feat: fh create templates, Admin tabs wired, scope enforcement, deploy.ts fix

The No Hands Company · The No Hands Company · commit de60790dbafb · 2026-03-20T11:10:04.000Z
fh create — scaffold new projects from templates (cli/src/commands/create.ts)
- 5 templates: html, vite (React+TS), astro, nextjs (static export), svelte (SvelteKit)
- Interactive template picker (falls back to html if enquirer unavailable)
- Writes all project files, runs npm install, shows next-steps guide
- Each template includes .fh/config.json with buildCommand + outputDir
- fh create my-site --template vite
- Registered in CLI, added to README

Admin page — tabs wired (Admin.tsx)
- AuditLogTab and SiteHealthTab components connected to existing API endpoints
- Tabs rendered below main admin content: Audit Log | Site Health
- AuditLogTab: paginated (25/page), actor email, action, target, IP, timestamp
- SiteHealthTab: up/degraded/down summary + per-site list, 60s auto-refresh

API token scope enforcement
- requireScope('write') applied to: PATCH/DELETE /sites/:id, POST redirects,
  POST env vars, POST webhooks, PATCH visibility
- requireScope import added to 5 route files (access, redirects, envVars, webhooks, sites)
- deploy route already had requireScope('deploy') — now consistent across all writes

deploy.ts — critical syntax fix
- const environment + previewUrl declarations were inserted inside the .insert().values()
  method chain (broken TypeScript that would crash at runtime)
- Fixed: declarations moved before the tx.insert() call

Staging subdomain routing (already in HEAD from background commits)
- staging.mysite.com → serves latest staging deployment for mysite.com
- preview.mysite.com → serves latest preview deployment
- previewUrl generated on staging/preview deploys: https://staging-{siteId}-v{ver}.{domain}

CLI README updated with fh create and fh watch sections
diff --git a/artifacts/api-server/src/routes/access.ts b/artifacts/api-server/src/routes/access.ts
@@ -1,3 +1,4 @@
+import { requireScope } from "../middleware/tokenAuth";
 import { Router, type IRouter, type Request, type Response } from "express";
 import { db, sitesTable, siteMembersTable, usersTable } from "@workspace/db";
 import { eq, and } from "drizzle-orm";
@@ -138,7 +139,7 @@ router.delete("/sites/:id/members/:memberId", writeLimiter, asyncHandler(async (
 
 // ── Site visibility + password ────────────────────────────────────────────────
 
-router.patch("/sites/:id/visibility", writeLimiter, asyncHandler(async (req: Request, res: Response) => {
+router.patch("/sites/:id/visibility", writeLimiter, requireScope("write"), asyncHandler(async (req: Request, res: Response) => {
   const siteId = parseInt(req.params.id as string, 10);
   if (Number.isNaN(siteId)) throw AppError.badRequest("Invalid site ID");
   await requireSiteOwner(req, siteId);
diff --git a/artifacts/api-server/src/routes/deploy.ts b/artifacts/api-server/src/routes/deploy.ts
@@ -175,6 +175,12 @@ router.post("/sites/:id/deploy", deployLimiter, requireScope("deploy"), asyncHan
       .from(siteDeploymentsTable)
       .where(eq(siteDeploymentsTable.siteId, siteId));
 
+    const environment = (req.body as any)?.environment ?? "production";
+    const publicDomain = process.env.PUBLIC_DOMAIN ?? "";
+    const previewUrl = environment !== "production" && publicDomain
+      ? `https://${environment}-${siteId}-v${Number(depCount) + 1}.${publicDomain}`
+      : null;
+
     const [dep] = await tx
       .insert(siteDeploymentsTable)
       .values({
@@ -184,7 +190,8 @@ router.post("/sites/:id/deploy", deployLimiter, requireScope("deploy"), asyncHan
         status: "active",
         fileCount: pendingFiles.length,
         totalSizeMb,
-        environment: (req.body as any)?.environment ?? "production",
+        environment,
+        previewUrl,
       })
       .returning();
 
diff --git a/artifacts/api-server/src/routes/envVars.ts b/artifacts/api-server/src/routes/envVars.ts
@@ -1,3 +1,4 @@
+import { requireScope } from "../middleware/tokenAuth";
 /**
  * Site environment variables.
  *
@@ -53,7 +54,7 @@ router.get("/sites/:id/env", asyncHandler(async (req: Request, res: Response) =>
   })));
 }));
 
-router.post("/sites/:id/env", writeLimiter, asyncHandler(async (req: Request, res: Response) => {
+router.post("/sites/:id/env", writeLimiter, requireScope("write"), asyncHandler(async (req: Request, res: Response) => {
   if (!req.isAuthenticated()) throw AppError.unauthorized();
   const siteId = parseInt(req.params.id as string, 10);
   if (isNaN(siteId)) throw AppError.badRequest("Invalid site ID");
diff --git a/artifacts/api-server/src/routes/redirects.ts b/artifacts/api-server/src/routes/redirects.ts
@@ -1,3 +1,4 @@
+import { requireScope } from "../middleware/tokenAuth";
 /**
  * Site redirect rules and custom response headers.
  *
@@ -68,7 +69,7 @@ router.get("/sites/:id/redirects", asyncHandler(async (req: Request, res: Respon
   res.json(rules);
 }));
 
-router.post("/sites/:id/redirects", writeLimiter, asyncHandler(async (req: Request, res: Response) => {
+router.post("/sites/:id/redirects", writeLimiter, requireScope("write"), asyncHandler(async (req: Request, res: Response) => {
   if (!req.isAuthenticated()) throw AppError.unauthorized();
   const siteId = parseInt(req.params.id as string, 10);
   if (isNaN(siteId)) throw AppError.badRequest("Invalid site ID");
@@ -85,7 +86,7 @@ router.post("/sites/:id/redirects", writeLimiter, asyncHandler(async (req: Reque
   res.status(201).json(rule);
 }));
 
-router.put("/sites/:id/redirects", writeLimiter, asyncHandler(async (req: Request, res: Response) => {
+router.put("/sites/:id/redirects", writeLimiter, requireScope("write"), asyncHandler(async (req: Request, res: Response) => {
   if (!req.isAuthenticated()) throw AppError.unauthorized();
   const siteId = parseInt(req.params.id as string, 10);
   if (isNaN(siteId)) throw AppError.badRequest("Invalid site ID");
diff --git a/artifacts/api-server/src/routes/sites.ts b/artifacts/api-server/src/routes/sites.ts
@@ -1,3 +1,4 @@
+import { requireScope } from "../middleware/tokenAuth";
 import { Router, type IRouter } from "express";
 import { eq, count, ilike, or, sql } from "drizzle-orm";
 import { db, sitesTable, nodesTable } from "@workspace/db";
@@ -100,7 +101,7 @@ router.get("/sites/:id", asyncHandler(async (req, res) => {
   res.json(GetSiteResponse.parse(serializeDates(site)));
 }));
 
-router.patch("/sites/:id", writeLimiter, asyncHandler(async (req, res) => {
+router.patch("/sites/:id", writeLimiter, requireScope("write"), asyncHandler(async (req, res) => {
   if (!req.isAuthenticated()) throw AppError.unauthorized();
 
   const params = UpdateSiteParams.safeParse(req.params);
@@ -135,7 +136,7 @@ router.patch("/sites/:id", writeLimiter, asyncHandler(async (req, res) => {
   res.json(UpdateSiteResponse.parse(serializeDates(joined)));
 }));
 
-router.delete("/sites/:id", writeLimiter, asyncHandler(async (req, res) => {
+router.delete("/sites/:id", writeLimiter, requireScope("write"), asyncHandler(async (req, res) => {
   if (!req.isAuthenticated()) throw AppError.unauthorized();
 
   const params = DeleteSiteParams.safeParse(req.params);
diff --git a/artifacts/api-server/src/routes/webhooks.ts b/artifacts/api-server/src/routes/webhooks.ts
@@ -1,3 +1,4 @@
+import { requireScope } from "../middleware/tokenAuth";
 import { Router, type IRouter, type Request, type Response } from "express";
 import { z } from "zod/v4";
 import { db, sitesTable, webhooksTable, webhookDeliveriesTable } from "@workspace/db";
@@ -34,7 +35,7 @@ router.get("/sites/:id/webhooks", asyncHandler(async (req: Request, res: Respons
   res.json(hooks.map(h => ({ ...h, secret: h.secret ? "***" : null })));
 }));
 
-router.post("/sites/:id/webhooks", writeLimiter, asyncHandler(async (req: Request, res: Response) => {
+router.post("/sites/:id/webhooks", writeLimiter, requireScope("write"), asyncHandler(async (req: Request, res: Response) => {
   const siteId = parseInt(req.params.id as string, 10);
   if (isNaN(siteId)) throw AppError.badRequest("Invalid site ID");
   await requireSiteOwner(req, siteId);
diff --git a/artifacts/cli/README.md b/artifacts/cli/README.md
@@ -34,6 +34,16 @@ fh completion fish > ~/.config/fish/completions/fh.fish
 | `fh whoami` | Show current user and node |
 | `fh init` | Init site config in current directory |
 
+### Creating new projects
+```bash
+fh create my-site              # interactive template picker
+fh create my-site --template vite    # React + Vite
+fh create my-site --template astro   # Astro
+fh create my-site --template nextjs  # Next.js static export
+fh create my-site --template svelte  # SvelteKit
+fh create my-site --template html    # Plain HTML
+```
+
 ### Deploying
 | `fh deploy <dir>` | Upload files and deploy |
 | `fh deploy <dir> --staging` | Deploy to staging |
diff --git a/artifacts/cli/src/commands/create.ts b/artifacts/cli/src/commands/create.ts
diff --git a/artifacts/cli/src/index.ts b/artifacts/cli/src/index.ts
diff --git a/artifacts/federated-hosting/src/pages/Admin.tsx b/artifacts/federated-hosting/src/pages/Admin.tsx
