Developer Guide
Onboarding guide for engineers working on the XPrivate Education dashboard monorepo.
Monorepo Layout
Section titled “Monorepo Layout”apps/web/ TanStack Start (React SSR) + oRPC API — CF Workersapps/cron-*/ CF Cron Workers (one per job)packages/db/ Drizzle schema + createDB(env) factorypackages/auth/ RBAC resolution + permission middleware + AccountState machinepackages/service/ Business logic (auth-agnostic)packages/contract/ oRPC contract + Zod base I/O schemasplans/ Locked planning docs (ARCHITECTURE, scope, RESUME)Dependency direction: apps → {service, contract}, service → {db, auth, contract}, auth → db. contract is a leaf (no internal deps). Never reverse.
Tech Stack
Section titled “Tech Stack”| Layer | Technology |
|---|---|
| Frontend / SSR | TanStack Start (React) on Cloudflare Workers |
| API | oRPC (contract-first) |
| Database | Drizzle ORM + Neon Postgres via Hyperdrive |
| Auth | Better Auth + custom RBAC |
| Secrets | Infisical (no secrets in wrangler config or env files) |
| Runtime | Bun |
Key Commands
Section titled “Key Commands”Run from the repo root:
bun install # install deps + lefthook pre-commit hooksbun run typecheck # tsc -b (project references)bun run lint # biome checkbun run test # vitest unit (no DB)bun run test:integration # vitest integration (needs NEON_DATABASE_URL)bun run dev # apps/web dev serverbun run db:generate # generate Drizzle migrationbun run db:migrate # apply migrationsbun run db:studio # open Drizzle StudioPre-commit hooks (lefthook): biome auto-fix + re-stage, secretlint on staged files. Escape hatch: LEFTHOOK=0 git commit.
Architecture Pointers
Section titled “Architecture Pointers”Full architecture is locked in plans/ARCHITECTURE.md (22 sections). Key conventions:
- Business logic lives in
packages/service, not in route handlers. Handlers are thin: validate → authorize → call service. - DB client is per-request via
createDB(env)— no module-level singleton. - Service functions are auth-agnostic; permission checks happen in the Hono route handler before the service call.
- CF Workers: never cache per-request I/O (db/auth) in module scope.
See the Reference section for auto-generated architecture docs.