
--validation
--logger
--error-handling
--rate-limit
--helmet
--cors
--compression
--auth
--jwt
--rbac
--db <none|mongodb|postgresql>
--orm <mongoose|prisma|drizzle>
--swagger
--api-versioning
--git
--skip-install
--dry-run
--force

fast-ts-integrator Integration

When --language ts is selected, the generator delegates TypeScript setup to fast-ts-integrator through src/integrations/fastTsIntegrator.ts.

The adapter intentionally owns the coupling because fast-ts-integrator@1.0.2 is CLI-first and does not expose a documented library API. The preferred path uses its generator module for tsconfig, lint, and test setup. If that internal API changes, the adapter falls back to a local strict NodeNext tsconfig.

The rest of this package depends only on the adapter contract.

Generated Structure

my-app/
  src/
    app.ts
    server.ts
    index.ts
    config/
    controllers/
    middlewares/
    routes/
    services/
    modules/       # only when selected feature packs need modules
    utils/         # only when selected feature packs need utilities
    views/         # only with Tailwind/EJS
    public/        # only with Tailwind/EJS
  tests/           # only when testing is selected
  package.json
  README.md
  .env.example     # only when dotenv support is selected

Development

npm install
npm run typecheck
npm test
npm run build

Security Posture

• Creator attribution is checked by npm run verify:authorship before pack and publish.
• Published package metadata includes publishConfig.provenance=true for provenance-aware release workflows.
• .env, local npm config, private keys, and certificate files are ignored by default.
• TRUST_PROXY defaults to loopback instead of broad proxy trust.
• Optional CORS credentials default to false and wildcard origins are rejected when credentials are enabled.
• Optional JWT starters sign and verify with explicit issuer, audience, and algorithm settings.
• Optional auth login routes get a stricter rate limiter when rate limiting is selected.
• Optional Docker templates run as the node user, use dumb-init, and include a health check.

Publish Checklist

1. Confirm the npm package owner is Youssef Selk and account 2FA is enabled.
2. Prefer npm trusted publishing with OIDC, then configure package publishing access to disallow traditional tokens.
3. Run npm run verify:authorship.
4. Run npm run prepack.
5. Run npm run publish:dry-run.
6. Verify dist, bin, templates, README.md, LICENSE, NOTICE, and SECURITY.md are included.
7. Check the generated tarball by scaffolding a temporary TS ESM app and a JS CJS app.
8. Publish with provenance from a clean git tag.

Template Maintenance

Templates live in templates/ and are registered in src/templates/registry.ts. Keep feature decisions in the registry and keep file contents in templates. This makes new template packs and snapshot testing straightforward over time.

Future Improvements

• External template pack API
• Redis cache starter
• OpenTelemetry starter
• Kubernetes manifests
• GitHub Actions workflow generation
• Migration mode for existing Express apps