orcaqubits/medusa-setup
dist/codex/medusa-commerce/skills/medusa-setup/SKILL.md
Set up a Medusa v2 development environment — CLI, PostgreSQL/Redis prerequisites, project creation, medusa-config.ts, directory structure, environment variables. Use when starting a new Medusa project.
$ install --global
skillsauthnpx skillsauth add orcaqubits/agentic-commerce-claude-plugins medusa-setupInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 9, 2026, 7:03 AM137.9s1 file scanned
SKILL.md
- name:
- medusa-setup
- description:
- >
Medusa v2 Development Setup
Before writing code
Fetch live docs:
- Fetch
https://docs.medusajs.com/learn/installationfor installation guide - Web-search
site:docs.medusajs.com create medusa starterfor project scaffolding - Web-search
site:docs.medusajs.com medusa-config referencefor configuration options - Web-search
site:docs.medusajs.com project directory structurefor v2 layout
Prerequisites
Required Software
| Software | Minimum Version | Purpose | |----------|----------------|---------| | Node.js | v20+ | Runtime | | PostgreSQL | — (see docs) | Primary database | | Redis | v6+ | Event bus, caching (optional for dev) | | Git | any | Version control | | npm / yarn / pnpm | latest | Package manager |
PostgreSQL Setup
- Create a dedicated database:
CREATE DATABASE medusa_db; - Create a user with full privileges on that database
- Connection string format:
postgres://user:password@localhost:5432/medusa_db
Redis Setup (Optional for Development)
- Default connection:
redis://localhost:6379 - Required in production for the event bus module and caching
- In development, Medusa falls back to an in-memory event bus
Project Creation
CLI Scaffolding
npx create-medusa-app@latest my-store
# Prompts: project name, PostgreSQL credentials
# Creates: backend + Next.js storefront starter
Backend Only
npx create-medusa-app@latest my-store --skip-client
# Fetch live docs for current CLI flags
Project Directory Structure
| Directory | Purpose |
|-----------|---------|
| src/modules/ | Custom modules (DML data models, services) |
| src/workflows/ | Custom workflows and steps |
| src/api/store/, src/api/admin/ | Custom API routes + middlewares.ts |
| src/subscribers/, src/jobs/ | Event subscribers, scheduled jobs |
| src/admin/widgets/, src/admin/routes/ | Admin UI extensions |
| src/links/ | Module link definitions |
| Root | medusa-config.ts, package.json, tsconfig.json, .env |
medusa-config.ts Key Fields
| Field | Purpose |
|-------|---------|
| projectConfig.databaseUrl | PostgreSQL connection string |
| projectConfig.redisUrl | Redis connection (optional) |
| projectConfig.http.adminCors | Allowed origins for admin API |
| projectConfig.http.storeCors | Allowed origins for store API |
| projectConfig.http.authCors | Allowed origins for auth routes |
| projectConfig.workerMode | shared, worker, or server |
| modules | Array of module configurations |
| plugins | Array of plugin configurations |
Minimal Configuration Skeleton
// medusa-config.ts — Fetch live docs for current defineConfig shape
import { defineConfig } from "@medusajs/framework/utils"
export default defineConfig({
projectConfig: { databaseUrl: process.env.DATABASE_URL },
// Fetch live docs for modules, plugins, http config
})
Environment Variables
DATABASE_URL=postgres://user:password@localhost:5432/medusa_db
REDIS_URL=redis://localhost:6379
COOKIE_SECRET=your-cookie-secret
JWT_SECRET=your-jwt-secret
STORE_CORS=http://localhost:8000
ADMIN_CORS=http://localhost:5173
AUTH_CORS=http://localhost:5173
Never hardcode secrets -- always use .env files excluded from version control.
CLI Commands
| Command | Purpose |
|---------|---------|
| npx medusa develop | Start dev server with hot reload |
| npx medusa build | Build for production |
| npx medusa start | Start production server |
| npx medusa worker | Start background worker process |
| npx medusa db:migrate | Run database migrations |
| npx medusa db:generate | Generate migration files |
| npx medusa db:rollback | Rollback last migration |
| npx medusa user --email [email protected] | Create admin user |
| npx medusa exec ./src/scripts/seed.ts | Run seed script |
Worker Mode
Medusa supports three worker modes for handling background jobs:
| Mode | Description |
|------|-------------|
| shared | Single process handles HTTP and background jobs (default) |
| worker | Dedicated process for background jobs only |
| server | HTTP-only, no background job processing |
In production, run one server instance and one or more worker instances.
Database Migrations
- Medusa v2 auto-generates migrations from DML model changes
- Run
npx medusa db:generateafter modifying data models - Run
npx medusa db:migrateto apply pending migrations - Always commit migration files to version control
Best Practices
- Use
npx create-medusa-app@latestto scaffold -- do not set up manually - Always run
npx medusa db:migrateafter pulling changes that include new migrations - Keep
.envin.gitignoreand provide.env.templatefor team members - Use
sharedworker mode in development, separateserver+workerin production - Pin your Medusa version in
package.jsonto avoid unexpected breaking changes - Run
npx medusa userto create the first admin user after initial setup
Common Issues
| Issue | Resolution |
|-------|-----------|
| Database connection refused | Verify PostgreSQL is running and DATABASE_URL is correct |
| Migrations fail | Ensure database exists and user has DDL privileges |
| Admin dashboard blank | Check ADMIN_CORS matches the admin URL |
| Store API 403 | Check STORE_CORS matches the storefront URL |
| Redis connection error | Either start Redis or remove redisUrl from config |
Fetch the Medusa installation guide and CLI reference for exact commands, flags, and latest configuration options before setting up.
Related Skills
orcaqubits/spree-headless-storefront
development
VerifiedTrustedCommunity
Build with Spree's headless Next.js storefront — the official `spree/storefront` repo (Next.js 16 App Router with Server Actions and Turbopack, React 19 Server Components, Tailwind CSS 4, TypeScript 5, `@spree/sdk`, Sentry), server-only auth (httpOnly JWT cookies + publishable key), MeiliSearch faceted catalog, one-page checkout with Apple/Google Pay/Klarna/Affirm/SEPA, multi-region market routing, GA4 + JSON-LD SEO, and Vercel/Docker deployment. Use when forking or customizing the storefront, or evaluating headless adoption.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-extensions
tools
VerifiedTrustedCommunity
Build Spree extensions as Rails engines — gem scaffolding, `bin/rails g spree:extension`, mounting routes/migrations/assets, the modern `prepend` decorator pattern (`*_decorator.rb` with `self.prepended(base)`), generators (`spree:model_decorator`, `spree:controller_decorator`), the four customization surfaces in preference order (Events > Webhooks > Dependencies > Decorators), Spree::Dependencies for swapping service objects, gem release/versioning, and the deprecated Deface engine. Use when building a reusable Spree extension or adding non-trivial customization to an app.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-events-webhooks
development
VerifiedTrustedCommunity
Build with Spree's event bus and Webhooks 2.0 — `Spree::Events` publication, `Spree::Subscriber` DSL with `subscribes_to` and `on`, wildcard matching, lifecycle events (`{model}.created/.updated/.deleted` via `publishes_lifecycle_events`), the canonical event catalog (order.*, payment.*, shipment.*, product.*), Webhooks 2.0 endpoints, HMAC-SHA256 signing (`X-Spree-Webhook-Signature`), exponential-backoff retries, and Sidekiq job orchestration. Use when wiring event-driven business logic, building webhook consumers, or replacing ActiveSupport callback chains.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-dev-patterns
tools
VerifiedTrustedCommunity
Cross-cutting Spree development patterns — the customization preference hierarchy (Events > Webhooks > Dependencies > Decorators), `Spree::Dependencies` service-object swapping, the `_decorator.rb` + `prepend` + `self.prepended` idiom, idempotent subscribers and webhook receivers, multi-store scoping discipline, prefixed IDs, calculator polymorphism (shipping/promotion/tax share the base), service-object composition with `dry-monads` or simple results, why to avoid `class_eval` reopening and Deface, and Spree-on-Rails idioms (Hotwire/Turbo Stimulus, ActiveStorage, Action Cable, Sidekiq). Use when designing the architecture of a Spree extension or solving cross-cutting concerns.
27SKILL.mdUpdated May 14, 2026