git.stevedylan.dev

chore: docs updates e911147a

Steve Simkins · 2026-05-20 20:31 3 file(s) · +592 −531

docs/docs/pages/diy/skills.mdx +6 −0


The canonical CSS and fonts live in the [`crates-go/darkmatter`](https://github.com/stevedylandev/andromeda/tree/main/crates-go/darkmatter) module. Mount its handler set and link `/assets/darkmatter.css` from your templates — the skill guides style decisions while the module serves the actual bytes.

## andromeda-stack

[`andromeda-stack`](https://github.com/stevedylandev/andromeda/tree/main/skills/andromeda-stack/SKILL.md) scaffolds a new Go CRUD app in the monorepo using the standard project layout: `net/http` mux, `html/template`, `modernc.org/sqlite`, and the `crates-go/{auth,web,config,sqlite,darkmatter}` packages wired in via `replace` directives.

It covers the full app shape — `main.go` / `app.go` / `routes.go` / `db.go` / `handlers_*.go` / `templates/` / `static/` — plus session vs. API-key vs. bearer auth, the multi-stage `CGO_ENABLED=0` Dockerfile, and the workspace files that need updating (root `docker-compose.yml`, both `.github/workflows/docker*.yml` lists) so a new app actually ships.

## Installing

Use [`npx skills add`](https://github.com/vercel-labs/skills) to pull the skill directly from the repo:

docs/docs/pages/diy/stack.mdx +7 −2

Provides session-based password authentication used across apps that require login. It handles:

- Constant-time password verification (bcrypt + plain)
- Session cookie management with an in-memory store
- Session cookie management backed by a `sessions` table in the app's SQLite DB
- `RequireSession`, `RequireAPIKey`, and `RequireBearerOrSession` middleware
- Short-id and session-token generators

### crates-go/sqlite

Thin bootstrap around `database/sql` + `modernc.org/sqlite`. `Open(path, schema)` opens the DB with the project defaults (`PRAGMA foreign_keys=ON`, single open connection) and applies an optional schema string on first open.

### crates-go/web


import "github.com/stevedylandev/andromeda/crates-go/darkmatter"

mux := http.NewServeMux()
darkmatter.Mount(mux)
darkmatter.Mount(mux, "/assets")
```

Then reference `/assets/darkmatter.css` from your templates instead of duplicating the styles per app.

skills/andromeda-stack/SKILL.md +579 −529

---
name: Andromeda Stack
description: Scaffold a Rust CRUD web application with Axum, SQLite, Askama templates, andromeda-auth session auth, embedded static assets, and Docker deployment. Use when the user wants to build a new Rust web server with CRUD operations in the andromeda monorepo.
description: Scaffold a Go CRUD web app using net/http + html/template + modernc.org/sqlite + the shared andromeda crates-go packages (auth, web, config, sqlite, darkmatter). Use when the user wants to build a new Go web server with CRUD operations in the andromeda monorepo.
---

# Rust Andromeda Web App
# Go Andromeda Web App

## Overview

Scaffold and build Rust CRUD web applications in the andromeda workspace using Axum + SQLite + Askama templates + `andromeda-auth` for authentication. The result is a single binary web server with HTML pages, a JSON API, optional session or API key auth, and Docker deployment.
Scaffold and build Go CRUD web apps in the andromeda workspace using the
standard library `net/http` mux, `html/template`, `modernc.org/sqlite` (pure
Go, no cgo) and the shared `crates-go/*` packages. Each app ships a single Go
binary with HTML pages, a JSON API, optional session or API key auth, embedded
templates + static assets via `embed.FS`, and Docker deployment.

Apps live under `apps/<name>/`. Each app is its own Go module. Shared packages
live under `crates-go/` and are each their own module, wired in via local
`replace` directives.

All apps live under `apps/` in the workspace and share dependencies via the root `Cargo.toml`. Shared crates live under `crates/`:
Shared crates:

- `andromeda-auth` — password verify, session token, cookie helpers
- `andromeda-db` — DB connection helpers, optional `session` feature
- `andromeda-darkmatter-css` — shared CSS theme
- `crates-go/auth` — session `Store`, `RequireSession` / `RequireAPIKey` /
  `RequireBearerOrSession` middleware, `SecureEqual`, `VerifyPassword`
  (bcrypt or plaintext), `GenerateSessionToken`, `GenerateShortID`.
- `crates-go/web` — `Render`, `WriteJSON`, `WriteError`, `DecodeJSON`,
  `EmbeddedHandler`, `RedirectWithError`, `RedirectWithSuccess`, `PathInt64`.
- `crates-go/config` — `LoadDotEnv`, `Getenv`, `GetenvInt`, `GetenvBool`.
- `crates-go/sqlite` — `Open(path, schema)` opens SQLite with the project
  defaults (`PRAGMA foreign_keys=ON`, `SetMaxOpenConns(1)`).
- `crates-go/darkmatter` — embedded shared CSS + fonts plus `Mount(mux,
  "/assets")` to register routes on any `*http.ServeMux`.

## Project Structure

```
apps/app-name/
├── src/
│   ├── main.rs         # Entry point, starts the server
│   ├── server.rs       # Axum routes, middleware, handlers, static asset serving
│   ├── db.rs           # SQLite schema, CRUD functions, error types
│   └── auth.rs         # Session/cookie auth wrapper (uses andromeda-auth crate)
├── templates/          # Askama HTML templates
│   ├── base.html       # Base layout with blocks (title, content)
│   └── *.html          # Pages extend base.html
├── static/             # CSS, fonts, favicons (served via tower-http ServeDir)
│   └── styles.css
├── .env.example        # Environment variable reference
├── Dockerfile          # Multi-stage workspace build
└── docker-compose.yml  # Compose config with volume for DB persistence
├── main.go              # entry point; loads env, opens DB, builds App, starts server
├── app.go               # App struct + embed.FS + page-data structs
├── routes.go            # *http.ServeMux wiring + middleware
├── db.go                # schema, model, CRUD funcs (or thin wrapper around internal/store)
├── handlers_web.go      # HTML handlers (login, index, CRUD pages)
├── handlers_api.go      # JSON API handlers
├── templates/           # html/template files
│   ├── base.html        # layout with {{ block "title" . }} / {{ block "content" . }}
│   └── *.html           # pages that {{ template "base" . }} or define blocks
├── static/              # CSS, JS, images embedded via embed.FS
├── .env.example
├── Dockerfile           # multi-stage Go build, built from repo root
├── docker-compose.yml   # app-local dev compose
├── go.mod / go.sum
└── README.md
```

## Dependencies (Cargo.toml)
Apps with extra surface (e.g. `jotts` has `tui/` + `cmd_*.go` subcommands,
`feeds` has `subscriptions.go` + background poller) layer files on top of this
shape; do not invent new layers unless the app needs them.

## go.mod

Module path: `github.com/stevedylandev/andromeda/apps/<app-name>`. Pin
`go 1.25` (match other apps). Pull the shared crates by their canonical paths
and add `replace` directives for the local checkout:

```go
module github.com/stevedylandev/andromeda/apps/APP_NAME

Apps use workspace dependencies from the root `Cargo.toml`. Use `{ workspace = true }` for shared crates:
go 1.25

```toml
[package]
name = "app-name"
version = "0.1.0"
edition = "2024"
description = "Short app description"
license = "MIT"
repository = "https://github.com/stevedylandev/andromeda"
homepage = "https://github.com/stevedylandev/andromeda"
require (
	github.com/stevedylandev/andromeda/crates-go/auth v0.0.0
	github.com/stevedylandev/andromeda/crates-go/config v0.0.0
	github.com/stevedylandev/andromeda/crates-go/darkmatter v0.0.0
	github.com/stevedylandev/andromeda/crates-go/sqlite v0.0.0
	github.com/stevedylandev/andromeda/crates-go/web v0.0.0
)

[dependencies]
axum = { workspace = true }
tokio = { workspace = true }
serde = { workspace = true }
serde_json = { workspace = true }
rusqlite = { workspace = true }
nanoid = { workspace = true }
rust-embed = { workspace = true }
dotenvy = { workspace = true }
subtle = { workspace = true }
rand = { workspace = true }
tracing = { workspace = true }
tracing-subscriber = { workspace = true }
andromeda-auth = { workspace = true }
andromeda-db = { workspace = true, features = ["session"] }  # if using session auth
andromeda-darkmatter-css = { workspace = true }              # if using shared theme
askama = "0.15"
askama_web = { version = "0.15", features = ["axum-0.8"] }
replace (
	github.com/stevedylandev/andromeda/crates-go/auth       => ../../crates-go/auth
	github.com/stevedylandev/andromeda/crates-go/config     => ../../crates-go/config
	github.com/stevedylandev/andromeda/crates-go/darkmatter => ../../crates-go/darkmatter
	github.com/stevedylandev/andromeda/crates-go/sqlite     => ../../crates-go/sqlite
	github.com/stevedylandev/andromeda/crates-go/web        => ../../crates-go/web
)
```

After creating the app, register it in the workspace root `Cargo.toml` under `[workspace] members`. See **Wiring up a new app** below for the full set of workspace files to update.
Add `crates-go/tui` only if the app ships a TUI. Add `golang.org/x/crypto`,
`yuin/goldmark`, etc. only when the specific app needs them. The Dockerfile
must copy `crates-go/` into the build context for the replace directives.

Only add additional crates when the specific app requires them. Do NOT include TUI crates (ratatui, crossterm), CLI crates (clap), or HTTP client crates (reqwest) unless explicitly requested.
Do NOT add ORMs, web frameworks (gin, echo, chi), connection pools, or HTTP
client libs unless explicitly requested. The stdlib `net/http` mux (with
method-prefixed patterns like `GET /notes/{short_id}`) is sufficient.

- `tracing` + `tracing-subscriber` — structured logging, always include
- `rand` — needed for session token generation when using session-based auth
- `tower-http` — for serving static files from disk via `ServeDir`
## main.go

Minimal — loads env, sets up logging + DB + sessions, starts the server.

```go
package main

## Database Layer (db.rs)
import (
	"html/template"
	"log"
	"log/slog"
	"net/http"
	"os"

Pattern: single-file module with `Arc<Mutex<Connection>>` for thread-safe SQLite access.
	"github.com/stevedylandev/andromeda/crates-go/auth"
	"github.com/stevedylandev/andromeda/crates-go/config"
)

### Structure
func main() {
	config.LoadDotEnv(".env")
	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelInfo}))

```rust
use nanoid::nanoid;
use rusqlite::{Connection, params};
use serde::{Deserialize, Serialize};
use std::fmt;
use std::sync::{Arc, Mutex};
	dbPath := config.Getenv("APP_DB_PATH", "app.sqlite")
	db, err := openDB(dbPath)
	if err != nil {
		log.Fatal(err)
	}
	defer db.Close()

pub type Db = Arc<Mutex<Connection>>;
	sessions := &auth.Store{
		DB:           db,
		CookieName:   "session",
		CookieSecure: config.GetenvBool("COOKIE_SECURE", false),
	}
	if err := sessions.EnsureSchema(); err != nil {
		log.Fatal(err)
	}
	sessions.PruneExpired()

#[derive(Debug)]
pub enum DbError {
    Sqlite(rusqlite::Error),
    LockPoisoned,
}
	tmpl := template.Must(template.ParseFS(appFS, "templates/*.html"))

impl fmt::Display for DbError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            DbError::Sqlite(e) => write!(f, "Database error: {}", e),
            DbError::LockPoisoned => write!(f, "Database lock poisoned"),
        }
    }
}
	password := os.Getenv("APP_PASSWORD")
	if password == "" {
		logger.Warn("APP_PASSWORD not set, using default 'changeme'")
		password = "changeme"
	}
	apiKey := os.Getenv("APP_API_KEY")
	if apiKey == "" {
		logger.Info("APP_API_KEY not set, /api/* will return 403")
	}

impl std::error::Error for DbError {}
	app := &App{
		DB:           db,
		Log:          logger,
		Templates:    tmpl,
		Sessions:     sessions,
		Password:     password,
		APIKey:       apiKey,
		CookieSecure: sessions.CookieSecure,
	}

impl From<rusqlite::Error> for DbError {
    fn from(e: rusqlite::Error) -> Self {
        DbError::Sqlite(e)
    }
	addr := config.Getenv("HOST", "127.0.0.1") + ":" + config.Getenv("PORT", "3000")
	logger.Info("APP_NAME server running", "addr", addr)
	if err := http.ListenAndServe(addr, app.routes()); err != nil {
		log.Fatal(err)
	}
}
```

### Key patterns
Apps that also expose CLI subcommands (e.g. `jotts`, `sipp`) keep `main.go`
as a dispatcher and move `runServer` into `cmd_server.go`.

- **Model struct**: derive `Serialize, Deserialize`, all fields `pub`
- **ID generation**: `nanoid!(10)` for short unique IDs
- **DB path from env**: `std::env::var("APP_DB_PATH").unwrap_or_else(|_| "app.sqlite".to_string())`
- **init_db()**: opens connection, runs `CREATE TABLE IF NOT EXISTS`, returns `Arc<Mutex<Connection>>`
- **CRUD functions**: standalone functions that take `&Db` as first param
  - `create_*` — INSERT, return created model with `last_insert_rowid()`
  - `get_*_by_short_id` — SELECT, return `Result<Option<Model>, DbError>`
  - `get_all_*` — SELECT with ORDER BY id DESC
  - `delete_*_by_short_id` — DELETE, return `Result<bool, DbError>` (rows_affected > 0)
  - `update_*_by_short_id` — UPDATE then SELECT to return updated model
- **Error handling**: `QueryReturnedNoRows` maps to `Ok(None)`, not an error
## app.go — App struct + embed

## Server Layer (server.rs)
Holds dependencies, embedded FS, and per-page data structs.

### Embedded assets with rust_embed
```go
package main

```rust
use rust_embed::Embed;
import (
	"database/sql"
	"embed"
	"html/template"
	"log/slog"

#[derive(Embed)]
#[folder = "assets/"]
struct Assets;
	"github.com/stevedylandev/andromeda/crates-go/auth"
)

#[derive(Embed)]
#[folder = "static/"]
struct Static;
```
//go:embed templates/*.html static/*
var appFS embed.FS

Serve with handlers that match on file path and return correct MIME types:

```rust
fn mime_from_path(path: &str) -> &'static str {
    match path.rsplit('.').next().unwrap_or("") {
        "css" => "text/css",
        "js" => "application/javascript",
        "html" => "text/html",
        "png" => "image/png",
        "ico" => "image/x-icon",
        "svg" => "image/svg+xml",
        "woff" | "woff2" => "font/woff2",
        "ttf" => "font/ttf",
        "otf" => "font/otf",
        "json" | "webmanifest" => "application/json",
        _ => "application/octet-stream",
    }
type App struct {
	DB           *sql.DB
	Log          *slog.Logger
	Templates    *template.Template
	Sessions     *auth.Store
	Password     string
	APIKey       string
	CookieSecure bool
}
```

### App state
type indexPageData struct {
	Items []Item
}

```rust
#[derive(Clone)]
struct AppState {
    db: Db,
    server_config: ServerConfig,
type loginPageData struct {
	Error string
}
```

Add domain-specific fields as needed (e.g., a highlighter, cache, etc).
Page-data structs go here too. Keep names like `<page>PageData`.

### Askama templates
## routes.go

```rust
use askama::Template;
use askama_web::WebTemplate;
Wire routes on a `*http.ServeMux` using method-prefixed patterns. Mount
darkmatter assets and static files. Wrap protected routes with
`Sessions.RequireSession` / `auth.RequireAPIKey`.

#[derive(Template)]
#[template(path = "index.html")]
struct IndexTemplate;
```go
package main

// Templates with data:
#[derive(Template)]
#[template(path = "item.html")]
struct ItemTemplate {
    name: String,
    content: String,
}
```
import (
	"net/http"

Render with `WebTemplate(MyTemplate { ... })`.
	"github.com/stevedylandev/andromeda/crates-go/auth"
	"github.com/stevedylandev/andromeda/crates-go/darkmatter"
	"github.com/stevedylandev/andromeda/crates-go/web"
)

### Route structure
func (a *App) routes() *http.ServeMux {
	mux := http.NewServeMux()

Two sets of routes: **web routes** (HTML pages + form submissions) and **API routes** (JSON).
	mux.HandleFunc("GET /static/", web.EmbeddedHandler(appFS, "static"))
	darkmatter.Mount(mux, "/assets")

**Web routes:**
- `GET /` — index page (template)
- `GET /admin` — admin panel (template)
- `POST /items` — form submission, redirects on success
- `GET /items/{short_id}` — view single item (template)
	requireSession := func(next http.HandlerFunc) http.HandlerFunc {
		return a.Sessions.RequireSession("/login", next)
	}
	requireAPIKey := func(next http.HandlerFunc) http.HandlerFunc {
		return auth.RequireAPIKey(a.APIKey, next)
	}

**API routes:**
- `GET /api/items` — list all (JSON)
- `POST /api/items` — create (JSON body → 201 + JSON)
- `GET /api/items/{short_id}` — get one (JSON)
- `PUT /api/items/{short_id}` — update (JSON body → JSON)
- `DELETE /api/items/{short_id}` — delete (JSON)
	mux.HandleFunc("GET /login", a.loginGetHandler)
	mux.HandleFunc("POST /login", a.loginPostHandler)
	mux.HandleFunc("GET /logout", a.logoutHandler)

**Static asset routes:**
- `GET /assets/{*path}` — embedded assets (favicons, fonts, images)
- `GET /static/{*path}` — embedded static files (CSS)
	mux.HandleFunc("GET /{$}", requireSession(a.indexHandler))
	mux.HandleFunc("GET /items/new", requireSession(a.newItemGetHandler))
	mux.HandleFunc("POST /items", requireSession(a.createItemHandler))
	mux.HandleFunc("GET /items/{short_id}", requireSession(a.viewItemHandler))
	mux.HandleFunc("GET /items/{short_id}/edit", requireSession(a.editItemGetHandler))
	mux.HandleFunc("POST /items/{short_id}", requireSession(a.updateItemHandler))
	mux.HandleFunc("POST /items/{short_id}/delete", requireSession(a.deleteItemHandler))

### Form deserialization
	mux.HandleFunc("GET /api/items", requireAPIKey(a.apiListItems))
	mux.HandleFunc("POST /api/items", requireAPIKey(a.apiCreateItem))
	mux.HandleFunc("GET /api/items/{short_id}", requireAPIKey(a.apiGetItem))
	mux.HandleFunc("PUT /api/items/{short_id}", requireAPIKey(a.apiUpdateItem))
	mux.HandleFunc("DELETE /api/items/{short_id}", requireAPIKey(a.apiDeleteItem))

```rust
#[derive(Deserialize)]
struct CreateItemForm {
    name: String,
    content: String,
	return mux
}
```

Use `Form(form): Form<CreateItemForm>` for HTML forms, `Json(body): Json<CreateItem>` for API.
Notes:
- `GET /{$}` matches exactly `/` (no prefix matching).
- Path params extracted with `r.PathValue("short_id")`.
- For HTML forms (no JS), delete via `POST /items/{short_id}/delete`. The
  `/api/*` routes use real `DELETE`/`PUT`.

### Error responses
## db.go (or internal/store)

- Web handlers return `Result<..., (StatusCode, Html<String>)>`
- API handlers return `Result<..., (StatusCode, Json<serde_json::Value>)>`
- Use `serde_json::json!({"error": "message"})` for API error bodies
Single-file module: schema, model, CRUD. `crates-go/sqlite.Open` handles the
driver, pragmas, and schema bootstrap.

## Authentication
```go
package main

The workspace provides a shared `andromeda-auth` crate at `crates/auth/` with these primitives:
import (
	"database/sql"
	"errors"

```rust
// andromeda-auth public API
pub fn verify_password(input: &str, expected: &str) -> bool;
pub fn generate_session_token() -> String;
pub fn build_session_cookie(token: &str, secure: bool) -> String;
pub fn clear_session_cookie() -> String;
pub fn extract_session_cookie(headers: &axum::http::HeaderMap) -> Option<String>;
```

Apps import `andromeda-auth` via workspace dependency and wrap it in a local `auth.rs` module.
	"github.com/stevedylandev/andromeda/crates-go/auth"
	"github.com/stevedylandev/andromeda/crates-go/sqlite"
)

### Session/cookie auth (for web-facing apps)
type Item struct {
	ID        int64  `json:"id"`
	ShortID   string `json:"short_id"`
	Title     string `json:"title"`
	Content   string `json:"content"`
	CreatedAt string `json:"created_at"`
	UpdatedAt string `json:"updated_at"`
}

The standard pattern for apps that need login (e.g., jotts, parcels, feeds). Create a `src/auth.rs` that wraps the auth crate with app-specific session storage and an Axum extractor.
type ItemInput struct {
	Title   string `json:"title"`
	Content string `json:"content"`
}

**Sessions table in db.rs:**
const itemColumns = `id, short_id, title, content, created_at, updated_at`

```sql
CREATE TABLE IF NOT EXISTS sessions (
const schema = `
CREATE TABLE IF NOT EXISTS items (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    token      TEXT NOT NULL UNIQUE,
    expires_at TEXT NOT NULL
    short_id   TEXT NOT NULL UNIQUE,
    title      TEXT NOT NULL,
    content    TEXT NOT NULL,
    created_at TEXT NOT NULL DEFAULT (datetime('now')),
    updated_at TEXT NOT NULL DEFAULT (datetime('now'))
);
```
`

**Session DB functions in db.rs:**
func openDB(path string) (*sql.DB, error) { return sqlite.Open(path, schema) }

```rust
pub fn insert_session(db: &Db, token: &str, expires_at: &str) -> Result<(), DbError> {
    let conn = db.lock().map_err(|_| DbError::LockPoisoned)?;
    conn.execute("INSERT INTO sessions (token, expires_at) VALUES (?1, ?2)", params![token, expires_at])?;
    Ok(())
func scanItem(s interface{ Scan(...any) error }) (*Item, error) {
	var it Item
	err := s.Scan(&it.ID, &it.ShortID, &it.Title, &it.Content, &it.CreatedAt, &it.UpdatedAt)
	if errors.Is(err, sql.ErrNoRows) {
		return nil, nil
	}
	if err != nil {
		return nil, err
	}
	return &it, nil
}

pub fn get_session_expiry(db: &Db, token: &str) -> Result<Option<String>, DbError> {
    let conn = db.lock().map_err(|_| DbError::LockPoisoned)?;
    match conn.query_row("SELECT expires_at FROM sessions WHERE token = ?1", params![token], |row| row.get(0)) {
        Ok(val) => Ok(Some(val)),
        Err(rusqlite::Error::QueryReturnedNoRows) => Ok(None),
        Err(e) => Err(DbError::Sqlite(e)),
    }
func createItem(db *sql.DB, title, content string) (*Item, error) {
	shortID, err := auth.GenerateShortID(10)
	if err != nil {
		return nil, err
	}
	res, err := db.Exec(`INSERT INTO items (short_id, title, content) VALUES (?, ?, ?)`, shortID, title, content)
	if err != nil {
		return nil, err
	}
	id, err := res.LastInsertId()
	if err != nil {
		return nil, err
	}
	return scanItem(db.QueryRow(`SELECT `+itemColumns+` FROM items WHERE id = ?`, id))
}

pub fn delete_session(db: &Db, token: &str) -> Result<(), DbError> {
    let conn = db.lock().map_err(|_| DbError::LockPoisoned)?;
    conn.execute("DELETE FROM sessions WHERE token = ?1", params![token])?;
    Ok(())
func getItemByShortID(db *sql.DB, shortID string) (*Item, error) {
	return scanItem(db.QueryRow(`SELECT `+itemColumns+` FROM items WHERE short_id = ?`, shortID))
}

pub fn prune_expired_sessions(db: &Db) -> Result<(), DbError> {
    let conn = db.lock().map_err(|_| DbError::LockPoisoned)?;
    conn.execute("DELETE FROM sessions WHERE expires_at < datetime('now')", [])?;
    Ok(())
func listItems(db *sql.DB) ([]Item, error) {
	rows, err := db.Query(`SELECT ` + itemColumns + ` FROM items ORDER BY id DESC`)
	if err != nil {
		return nil, err
	}
	defer rows.Close()
	var out []Item
	for rows.Next() {
		var it Item
		if err := rows.Scan(&it.ID, &it.ShortID, &it.Title, &it.Content, &it.CreatedAt, &it.UpdatedAt); err != nil {
			return nil, err
		}
		out = append(out, it)
	}
	return out, rows.Err()
}

func updateItemByShortID(db *sql.DB, shortID, title, content string) (*Item, error) {
	res, err := db.Exec(`UPDATE items SET title=?, content=?, updated_at=datetime('now') WHERE short_id=?`, title, content, shortID)
	if err != nil {
		return nil, err
	}
	if n, _ := res.RowsAffected(); n == 0 {
		return nil, nil
	}
	return getItemByShortID(db, shortID)
}

func deleteItemByShortID(db *sql.DB, shortID string) (bool, error) {
	res, err := db.Exec(`DELETE FROM items WHERE short_id = ?`, shortID)
	if err != nil {
		return false, err
	}
	n, _ := res.RowsAffected()
	return n > 0, nil
}
```

**auth.rs module — wraps andromeda-auth with session validation:**
Conventions:
- Short IDs via `auth.GenerateShortID(10)`.
- Model fields use `json:"..."` tags so the same struct serializes for the API.
- "Not found" returns `(nil, nil)`, not an error — handlers check `if x == nil`.
- DB path comes from `<APP>_DB_PATH` env (e.g. `JOTTS_DB_PATH`).
- For more complex apps, move this into `internal/store/` and keep `db.go` as
  thin pass-through wrappers (see `apps/jotts`).

```rust
use axum::{
    extract::{FromRef, FromRequestParts},
    http::request::Parts,
    response::{IntoResponse, Redirect, Response},
};
use std::sync::Arc;
## handlers_web.go

use crate::AppState;
HTML handlers. Use `web.Render` for templates and `web.RedirectWithError` for
flash-style errors via query params.

/// Axum extractor — guards routes behind login. Redirects to /login if invalid.
pub struct AuthSession;
```go
package main

impl<S> FromRequestParts<S> for AuthSession
where
    S: Send + Sync,
    Arc<AppState>: FromRef<S>,
{
    type Rejection = Response;
import (
	"net/http"
	"strings"

    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
        let state = Arc::<AppState>::from_ref(state);
        let token = andromeda_auth::extract_session_cookie(&parts.headers);
        if let Some(token) = token {
            if is_valid_session(&state, &token) {
                return Ok(AuthSession);
            }
        }
        Err(Redirect::to("/login").into_response())
    }
}
	"github.com/stevedylandev/andromeda/crates-go/auth"
	"github.com/stevedylandev/andromeda/crates-go/web"
)

fn is_valid_session(state: &AppState, token: &str) -> bool {
    // Check DB for token expiry — return true if token exists and hasn't expired
    match crate::db::get_session_expiry(&state.db, token) {
        Ok(Some(expires_at)) => expires_at > chrono::Utc::now().to_rfc3339(),
        _ => false,
    }
func (a *App) loginGetHandler(w http.ResponseWriter, r *http.Request) {
	web.Render(a.Templates, w, "login.html", loginPageData{Error: r.URL.Query().Get("error")}, a.Log)
}
```

**Usage in handlers** — use `andromeda_auth` functions directly for login/logout:
func (a *App) loginPostHandler(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		web.RedirectWithError(w, r, "/login", "Invalid request")
		return
	}
	if !auth.SecureEqual(r.FormValue("password"), a.Password) {
		web.RedirectWithError(w, r, "/login", "Invalid password")
		return
	}
	token, err := a.Sessions.Create()
	if err != nil {
		a.Log.Error("create session failed", "err", err)
		web.RedirectWithError(w, r, "/login", "Server error")
		return
	}
	http.SetCookie(w, a.Sessions.SessionCookie(token))
	http.Redirect(w, r, "/", http.StatusSeeOther)
}

```rust
use andromeda_auth;

// POST /login — verify password, create session, set cookie
async fn post_login(State(state): State<Arc<AppState>>, Form(form): Form<LoginForm>) -> Response {
    if andromeda_auth::verify_password(&form.password, &state.app_password) {
        let token = andromeda_auth::generate_session_token();
        // Store token in DB with expiry...
        let cookie = andromeda_auth::build_session_cookie(&token, state.cookie_secure);
        // Set cookie header and redirect to /
    } else {
        // Redirect to /login?error=Invalid+password
    }
func (a *App) logoutHandler(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie(a.Sessions.CookieName); err == nil && c.Value != "" {
		a.Sessions.Delete(c.Value)
	}
	http.SetCookie(w, a.Sessions.ClearCookie())
	http.Redirect(w, r, "/login", http.StatusSeeOther)
}

// GET /logout — clear session
async fn get_logout(headers: HeaderMap, State(state): State<Arc<AppState>>) -> Response {
    if let Some(token) = andromeda_auth::extract_session_cookie(&headers) {
        let _ = crate::db::delete_session(&state.db, &token);
    }
    let cookie = andromeda_auth::clear_session_cookie();
    // Set cookie header and redirect to /login
func (a *App) createItemHandler(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		web.RedirectWithError(w, r, "/items/new", "Invalid request")
		return
	}
	title := strings.TrimSpace(r.FormValue("title"))
	if title == "" {
		web.RedirectWithError(w, r, "/items/new", "Title is required")
		return
	}
	it, err := createItem(a.DB, title, r.FormValue("content"))
	if err != nil {
		a.Log.Error("create item failed", "err", err)
		web.RedirectWithError(w, r, "/items/new", "Failed to create item")
		return
	}
	http.Redirect(w, r, "/items/"+it.ShortID, http.StatusSeeOther)
}
```

**Protect routes** — add `_session: auth::AuthSession` as a parameter:
Patterns:
- Always `auth.SecureEqual` for password compare (constant-time).
- Use `http.StatusSeeOther` (303) for POST-redirect-GET.
- Pre-rendered HTML (e.g. markdown) goes through `template.HTML` in the
  page-data struct, not via `|safe`-style filters.

## handlers_api.go

JSON API handlers. Use `web.WriteJSON`, `web.WriteError`, `web.DecodeJSON`.

```go
package main

import (
	"net/http"

	"github.com/stevedylandev/andromeda/crates-go/web"
)

```rust
async fn get_index(_session: auth::AuthSession, State(state): State<Arc<AppState>>) -> Response {
    // only reachable if session is valid
func (a *App) apiListItems(w http.ResponseWriter, r *http.Request) {
	items, err := listItems(a.DB)
	if err != nil {
		a.Log.Error("list items failed", "err", err)
		web.WriteError(w, http.StatusInternalServerError, "internal error")
		return
	}
	web.WriteJSON(w, http.StatusOK, items)
}
```

**AppState for session auth:**
func (a *App) apiCreateItem(w http.ResponseWriter, r *http.Request) {
	var in ItemInput
	if !web.DecodeJSON(w, r, &in) {
		return
	}
	if in.Title == "" {
		web.WriteError(w, http.StatusBadRequest, "title is required")
		return
	}
	it, err := createItem(a.DB, in.Title, in.Content)
	if err != nil {
		a.Log.Error("create item failed", "err", err)
		web.WriteError(w, http.StatusInternalServerError, "internal error")
		return
	}
	web.WriteJSON(w, http.StatusCreated, it)
}

```rust
pub struct AppState {
    pub db: Db,
    pub app_password: String,
    pub cookie_secure: bool,
func (a *App) apiGetItem(w http.ResponseWriter, r *http.Request) {
	it, err := getItemByShortID(a.DB, r.PathValue("short_id"))
	if err != nil {
		web.WriteError(w, http.StatusInternalServerError, "internal error")
		return
	}
	if it == nil {
		web.WriteError(w, http.StatusNotFound, "not found")
		return
	}
	web.WriteJSON(w, http.StatusOK, it)
}
```

### API key auth (alternative — for API-only apps)
## Authentication

`crates-go/auth` provides three middleware patterns. Pick based on app shape:

### Session/cookie auth (web-facing apps)

For apps that don't need a login page (e.g., sipp), use API key middleware instead of session auth. This pattern does NOT use `andromeda-auth` — it's self-contained in `server.rs`:
Use `*auth.Store` for password-login web apps (jotts, feeds, bookmarks, etc).
Sessions stored in the same SQLite DB via `EnsureSchema()`. Routes guarded
with `store.RequireSession("/login", handler)`.

```rust
#[derive(Clone)]
struct ServerConfig {
    api_key: Option<String>,
    auth_endpoints: HashSet<String>,
}
```
Key API:
- `store.Create() (token, err)` — issue new session row.
- `store.SessionCookie(token) *http.Cookie` — `HttpOnly`, `SameSite=Strict`,
  7-day MaxAge.
- `store.ClearCookie()` — `MaxAge=-1` cookie for logout.
- `store.HasValid(r)` — check the incoming request's cookie.
- `store.PruneExpired()` — call at boot to GC stale rows.

### API key auth (header-based)

`auth.RequireAPIKey(expectedKey, next)`. Reads `X-API-Key` header,
`SecureEqual` compare. Returns 403 if `expectedKey` is empty (auth disabled by
config), 401 on mismatch. Use this for `/api/*` routes when there's also a
session-cookie web UI.

See `apps/sipp` for the full API key middleware pattern.
### Bearer-or-Session (mixed surfaces)

### Environment variables
`auth.RequireBearerOrSession(store, expectedBearer, next)` — accepts either
`Authorization: Bearer <token>` or a valid session cookie. Used by apps that
expose the same endpoint to a CLI client AND a logged-in browser user (e.g.
`sipp`, `jotts upload`).

Prefix app-specific env vars with the app name (e.g., `JOTTS_`, `SIPP_`). Shared vars like `HOST`, `PORT`, `COOKIE_SECURE` don't need a prefix:
### Env vars

| Variable | Purpose | Default |
|----------|---------|---------|
| `HOST` | Bind address | `127.0.0.1` (set to `0.0.0.0` in Docker) |
| `PORT` | Listen port | `3000` |
| `APP_DB_PATH` | SQLite file path | `app.sqlite` |
| `APP_PASSWORD` | Single password for session auth (web apps) | None |
| `COOKIE_SECURE` | Set `true` for HTTPS-only cookies | `false` |
| `APP_API_KEY` | API key for API-key auth pattern | None (auth disabled) |
| `APP_AUTH_ENDPOINTS` | Comma-separated endpoint names, "all", or "none" | `api_delete,api_list,api_update` |
| `HOST` | bind address | `127.0.0.1` (set `0.0.0.0` in Docker) |
| `PORT` | listen port | `3000` |
| `<APP>_DB_PATH` | SQLite path | `<app>.sqlite` |
| `<APP>_PASSWORD` | session login password | none → "changeme" warning |
| `<APP>_API_KEY` | API key for `/api/*` | none → 403 |
| `COOKIE_SECURE` | HTTPS-only cookie flag | `false` |

## Templates (Askama)

HTML templates live in `templates/` and use Askama syntax. Key patterns:
App-specific env vars are prefixed with the uppercase app name
(`JOTTS_PASSWORD`, `FEEDS_API_KEY`). `HOST`, `PORT`, `COOKIE_SECURE` are not
prefixed.

- Link CSS via `/static/styles.css`
- Link assets via `/assets/filename`
- Include `<meta name="theme-color" content="#121113" />`
- Forms POST to web routes (not API routes)
- Use `{{ variable }}` for template interpolation
- Use `{{ variable|safe }}` for pre-rendered HTML (e.g., syntax highlighted content)
## Templates (html/template)

### Template inheritance
Templates live in `templates/`, parsed once at startup via
`template.ParseFS(appFS, "templates/*.html")` and rendered with
`web.Render(t, w, "name.html", data, log)`.

Use a `base.html` with block sections. All pages extend it:
Use `{{ define "..." }}` / `{{ template "..." . }}` for layout composition.
The base file defines block names; pages define the content blocks.

**templates/base.html:**

```html
{{ define "base" }}
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>{% block title %}APP_NAME{% endblock %}</title>
  <title>{{ template "title" . }}</title>
  <meta name="theme-color" content="#121113" />
  <style>
    /* base styles here */
  </style>
  <link rel="stylesheet" href="/assets/darkmatter.css">
  <link rel="stylesheet" href="/static/styles.css">
</head>
<body>
  <div class="container">
    {% block content %}{% endblock %}
    {{ template "content" . }}
  </div>
</body>
</html>
{{ end }}
```

**templates/index.html:**
```html
{% extends "base.html" %}
{% block title %}Items{% endblock %}
{% block content %}
  {% if let Some(error) = error %}
    <p class="error">{{ error }}</p>
  {% endif %}
  {% for item in items %}
    <div>{{ item.name }}</div>
  {% endfor %}
{% endblock %}
```

### Flash messages via query params

Pass transient error/success messages through redirects using query parameters. No session flash needed.

**Query param struct:**
```rust
#[derive(Deserialize, Default)]
pub struct FlashQuery {
    pub error: Option<String>,
}
```

**In handlers** — redirect with message:
```rust
Redirect::to("/items/add?error=Name+is+required.").into_response()
```

**In receiving handler** — extract and pass to template:
```rust
async fn get_add(Query(q): Query<FlashQuery>) -> Response {
    render(AddTemplate { error: q.error })
}
```

**In template** — conditionally render:
```html
{% if let Some(error) = error %}
  <p class="error">{{ error }}</p>
{% endif %}
{{ define "title" }}Items{{ end }}
{{ define "content" }}
  {{ range .Items }}
    <a href="/items/{{ .ShortID }}">{{ .Title }}</a>
  {{ end }}
{{ end }}
{{ template "base" . }}
```

## Logging (tracing)

Always initialize tracing in `main()` before anything else:

```rust
tracing_subscriber::fmt::init();
```
Notes:
- Link CSS via `/static/styles.css` (app-local) and `/assets/darkmatter.css`
  (shared theme served by `darkmatter.Mount`).
- Forms POST to web routes, not `/api/*`.
- Pass pre-rendered HTML as `template.HTML(...)`; `html/template` auto-escapes
  everything else.
- Flash errors via `?error=...` query param + `web.RedirectWithError` /
  `RedirectWithSuccess`.

Use throughout the app:
- `tracing::error!("DB error: {}", e)` — unrecoverable failures
- `tracing::warn!("Non-critical issue: {}", e)` — degraded but functional
- `tracing::info!("Listening on {}", addr)` — startup/lifecycle events
## Static assets

## main.rs
Embedded via `//go:embed templates/*.html static/*` on a single `appFS`.
Serve under `/static/` via `web.EmbeddedHandler(appFS, "static")`. Shared
theme files (CSS + fonts) come from `darkmatter.Mount(mux, "/assets")`.

Minimal — just loads env and starts the server:
## Logging (slog)

```rust
mod auth;
mod db;
mod server;
Standard library `log/slog`. Build once in `main`:

#[tokio::main]
async fn main() {
    dotenvy::dotenv().ok();
    tracing_subscriber::fmt::init();
    let host = std::env::var("HOST").unwrap_or_else(|_| "127.0.0.1".to_string());
    let port: u16 = std::env::var("PORT")
        .ok()
        .and_then(|v| v.parse().ok())
        .unwrap_or(3000);
    server::run(host, port).await;
}
```go
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelInfo}))
```

Keep main.rs minimal — all logic lives in `server.rs`, `db.rs`, and `auth.rs`.
Pass it into `App` and pass it to `web.Render` (it logs template errors).
Use `logger.Error("msg", "err", err)`, `logger.Warn(...)`, `logger.Info(...)`.

## Dockerfile

Multi-stage workspace build using `cargo-chef` for dep caching. Built from repo root with `docker build -f apps/APP_NAME/Dockerfile .`:
Multi-stage, built from the repo root so `crates-go/` is available for the
`replace` directives. Pure Go (`CGO_ENABLED=0`) because the SQLite driver is
`modernc.org/sqlite`.

```dockerfile
# Build from repo root: docker build -t APP_NAME -f apps/APP_NAME/Dockerfile .
FROM lukemathwalker/cargo-chef:latest-rust-1-slim-bookworm AS chef
FROM golang:1.25-bookworm AS builder
WORKDIR /app

FROM chef AS planner
COPY . .
RUN cargo chef prepare --recipe-path recipe.json

FROM chef AS builder
RUN apt-get update && apt-get install -y pkg-config libssl-dev && rm -rf /var/lib/apt/lists/*
COPY --from=planner /app/recipe.json recipe.json
RUN cargo chef cook --release --recipe-path recipe.json -p APP_NAME
COPY . .
RUN cargo build --release -p APP_NAME
COPY crates-go/ ./crates-go/
COPY apps/APP_NAME/go.mod apps/APP_NAME/go.sum ./apps/APP_NAME/
WORKDIR /app/apps/APP_NAME
RUN go mod download
COPY apps/APP_NAME/ ./
RUN CGO_ENABLED=0 go build -o /APP_NAME .

FROM debian:bookworm-slim
COPY --from=builder /app/target/release/APP_NAME /usr/local/bin/APP_NAME
COPY --from=builder /APP_NAME /usr/local/bin/APP_NAME
WORKDIR /data
EXPOSE 3000
ENV HOST=0.0.0.0
ENV PORT=3000
EXPOSE 3000
CMD ["APP_NAME"]
```

Replace all `APP_NAME` with actual binary/package name. If app makes HTTPS requests (uses reqwest etc.), add `RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*` to final stage.
If the app makes outbound HTTPS requests, add to the final stage:
```dockerfile
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/*
```

If the app has CLI subcommands (jotts), set `CMD ["APP_NAME", "server"]`.

## docker-compose.yml
## App-local docker-compose.yml

```yaml
services:

    ports:
      - "${PORT:-3000}:${PORT:-3000}"
    environment:
      - APP_PASSWORD=${APP_PASSWORD:-changeme}
      - APP_DB_PATH=/data/APP_NAME.sqlite
      - APP_NAME_PASSWORD=${APP_NAME_PASSWORD:-changeme}
      - APP_NAME_DB_PATH=/data/APP_NAME.sqlite
      - COOKIE_SECURE=false
      - HOST=0.0.0.0
      - PORT=${PORT:-3000}
    volumes:
      - app-data:/data
      - APP_NAME-data:/data
    restart: unless-stopped

volumes:
  app-data:
  APP_NAME-data:
```

Key points:
- `context: ../..` builds from the workspace root
- Named volume persists the SQLite database across container restarts
- ENV vars use app-specific prefixes (e.g., `JOTTS_PASSWORD`, `SIPP_API_KEY`)

## .env.example

Always create one with all configurable env vars and sensible comments.
Always ship one listing every var the app reads, with short comments.

## Wiring up a new app

A new app is not done when `cargo run -p APP_NAME` works. Several workspace-level files list every app explicitly and must be updated, or CI/release/deploy break silently.
A new app is not done when `go run .` works. Several workspace-level files
list every app explicitly and must be updated, or CI / Docker images / deploy
break silently.

### 1. Workspace root `Cargo.toml`
### 1. Root `docker-compose.yml` (production)

Add to `[workspace] members`:
Pulls images from GHCR. Add a service + named volume:

```toml
[workspace]
members = [
    "apps/sipp",
    # ...
    "apps/APP_NAME",
    "crates/auth",
    "crates/db",
    "crates/darkmatter-css",
]
```yaml
services:
  APP_NAME:
    image: ghcr.io/stevedylandev/andromeda/APP_NAME:latest
    restart: unless-stopped
    ports:
      - "PORT:3000"
    volumes:
      - APP_NAME_data:/data
    env_file: apps/APP_NAME/.env
```

### 2. `dist-workspace.toml`

Add to `[workspace] members` so `cargo dist` builds release binaries + Homebrew formula:
Pick a unique host port (existing: 3000 sipp, 3030 jotts, 3456 og, 3535 posts,
3565 shrink, 4555 feeds, 4646 library, 6754 cellar). Drop the `volumes` /
`env_file` lines if stateless (see `shrink`, `og`).

```toml
[workspace]
members = [
    "cargo:apps/sipp",
    # ...
    "cargo:apps/APP_NAME",
]
```
If the app holds data worth backing up, mount its volume read-only into the
`backup` service.

### 3. `.github/workflows/docker.yml`
### 2. `.github/workflows/docker.yml`

Two spots — both list every app:

```yaml
ALL='["cellar","sipp","feeds","parcels","jotts","og","shrink","backup","posts","library","APP_NAME"]'
ALL='["backup","bookmarks","cellar","easel","feeds","jotts","library","og","posts","shrink","sipp","APP_NAME"]'
```

```yaml
for app in cellar sipp feeds parcels jotts og shrink backup posts library APP_NAME; do
for app in backup bookmarks cellar easel feeds jotts library og posts shrink sipp APP_NAME; do
```

If the cargo package name differs from directory name, add a case to `pkg_to_dir()`:
### 3. `.github/workflows/docker-test.yml`

```bash
pkg_to_dir() {
  case "$1" in
    sipp-so) echo "sipp" ;;
    APP_PKG) echo "APP_NAME" ;;
    *) echo "$1" ;;
  esac
}
```
Same two lists — keep in lockstep with `docker.yml`.

### 4. `.github/workflows/docker-test.yml`
### 4. App-local `docker-compose.yml`

Same two lists — keep in sync with `docker.yml`:
Per-app dev compose (see above).

```yaml
ALL='["cellar","sipp","feeds","parcels","jotts","og","shrink","backup","posts","library","APP_NAME"]'
```
## Useful commands

```yaml
for app in cellar sipp feeds parcels jotts og shrink backup posts library APP_NAME; do
```
Per-app (from `apps/<app>/`):

### 5. Root `docker-compose.yml`

Production compose at repo root pulls images from GHCR. Add a service + volume:

```yaml
services:
  APP_NAME:
    image: ghcr.io/stevedylandev/andromeda/APP_NAME:latest
    restart: unless-stopped
    ports:
      - "PORT:3000"
    volumes:
      - APP_NAME_data:/data
    env_file: apps/APP_NAME/.env

volumes:
  APP_NAME_data:
    external: true
    name: APP_NAME_APP_NAME-data
```bash
go mod tidy
go build ./...
go vet ./...
go test ./...
go run .                # or: go run . server  for apps with subcommands
```

Pick a unique host port (existing: 3000 sipp, 3030 jotts, 3456 og, 3535 posts, 3565 shrink, 4555 feeds, 4646 library, 6754 cellar). Drop `volumes`/`env_file` if app is stateless (see `shrink`, `og`).

If the app holds data worth backing up, add a read-only mount to the `backup` service:
Repo-wide (from root):

```yaml
backup:
  volumes:
    - APP_NAME_data:/data/APP_NAME:ro
```bash
make go-check                       # fmt + test + vet across all Go modules
make go-test
make go-vet
make go-fmt
make go-app-test APP=APP_NAME
make go-app-vet  APP=APP_NAME
make go-app-fmt  APP=APP_NAME
```

### 6. App-local `docker-compose.yml`

Per-app compose for local dev — builds from source:

```yaml
services:
  app:
    build:
      context: ../..
      dockerfile: apps/APP_NAME/Dockerfile
    ports:
      - "${PORT:-3000}:${PORT:-3000}"
    environment:
      - APP_PASSWORD=${APP_PASSWORD:-changeme}
      - APP_DB_PATH=/data/APP_NAME.sqlite
      - COOKIE_SECURE=false
      - HOST=0.0.0.0
      - PORT=${PORT:-3000}
    volumes:
      - APP_NAME-data:/data
    restart: unless-stopped

volumes:
  APP_NAME-data:
```
The shared crates (`crates-go/web`, `crates-go/auth`, `crates-go/config`,
`crates-go/sqlite`, `crates-go/darkmatter`) are each their own module — run
`go build ./...` inside any to check in isolation.

## Checklist

When scaffolding a new app:

1. Create `apps/APP_NAME/` with `cargo init`
2. Set up `apps/APP_NAME/Cargo.toml` with workspace deps + `andromeda-auth` (and `andromeda-db`, `andromeda-darkmatter-css` if used)
3. Register app in workspace root `Cargo.toml` under `[workspace] members`
4. Register app in `dist-workspace.toml` under `[workspace] members` (with `cargo:` prefix)
5. Add app to `ALL` array + `for app in ...` loop in `.github/workflows/docker.yml`
6. Add app to `ALL` array + `for app in ...` loop in `.github/workflows/docker-test.yml`
7. Write `db.rs` — schema, model, CRUD, session table if needed
8. Write `auth.rs` — wrap `andromeda-auth` with `AuthSession` extractor (if auth needed)
9. Write `server.rs` — config, state, templates, handlers, routes
10. Write `main.rs` — minimal entry point
11. Create `templates/` with `base.html` + index page
12. Create `static/styles.css`
13. Create `.env.example`
14. Create `Dockerfile` (cargo-chef multi-stage) + app-local `docker-compose.yml`
15. Add service entry + volume to root `docker-compose.yml` (and `backup` mount if stateful)
16. Test: `cargo run -p APP_NAME`, hit routes
17. Test: `docker build -f apps/APP_NAME/Dockerfile .` from repo root
1. `mkdir apps/APP_NAME && cd apps/APP_NAME && go mod init github.com/stevedylandev/andromeda/apps/APP_NAME`
2. Add shared-crate `require` + `replace` directives to `go.mod` (auth, config, sqlite, web, darkmatter).
3. `main.go` — env load, DB open, sessions bootstrap, `App` build, `ListenAndServe`.
4. `app.go` — `App` struct, `//go:embed`, page-data structs.
5. `routes.go` — mux wiring, middleware, `/static/` + `darkmatter.Mount`.
6. `db.go` — schema, model, CRUD via `crates-go/sqlite.Open`.
7. `handlers_web.go` — login/logout + HTML CRUD pages.
8. `handlers_api.go` — JSON CRUD endpoints behind `RequireAPIKey`.
9. `templates/base.html` + per-page templates using `{{ define }}` blocks.
10. `static/styles.css` + any app-specific assets.
11. `.env.example` listing every env var.
12. `Dockerfile` (multi-stage, `CGO_ENABLED=0`) + app-local `docker-compose.yml`.
13. Add service + volume to root `docker-compose.yml` (+ `backup` mount if stateful).
14. Add app name to both `ALL` array + `for app in ...` loops in
    `.github/workflows/docker.yml` AND `.github/workflows/docker-test.yml`.
15. `go mod tidy`, then `make go-app-vet APP=APP_NAME` and `make go-app-test APP=APP_NAME`.
16. `docker build -f apps/APP_NAME/Dockerfile .` from repo root to verify image.

## What NOT to include

- No external CSS frameworks unless specified 
- No ORMs — use raw rusqlite
- No connection pools — `Arc<Mutex<Connection>>` is sufficient for SQLite
- No async database drivers — rusqlite is synchronous and that's fine
- No web frameworks (gin, echo, chi, fiber) — stdlib `net/http` mux is enough.
- No ORMs — raw `database/sql` + `?` placeholders.
- No connection pools — `sqlite.Open` sets `MaxOpenConns(1)` on purpose.
- No cgo SQLite drivers — use `modernc.org/sqlite` via `crates-go/sqlite`.
- No external CSS frameworks unless specified — use `crates-go/darkmatter`.
- No JS frontend / build step — `html/template` rendered server-side.
- No CLI / TUI deps (cobra, bubbletea) unless the app actually needs them.
- No `replace` directives for anything outside `crates-go/`.

8	8
9	9		The canonical CSS and fonts live in the [`crates-go/darkmatter`](https://github.com/stevedylandev/andromeda/tree/main/crates-go/darkmatter) module. Mount its handler set and link `/assets/darkmatter.css` from your templates — the skill guides style decisions while the module serves the actual bytes.
10	10
	11	+	## andromeda-stack
	12	+
	13	+	[`andromeda-stack`](https://github.com/stevedylandev/andromeda/tree/main/skills/andromeda-stack/SKILL.md) scaffolds a new Go CRUD app in the monorepo using the standard project layout: `net/http` mux, `html/template`, `modernc.org/sqlite`, and the `crates-go/{auth,web,config,sqlite,darkmatter}` packages wired in via `replace` directives.
	14	+
	15	+	It covers the full app shape — `main.go` / `app.go` / `routes.go` / `db.go` / `handlers_.go` / `templates/` / `static/` — plus session vs. API-key vs. bearer auth, the multi-stage `CGO_ENABLED=0` Dockerfile, and the workspace files that need updating (root `docker-compose.yml`, both `.github/workflows/docker.yml` lists) so a new app actually ships.
	16	+
11	17		## Installing
12	18
13	19		Use [`npx skills add`](https://github.com/vercel-labs/skills) to pull the skill directly from the repo:

45	45		Provides session-based password authentication used across apps that require login. It handles:
46	46
47	47		- Constant-time password verification (bcrypt + plain)
48		-	- Session cookie management with an in-memory store
	48	+	- Session cookie management backed by a `sessions` table in the app's SQLite DB
	49	+	- `RequireSession`, `RequireAPIKey`, and `RequireBearerOrSession` middleware
49	50		- Short-id and session-token generators
	51	+
	52	+	### crates-go/sqlite
	53	+
	54	+	Thin bootstrap around `database/sql` + `modernc.org/sqlite`. `Open(path, schema)` opens the DB with the project defaults (`PRAGMA foreign_keys=ON`, single open connection) and applies an optional schema string on first open.
50	55
51	56		### crates-go/web
52	57

73	78		import "github.com/stevedylandev/andromeda/crates-go/darkmatter"
74	79
75	80		mux := http.NewServeMux()
76		-	darkmatter.Mount(mux)
	81	+	darkmatter.Mount(mux, "/assets")
77	82		```
78	83
79	84		Then reference `/assets/darkmatter.css` from your templates instead of duplicating the styles per app.