CMS Nova is a reusable CMS platform built with Next.js, Prisma, and Better Auth.
It combines three goals in one repository:
- a headless CMS core with dynamic content types and entries,
- vertical packs for domain-specific products such as tourism and experiences,
- a research-grade case study on security and structural integrity in AI-assisted software development.
- Commercial overview: README.commercial.md
- Academic overview: README.academic.md
- Developer guide: docs/dev/README.md
- Research guide: docs/research/README.md
- Docs index: docs/README.md
- Security audit: docs/security/security-audit.md
- Vibe-Guard protocol: docs/vibe-guard/protocol-overview.md
- CLI: cli/README.md
Choose one path:
- Building/using the CMS: start with README.commercial.md
- Reading the case study: start with README.academic.md
CMS Nova is not just an admin panel.
It is a platform-oriented codebase designed to support:
- custom CMS deployments,
- multi-project reuse,
- public headless routes,
- plugin-based behavior,
- media management,
- and vertical product layers such as travel or destination platforms.
The repository is also used as the main case study for Vibe-Guard, a structural auditing proposal focused on the security risks of AI-generated code.
- Dynamic content types with field builders
- Content entries with public headless routes
- Better Auth integration and admin access control
- Media library and S3-related workflows
- Plugin configuration and feature gating
- Vertical packs for tourism and experiences
- CLI support for productization and reuse
The codebase is being organized around explicit ownership boundaries:
src/
app/ # route registration and composition
server/ # privileged runtime behavior
modules/ # reusable CMS capabilities
shared/ # cross-project helpers and UI
verticals/ # domain-specific product packs
Current examples:
src/server/auth/src/server/observability/src/modules/auth/src/modules/plugins/src/modules/content/src/verticals/tourism/src/verticals/experiences/
This structure supports both product reuse and research on architectural integrity.
CMS Nova is the primary artifact for an ongoing investigation into AI-assisted coding security.
The research focuses on:
Naming BiasMinimum Viable Understanding (MVU)- lack of global context in coding models
- route exposure and authorization drift
- centralized policy enforcement through
Vibe-Guard
Key research documents:
- docs/research/executive-summary.md
- docs/research/case-study-cms-nova.md
- docs/research/architecture-evolution.md
- docs/research/findings-matrix.md
- docs/research/portfolio-statement.md
The repository has already gone through a substantial security-focused refactor.
Major improvements include:
- tighter public route gating,
- restored publication-state checks,
- reduced plugin secret exposure,
- sanitized centralized logging,
- restricted admin-only API surfaces,
- hardened first-admin bootstrap,
- thinner route and action layers.
Security documentation:
- docs/security/security-audit.md
- docs/security/vulnerability-catalog.md
- docs/security/fix-vs-regression-analysis.md
- docs/security/error-log.md
- docs/security/remediation-log.md
Requirements:
- Node.js 20.19+
- npm
- a supported database configured through Prisma
Setup:
npm install
npm run generate
npm run db:push
npm run devThen open http://localhost:3000.
npm run dev
npm run build
npm run start
npm run type-check
npm run lint
npm run security:check-api
npm run generate
npm run db:push
npm run migrate
npm run db:studioTypical variables include:
DATABASE_URL=
BETTER_AUTH_SECRET=
BETTER_AUTH_URL=http://localhost:3000
NEXT_PUBLIC_APP_URL=http://localhost:3000
# Optional
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_REGION=us-east-1
AWS_S3_BUCKET=
ENCRYPTION_KEY=
NOVA_SETUP_TOKEN=Use .env.example as the base reference when available in your local copy.
CMS Nova supports public type-path routing through content types.
/{typePath}lists published entries for a content type/{typePath}/{slug}renders a published entry- exposure is controlled by the
public-typepathsplugin
Dynamic navigation can also be enabled through the dynamic-nav plugin.
- docs/README.md
- docs/dev/README.md
- docs/architecture/folder-structure.md
- docs/architecture/core-vs-verticals.md
- docs/architecture/dead-code-audit.md
- docs/vibe-guard/protocol-overview.md
The repository is in active architectural consolidation.
It already functions as:
- a working CMS platform,
- a reusable base for downstream projects,
- and a documented research artifact.
Some migration bridges still remain, but the structure is now significantly clearer than the original organically grown version.
MIT