pikkujs/pikku-services
packages/cli/skills/pikku-services/SKILL.md
Use when setting up dependency injection, creating custom services, or configuring the service layer in a Pikku app. Covers pikkuServices (singleton), pikkuWireServices (per-request), service typing, built-in services, and tree-shaking. TRIGGER when: code uses pikkuServices/pikkuWireServices, user asks about services.ts, dependency injection, service factories, or built-in services (ConsoleLogger, JoseJWTService). DO NOT TRIGGER when: user asks about auth middleware (use pikku-security) or secrets/variables (use pikku-config).
$ install --global
skillsauthnpx skillsauth add pikkujs/pikku pikku-servicesInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 13, 2026, 4:47 AM35.6s1 file scanned
SKILL.md
- name:
- pikku-services
- description:
- Use when setting up dependency injection, creating custom services, or configuring the service layer in a Pikku app. Covers pikkuServices (singleton), pikkuWireServices (per-request), service typing, built-in services, and tree-shaking.
- TRIGGER when:
- code uses pikkuServices/pikkuWireServices, user asks about services.ts, dependency injection, service factories, or built-in services (ConsoleLogger, JoseJWTService).
- DO NOT TRIGGER when:
- user asks about auth middleware (use pikku-security) or secrets/variables (use pikku-config).
- installGroups:
- [core]
Pikku Services (Dependency Injection)
Agent Operating Procedure
Use this skill as an execution checklist, not reference material.
- Discover before editing. Prefer OpenCode tools such as
pikku-metawhen available; otherwise run the relevantpikku meta ... --jsoncommand and inspect only the focused output you need. - Identify the source files that own the behavior. Do not start by reading generated output,
.pikku,node_modules, vendored packages, or broad build artifacts. - Make the smallest source change that satisfies the task. Keep generated files generated, and avoid hand-editing SDKs, schema output, or typegen.
- Validate with the narrowest relevant command first, then run
pikku-verifyorpikku allwhen functions, wirings, schemas, or generated clients may have changed. - If validation fails, fix the source cause and rerun validation. Do not paper over generated errors by editing generated files.
Pikku uses factory functions for dependency injection. Singleton services are created once at startup. Wire services are created fresh per request/job/command.
Before You Start
pikku info functions --verbose # See which services existing functions use
pikku info tags --verbose # Understand project organization
See pikku-concepts for the core mental model.
API Reference
pikkuServices(factory)
Create singleton services — instantiated once at server startup.
import { pikkuServices } from '#pikku'
const createSingletonServices = pikkuServices(
async (config, existingServices?) => {
// config: your CoreConfig object
// existingServices: optional, for chaining factories
return {
config,
logger: Logger,
jwt: JWTService,
database: DatabasePool,
// ...any custom services
}
}
)
pikkuWireServices(factory)
Create per-request services — fresh instance for each HTTP request, queue job, CLI command, etc.
import { pikkuWireServices } from '#pikku'
const createWireServices = pikkuWireServices(
async (singletonServices, wire) => {
// singletonServices: all singleton services
// wire: transport context (session, channel, etc.)
// Pikku merges these with singleton services automatically
return {
userSession: UserSessionService,
dbTransaction: DatabaseTransaction,
}
}
)
Auto-Generated Service Manifest
After npx pikku prebuild, Pikku generates a manifest of which services are actually used:
// .pikku/pikku-services.gen.ts (auto-generated)
export const requiredSingletonServices = {
database: true, // used by getUser, deleteUser
audit: true, // used by deleteUser
cache: false, // not used by any wired function
jwt: true, // used by auth middleware
} as const
export type RequiredSingletonServices = Pick<
SingletonServices,
'database' | 'audit' | 'jwt'
> &
Partial<Omit<SingletonServices, 'database' | 'audit' | 'jwt'>>
Usage Patterns
Basic Singleton Services
const createSingletonServices = pikkuServices(
async (config, existingServices) => {
const logger = new ConsoleLogger()
const database = new DatabasePool(config.database)
await database.connect()
const jwt = new JoseJWTService(
async () => [{ id: 'my-key', value: JWT_SECRET }],
logger
)
return {
config,
logger,
database,
jwt,
books: new BookService(),
}
}
)
Per-Request Wire Services
const createWireServices = pikkuWireServices(
async (singletonServices, wire) => {
return {
userSession: createUserSessionService(wire),
dbTransaction: new DatabaseTransaction(singletonServices.database),
}
}
)
Using Services in Functions
Functions destructure services from the first parameter:
const getUser = pikkuFunc({
title: 'Get User',
func: async ({ db, logger, jwt }, { userId }) => {
logger.info('Fetching user', { userId })
const user = await db.getUser(userId)
return { user }
},
})
Dynamic Import Optimization
Use the generated manifest to conditionally import heavy dependencies:
import { requiredSingletonServices } from '.pikku/pikku-services.gen.js'
const createSingletonServices = pikkuServices(async (config) => {
const logger = new ConsoleLogger()
let jwt: JWTService | undefined
if (requiredSingletonServices.jwt) {
const { JoseJWTService } = await import('@pikku/jose')
jwt = new JoseJWTService(keys, logger)
}
let database: Database | undefined
if (requiredSingletonServices.database) {
database = await createDatabase(config.databaseUrl)
}
return { config, logger, jwt, database }
})
Audit Wire Service
createInvocationAudit creates a per-request InvocationAuditLog that buffers audit events in memory and flushes them as a batch when the function-runner calls closeWireServices at the end of the request. If singletonServices.audit is not configured (local dev without Fabric), it returns a no-op DisabledInvocationAudit — no crash, events are silently dropped.
Pair with createAuditedKysely to auto-capture every Kysely query as an audit event.
// services.ts
import { createInvocationAudit } from '@pikku/core/services'
import { createAuditedKysely } from '@pikku/kysely'
export const createWireServices = pikkuWireServices(async (singletonServices, wire) => {
const audit = createInvocationAudit(singletonServices.audit, wire)
const kysely = singletonServices.kysely
? createAuditedKysely(singletonServices.kysely, { audit })
: undefined
return { audit, ...(kysely ? { kysely } : {}) }
})
The audit wire service is typed as AuditLog (from @pikku/core). Functions that emit custom events use it directly:
const deleteUser = pikkuFunc({
func: async ({ audit }, { userId }) => {
await audit.audit({ type: 'user.deleted', actor_user_id: userId })
// ...
},
})
closeWireServices (called automatically by the function-runner) invokes audit.close() → singletonServices.audit.write(batch) → platform-specific flush (e.g. CF Queue, libsql INSERT). No manual flushing needed.
Fabric note: Fabric provisions the audit queue and consumer worker automatically. The audit table schema is in
db/sqlite/0003-audit.sql(starter-template). Runpikku fabric validateto confirm the migration is in place.
Built-in Services
| Service | Package | Purpose |
| -------------------------- | ---------------------- | -------------------------------- |
| ConsoleLogger | @pikku/core/services | Console-based logging |
| JoseJWTService | @pikku/jose | JWT sign/verify via jose |
| LocalSecretService | @pikku/core/services | Local development secrets |
| LocalVariablesService | @pikku/core/services | Local environment variables |
| PinoLogger | @pikku/pino | Structured logging via Pino |
| createInvocationAudit | @pikku/core/services | Per-request audit buffer |
| createAuditedKysely | @pikku/kysely | Auto-capture DB queries as audit events |
Complete Example
// services.ts
import { pikkuServices, pikkuWireServices } from '#pikku'
import { ConsoleLogger } from '@pikku/core/services'
import { JoseJWTService } from '@pikku/jose'
// Custom service
class TodoStore {
private todos: Map<string, Todo> = new Map()
async create(title: string, priority: string) {
const todo = { id: crypto.randomUUID(), title, priority, completed: false }
this.todos.set(todo.id, todo)
return todo
}
async get(id: string) {
return this.todos.get(id)
}
async list() {
return [...this.todos.values()]
}
async delete(id: string) {
this.todos.delete(id)
}
}
export const createSingletonServices = pikkuServices(async (config) => {
const logger = new ConsoleLogger()
const jwt = new JoseJWTService(
async () => [{ id: 'my-key', value: config.jwtSecret }],
logger
)
return {
config,
logger,
jwt,
secrets: new LocalSecretService(),
variables: new LocalVariablesService(),
todoStore: new TodoStore(),
}
})
export const createWireServices = pikkuWireServices(
async (singletonServices, wire) => ({
scopedLogger: new ScopedLogger(wire.session?.initial?.userId),
})
)
// functions/todos.functions.ts — services are auto-injected
export const createTodo = pikkuFunc({
title: 'Create Todo',
func: async ({ todoStore, logger }, { title, priority }) => {
const todo = await todoStore.create(title, priority)
logger.info('Created todo', { id: todo.id })
return { todo }
},
})
Related Skills
pikkujs/pikku-tag-middleware
documentation
VerifiedTrustedCommunity
Deprecated — use pikku-middleware instead. Tag middleware (addTagMiddleware) is now documented as a section within the pikku-middleware skill, alongside global HTTP middleware, execution order, and the service-to-service bearer auth pattern.
56SKILL.mdUpdated Jun 10, 2026
pikkujs/pikku-permissions
testing
VerifiedTrustedCommunity
Use when adding authorization checks to Pikku functions or routes — pikkuPermission, pikkuAuth, per-function permissions, pattern-based permissions, or understanding OR/AND permission logic. TRIGGER when: user wants to restrict who can call a function, check resource ownership, add role-based access, or understand where permission checks belong. DO NOT TRIGGER when: user asks about middleware or request interception (use pikku-middleware), authentication strategies (use pikku-security), or session management.
56SKILL.mdUpdated Jun 10, 2026
pikkujs/pikku-middleware
testing
VerifiedTrustedCommunity
Use when adding any middleware to a Pikku app — global HTTP middleware, tag-scoped middleware (including service-to-service bearer auth), per-route middleware, session-setting middleware, or understanding middleware execution order and priority. TRIGGER when: user wants middleware on some or all routes, machine-to-machine auth, tag-scoped cross-cutting concerns, global interceptors, or middleware priority/order questions. DO NOT TRIGGER when: user asks about permissions/authorization checks (use pikku-permissions), auth strategies like authBearer/authCookie (use pikku-security), or deployment.
56SKILL.mdUpdated Jun 10, 2026
pikkujs/pikku-template-clone
documentation
VerifiedTrustedCommunity
Standard cleanup to run right after a Pikku template is cloned or scaffolded into a new project. TRIGGER when: a Pikku template was just cloned/scaffolded (via `pikku create`, `git clone <template>`, or the user says "I cloned the kanban template / starter / template"), or the working tree still looks like an untouched template (template README, placeholder `@project/*` name in package.json). DO NOT TRIGGER when: working in an established project mid-feature, or editing the template repo itself.
56SKILL.mdUpdated Jun 4, 2026