Simulacrum

Every serious Next.js project begins with the same multi-week tax before product work can start. Auth provider selection, OAuth wiring, session management, 2FA. Database adapter choice, schema setup, migrations, seed data. Role-based access control and middleware enforcement. Stripe or Lemon Squeezy integration, webhook handling, billing state reconciliation. Internationalization across locales including RTL. Admin dashboards with real analytics rather than stub pages. Transactional email templates. Observability connectors. E2E test harnesses. SEO scaffolding. Dockerfiles. CI/CD workflows. None of this is novel. All of it is load-bearing. All of it is rebuilt from scratch on every project.

Existing solutions fail in one of two directions. Open-source starters produce minimal skeletons that still require weeks of integration work, and quality varies wildly across template types. Website builders (Wix, Squarespace, Shopify, WordPress) ship faster but impose vendor lock-in, limit customization, and charge recurring fees indefinitely. Hiring a freelancer costs thousands of dollars and two to six months. Hiring an agency costs tens of thousands. The industry average agency project cost is $66,499 (Clutch.co). The gap between "I have an idea" and "I have a production-ready Next.js application" is the single largest inefficiency in modern web development.

A second, quieter problem sits underneath the first. Scaffolding tools themselves are a supply-chain attack surface. A CLI that generates code runs arbitrary logic on the developer's machine and installs dependencies the developer did not audit. Most starters publish with no release signing, no provenance metadata, no pinned dependencies, and no process for responding to upstream advisories. The ecosystem treats scaffolding as disposable while shipping code that will anchor production applications for years.

Simulacrum is a commercial CLI tool distributed through npm as simulacrum-cli. A single command generates a complete, production-ready Next.js application from one of twenty vertical templates: e-commerce, SaaS, blog, portfolio, docs, corporate, landing, telehealth, marketplace, LMS, events, job board, directory, community, booking, newsletter, nonprofit, real estate, restaurant, and fitness. Each template is a fully-realized application shell rather than a generic starter with a vertical label. The telehealth template ships HIPAA-ready consultations, provider profiles, prescriptions, and patient dashboards. The LMS template ships courses, lessons, quizzes, student progress tracking, certificates, and instructor dashboards. The marketplace template ships multi-vendor listings, commission management, vendor dashboards, and review systems. The templates are the product, not the CLI.

Every generated application includes authentication via better-auth with OAuth, magic link, credentials, 2FA, passkeys, and session management; role-based access control with template-specific roles (for SaaS: Super Admin, Owner, Admin, Member, Viewer) enforced at the middleware layer; four database adapter options (Supabase, Drizzle, Prisma, raw PostgreSQL) selectable at generation time; four payment provider integrations (Stripe, Polar, Creem, Dodo); React Email transactional templates with Resend, Postmark, or Nodemailer delivery; internationalization across eight languages (English, Spanish, French, German, Portuguese, Chinese, Japanese, Arabic) with right-to-left support for Arabic; admin dashboards built on Recharts with real database-backed analytics rather than placeholder stubs; Playwright E2E test suites pre-written per template and CI-ready; S3-compatible storage adapters for AWS, Cloudflare R2, DigitalOcean Spaces, MinIO, and Supabase Storage; background task runners via trigger.dev, Upstash QStash, or BullMQ; analytics connectors for Plausible, Google Analytics, Mixpanel, PostHog, Umami, and Vercel Analytics; Sentry error tracking; SEO scaffolding with Open Graph, JSON-LD, sitemap, and robots.txt; Dockerfile and docker-compose for self-hosting; and GitHub Actions workflows for test, lint, and deploy.

The product is tiered commercially rather than gated behind a subscription. Free tier generates a portfolio template with SQLite and a watermark, enough to validate the workflow. Starter ($149 one-time) unlocks all twenty templates with Drizzle, one OAuth provider, one payment provider, and a single seat. Pro ($299 one-time) unlocks all four database adapters, all auth providers plus 2FA, full RBAC and i18n, WCAG 2.2 AA conformance (CPACC-tested, screen reader verified), the full observability connector matrix, over eighty industry sub-variants, and five seats. Agency (forthcoming) extends to ten seats with multi-tenancy, SSO via SAML and OIDC, audit logging, and help desk integrations. Pricing is one-time rather than recurring because the generated code belongs to the customer permanently.

The CLI is executed via npx simulate <project-type> and presents interactive checklists for contextual integrations. E-commerce scaffolds surface payment processors, analytics providers, and inventory management options. SaaS scaffolds surface authentication providers, billing systems, and customer support tooling. Plugin selection at generation time handles dependency installation, configuration file creation, and working integration examples rather than TODO comments.

Templates are TypeScript-strict with zero implicit any and Zod validation on all form boundaries. The folder structure (components, pages, styles, utils, config) scales from prototype to production without reorganization. A CSS variable theme system supports light and dark modes with system preference detection. Every template is AI-agent-ready with AGENTS.md, .cursorrules, and prompt conventions optimized for Cursor, Claude Code, and Codex, treating AI pair programming as a first-class development surface rather than a bolt-on.

Supply-chain integrity is treated as part of the product rather than operational hygiene. CLI and template packages publish from automation that customers can inspect. GitHub releases are signed. npm provenance is enabled where supported, allowing customers to verify that a given package version was built from a specific commit in the public repository. Dependencies in every scaffold are pinned and reviewed, with routine updates when upstream security advisories are published. This posture reduces exposure to dependency confusion attacks, tampering, and malicious injection, all of which are active threats in the npm ecosystem.

The quality metric is time from command execution to functional development environment. Traditional setup ranges from hours for experienced developers on familiar stacks to two to six months for agency engagements. Simulacrum reduces this to approximately one minute.