KIS-TOiR/general-prompt.md

ROLE

You are a Staff-level Fullstack Platform Engineer.

Your task is to generate a fully runnable fullstack CRUD application from the DSL context of this repository.

Use context7.

Follow official best practices from:

NestJS documentation

Prisma documentation

React Admin documentation

Vite documentation

Keycloak documentation

Docker documentation

The generated application must run without manual fixes.

PROJECT CONTEXT

You must read the project documentation in the following strict order:

domain/dsl-spec.md

domain/*.dsl

If present, read optional overrides after the domain DSL:

overrides/api-overrides.dsl overrides/ui-overrides.dsl

backend/architecture.md

backend/prisma-rules.md

backend/prisma-service.md

backend/service-rules.md

backend/runtime-rules.md

backend/database-runtime.md

backend/seed-rules.md

frontend/architecture.md

frontend/react-admin-rules.md

auth/keycloak-architecture.md

auth/frontend-auth-rules.md

auth/backend-auth-rules.md

auth/keycloak-realm-template-rules.md

generation/scaffolding-rules.md

generation/backend-generation.md

generation/frontend-generation.md

generation/runtime-bootstrap.md

generation/post-generation-validation.md

Do not ignore any rules defined in these documents.

INPUT CONTRACT

Required DSL input:

domain/*.dsl

Optional override inputs:

overrides/api-overrides.dsl overrides/ui-overrides.dsl

Rules:

• Domain DSL is the single source of truth for entities, attributes, primary keys, foreign keys, and enums.
• DTO, API, and UI must be derived from the domain DSL.
• Optional overrides must not duplicate or redefine the domain model.
• Generation must work without override files.
• Ignore deprecated multi-DSL inputs if they are present in the repository; they are not authoritative generation inputs.
• Do not require standalone DTO, API, or UI DSL inputs.

GOAL

Generate a domain-DSL-driven fullstack CRUD system with default Keycloak authentication and authorization.

Repository-specific defaults and examples may use names such as toir, toir-frontend, toir-backend, toir-realm.json, and *.greact.ru, but the generator must parameterize realm name, client IDs, production URLs, and realm-artifact filename for other generated projects.

Stack:

Backend

Node.js

NestJS

Prisma ORM

PostgreSQL

jose

Frontend

React

Vite

React Admin

MUI

shadcn/ui

Keycloak JS

PROJECT STRUCTURE

Root .gitignore docker-compose.yml root-level Keycloak realm import artifact (default example filename: toir-realm.json) server/ client/

Backend server/ src/ auth/ config/ modules/{entity}/ prisma/schema.prisma prisma/seed.ts .gitignore .env .env.example

Frontend client/ .gitignore src/ auth/ config/ resources/{entity}/ App.tsx main.tsx dataProvider.ts .env.example

STEP 1 — Parse Domain DSL

Parse domain/*.dsl and extract:

Entities Attributes Primary keys Foreign keys Enums

If present, read optional override files only after the domain model has been parsed. Overrides may refine derived API or UI behavior but must never redefine entities, attributes, primary keys, foreign keys, or enums. Do not consult any supplemental DTO/API/UI DSL source when deriving backend or frontend artifacts.

Respect the DSL specification.

STEP 2 — CLI scaffolding

Use official CLIs.

Backend npx @nestjs/cli@10.3.2 new server --package-manager npm --skip-git

Frontend npm create vite@5.2.0 client -- --template react-ts

STEP 3 — Install dependencies

Backend

@prisma/client prisma @nestjs/config jose

Frontend

react-admin ra-data-simple-rest @mui/material @emotion/react @emotion/styled keycloak-js

STEP 4 — Generate Prisma schema

From DSL domain generate:

models

enums

relations

primary keys

Type mapping

decimal → Decimal date → DateTime

DTO mapping

decimal → string date → ISO string

STEP 5 — Generate NestJS CRUD modules and derived DTOs

Per entity generate:

module controller service dto

Controller routes

GET /resource GET /resource/:pk POST /resource PATCH /resource/:pk DELETE /resource/:pk

Path parameter must match the DSL primary key name.

Examples

/equipment/:id /equipment-types/:code /repair-orders/:id

STEP 6 — Generate backend auth infrastructure

Generate:

AuthModule JWT guard roles guard @Public() @Roles() typed authenticated principal typed env validation

Rules:

• /health must remain public
• CRUD routes must be protected by default
• RBAC source must be realm_access.roles
• JWT verification must use issuer + audience + JWKS
• JWKS resolution priority must be:
  1. explicit KEYCLOAK_JWKS_URL
  2. OIDC discovery
  3. ${issuer}/protocol/openid-connect/certs
• Do not use deprecated Keycloak-specific Node adapters

STEP 7 — Generate Service Layer

Service layer must follow backend/service-rules.md.

Important rule:

React Admin sends the id field in update payloads even when the primary key is not named id.

Therefore update payload must be sanitized before passing data to Prisma.

Services MUST NOT pass raw request DTO directly into Prisma.

Incorrect:

prisma.entity.update({ where, data: dto })

Correct pattern:

const { id, , ...data } = dto

return prisma.entity.update({ where, data })

Example (PK = code)

const { id, code, ...data } = dto

return prisma.equipmentType.update({ where: { code }, data })

Example (PK = id)

const { id: _pk, ...data } = dto

return prisma.entity.update({ where: { id }, data })

Rules

Update payload passed to Prisma must not contain:

id primary key attribute readonly attributes

STEP 8 — Generate frontend auth integration

Generate:

client/src/config/env.ts client/src/auth/keycloak.ts client/src/auth/authProvider.ts

Rules:

• Keycloak login must be redirect-based only
• Use Authorization Code + PKCE (S256)
• Initialize Keycloak before rendering the SPA
• Attach Authorization: Bearer <access_token> through the shared request seam in client/src/dataProvider.ts
• authProvider.getIdentity() must derive identity from parsed token claims such as sub, preferred_username, email, and name
• Do not call keycloak.loadUserProfile() by default
• Do not rely on the Keycloak /account endpoint for baseline CRUD/admin generation
• Avoid the /account request entirely by default rather than broadening Keycloak CORS behavior
• 401 must force re-authentication
• 403 must surface access denied without forcing re-authentication
• Token refresh must be concurrency-safe
• Do not store tokens in localStorage or sessionStorage
• Frontend auth config must fail fast if required auth vars are missing

STEP 9 — Generate runtime infrastructure

Create:

server/.env server/.env.example client/.env.example root/.gitignore server/.gitignore client/.gitignore root-level Keycloak realm import artifact (default example filename: toir-realm.json)

Backend env examples must include:

PORT DATABASE_URL CORS_ALLOWED_ORIGINS KEYCLOAK_ISSUER_URL KEYCLOAK_AUDIENCE KEYCLOAK_JWKS_URL (optional)

Frontend env examples must include:

VITE_API_URL VITE_KEYCLOAK_URL VITE_KEYCLOAK_REALM VITE_KEYCLOAK_CLIENT_ID

Add to package.json:

postinstall: prisma generate

Generated .gitignore files must prevent local-only artifacts from entering git, including:

node_modules dist dist-ssr coverage .tsbuildinfo .env .env.local .env..local

STEP 10 — Database runtime

Generate root:

docker-compose.yml

PostgreSQL container

postgres:16 port 5432

STEP 11 — Generate seed

Create:

server/prisma/seed.ts

Seed minimal data for:

EquipmentType Equipment RepairOrder

Add to package.json:

prisma.seed

STEP 12 — Generate React Admin resources

Generate React Admin resources automatically from the domain DSL.

For each entity generate:

Field mapping

string → TextInput number → NumberInput date → DateInput enum → SelectInput FK → ReferenceInput

API responses MUST contain:

If PK ≠ id, map primary key to id.

If PK ≠ id, backend list/query logic must map React Admin _sort=id to the real primary key field before constructing ORM sorting.

Example

{ id: record.code, code: record.code }

STEP 13 — Validation

Verify:

docker-compose.yml exists database container starts prisma migrate dev works prisma db seed works API responds /health React Admin receives id update services sanitize payload before Prisma frontend auth files exist backend auth files exist auth env examples exist root/server/client .gitignore files exist gitignore rules exclude local dependency, build, env, coverage, and tsbuildinfo artifacts frontend auth code does not call keycloak.loadUserProfile() frontend getIdentity() is token-claim based and does not rely on /account public /health is preserved unauthenticated protected route returns 401 insufficient role returns 403 natural-key entities map React Admin _sort=id to the real primary key field generated realm import artifact is self-contained and guarantees sub, aud, and realm_access.roles

OUTPUT

Provide:

FULLSTACK GENERATION REPORT

Include:

1 Parsed DSL 2 Prisma models 3 Backend modules 4 API endpoints 5 React Admin resources 6 Authentication and authorization 7 Runtime configuration 8 Validation results

RUN INSTRUCTIONS

The generated application must run successfully with:

Import the generated root-level Keycloak realm artifact (for example toir-realm.json) into the external Keycloak server

docker compose up -d

cd server npm install npx prisma migrate dev npm run start

cd client npm install npm run dev