create-tigra 2.0.3 → 2.1.0

package/bin/create-tigra.js

@@ -124,11 +124,11 @@ async function main() {
   program
     .name('create-tigra')
     .description('Create a production-ready full-stack app with Next.js + Fastify + Prisma + Redis')
-    .version('2.0.2')
+    .version('2.1.0')
     .argument('[project-name]', 'Name for your new project')
     .action(async (projectNameArg) => {
       console.log();
-      console.log(chalk.bold('  Create Tigra') + chalk.dim(' v2.0.2'));
+      console.log(chalk.bold('  Create Tigra') + chalk.dim(' v2.1.0'));
       console.log();
 
       let projectName = projectNameArg;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-tigra",
-  "version": "2.0.3",
+  "version": "2.1.0",
   "type": "module",
   "description": "Create a production-ready full-stack app with Next.js 16 + Fastify 5 + Prisma + Redis",
   "bin": {

package/template/_claude/hooks/restrict-paths.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+# Restrict Claude's WRITE access based on the .developer-role file.
+# Claude can always READ any file for full project context.
+# Only Edit/Write operations are blocked on the other side's directory.
+#
+# To switch roles, either:
+#   1. Edit .developer-role and type: frontend, backend, or fullstack
+#   2. Use /role command in Claude
+#
+# fullstack (or empty/missing file) = no restrictions
+
+ROLE_FILE="$CLAUDE_PROJECT_DIR/.developer-role"
+
+# Read role from file, trim whitespace
+if [ -f "$ROLE_FILE" ]; then
+  ROLE=$(tr -d '[:space:]' < "$ROLE_FILE")
+else
+  ROLE=""
+fi
+
+# No file, empty, or fullstack = full access
+if [ -z "$ROLE" ] || [ "$ROLE" = "fullstack" ]; then
+  exit 0
+fi
+
+# Read stdin (JSON from Claude Code)
+INPUT=$(cat)
+
+# Extract tool_name from JSON
+TOOL_NAME=$(echo "$INPUT" | grep -oP '"tool_name"\s*:\s*"[^"]*"' | head -1 | sed 's/.*:.*"\(.*\)"/\1/')
+
+# Only block write operations (Edit, Write). Allow Read, Glob, Grep.
+if [ "$TOOL_NAME" != "Edit" ] && [ "$TOOL_NAME" != "Write" ]; then
+  exit 0
+fi
+
+# Extract file_path or path from JSON
+FILE_PATH=""
+for field in file_path path; do
+  value=$(echo "$INPUT" | grep -oP "\"${field}\"\s*:\s*\"[^\"]*\"" | head -1 | sed 's/.*:.*"\(.*\)"/\1/')
+  if [ -n "$value" ]; then
+    FILE_PATH="$value"
+    break
+  fi
+done
+
+# No file path found = allow
+if [ -z "$FILE_PATH" ]; then
+  exit 0
+fi
+
+deny_with_reason() {
+  cat <<DENY_EOF
+{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"$1"}}
+DENY_EOF
+  exit 0
+}
+
+if [ "$ROLE" = "frontend" ]; then
+  if echo "$FILE_PATH" | grep -qiE "(^|/|\\\\)server(/|\\\\|$)"; then
+    deny_with_reason "BLOCKED: Role is set to frontend. You can read server/ files but cannot modify them. Only the backend developer can edit server/ code."
+  fi
+elif [ "$ROLE" = "backend" ]; then
+  if echo "$FILE_PATH" | grep -qiE "(^|/|\\\\)client(/|\\\\|$)"; then
+    deny_with_reason "BLOCKED: Role is set to backend. You can read client/ files but cannot modify them. Only the frontend developer can edit client/ code."
+  fi
+fi
+
+exit 0

package/template/_claude/settings.json

@@ -0,0 +1,15 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/restrict-paths.sh\""
+          }
+        ]
+      }
+    ]
+  }
+}

package/template/_claude/skills/role/SKILL.md

@@ -0,0 +1,37 @@
+---
+name: role
+description: Switch developer role to restrict Claude's access to frontend-only, backend-only, or full access
+argument-hint: "[frontend | backend | fullstack]"
+disable-model-invocation: true
+allowed-tools: Read, Write
+---
+
+The user wants to switch their developer role. The argument is: $ARGUMENTS
+
+Read the file `.developer-role` in the project root to see the current role.
+
+## Rules
+
+- If the argument is `frontend`, `backend`, or `fullstack` — write that word to `.developer-role` and confirm the switch.
+- If no argument is given — read `.developer-role` and tell the user their current role, then ask which role they want.
+- If the argument is not one of the three valid roles — tell the user the valid options.
+
+## What each role does
+
+| Role | Access |
+|------|--------|
+| `frontend` | Can only work in `client/`. Blocked from `server/`. |
+| `backend` | Can only work in `server/`. Blocked from `client/`. |
+| `fullstack` | Full access to everything. No restrictions. |
+
+## Response format
+
+After switching, confirm like this:
+
+```
+Role switched to **{role}**.
+
+- frontend → client/ only
+- backend → server/ only
+- fullstack → full access
+```

package/template/client/next.config.ts

@@ -1,5 +1,14 @@
 import type { NextConfig } from "next";
 
+const apiBaseUrl = process.env.NEXT_PUBLIC_API_BASE_URL || "http://localhost:8000";
+const apiOrigin = (() => {
+  try {
+    return new URL(apiBaseUrl).origin;
+  } catch {
+    return "http://localhost:8000";
+  }
+})();
+
 const nextConfig: NextConfig = {
   async headers() {
     return [
@@ -22,7 +31,7 @@ const nextConfig: NextConfig = {
               "base-uri 'self'",
               "form-action 'self'",
               "frame-ancestors 'none'",
-              `connect-src 'self' ${process.env.NEXT_PUBLIC_API_BASE_URL || "http://localhost:8000"}`,
+              `connect-src 'self' ${apiOrigin}`,
             ].join("; "),
           },
         ],

package/template/client/src/lib/api/axios.config.ts

@@ -80,12 +80,22 @@ apiClient.interceptors.response.use(
     } catch (refreshError) {
       processQueue(refreshError);
 
-      const { logout } = await import('@/features/auth/store/authSlice');
-      const { store } = await import('@/store');
-      store.dispatch(logout());
-
-      if (typeof window !== 'undefined') {
-        window.location.href = ROUTES.LOGIN;
+      // Only logout on definitive auth failures (server responded with 4xx).
+      // Network errors (server unreachable, timeout) should NOT destroy the session.
+      const isAuthFailure =
+        axios.isAxiosError(refreshError) &&
+        refreshError.response != null &&
+        refreshError.response.status >= 400 &&
+        refreshError.response.status < 500;
+
+      if (isAuthFailure) {
+        const { logout } = await import('@/features/auth/store/authSlice');
+        const { store } = await import('@/store');
+        store.dispatch(logout());
+
+        if (typeof window !== 'undefined') {
+          window.location.href = ROUTES.LOGIN;
+        }
       }
 
       return Promise.reject(refreshError);

package/template/client/src/middleware.ts

@@ -23,12 +23,21 @@ export function middleware(request: NextRequest): NextResponse {
     path === '/' ? pathname === '/' : pathname.startsWith(path)
   );
 
-  if (isProtectedPath && (!token || isTokenExpired(token))) {
+  // No token at all — user is not logged in, redirect to login
+  if (isProtectedPath && !token) {
     const loginUrl = new URL('/login', request.url);
     loginUrl.searchParams.set('from', pathname);
     return NextResponse.redirect(loginUrl);
   }
 
+  // Expired token on protected path — allow through so client-side can attempt refresh.
+  // Delete the stale access_token so AuthInitializer starts fresh: getMe() → 401 → refresh.
+  if (isProtectedPath && token && isTokenExpired(token)) {
+    const response = NextResponse.next();
+    response.cookies.delete('access_token');
+    return response;
+  }
+
   const isAuthPath = authPaths.some((path) => pathname.startsWith(path));
 
   if (isAuthPath && token) {

package/template/gitignore

@@ -22,6 +22,9 @@ Thumbs.db
 # Claude Code local settings
 .claude/settings.local.json
 
+# Developer role (personal per developer)
+.developer-role
+
 # Playwright MCP artifacts
 .playwright-mcp/
 

package/template/server/src/libs/auth.ts

@@ -1,6 +1,7 @@
 import type { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
 import { v4 as uuidv4 } from 'uuid';
 import { env } from '@config/env.js';
+import { prisma } from '@libs/prisma.js';
 import { UnauthorizedError, ForbiddenError } from '@shared/errors/errors.js';
 import type { JwtPayload, UserRole } from '@shared/types/index.js';
 
@@ -58,6 +59,16 @@ export async function authenticate(
   } catch {
     throw new UnauthorizedError('Invalid or expired token');
   }
+
+  // Verify user still exists, is active, and not soft-deleted
+  const user = await prisma.user.findUnique({
+    where: { id: request.user.userId },
+    select: { isActive: true, deletedAt: true },
+  });
+
+  if (!user || !user.isActive || user.deletedAt) {
+    throw new UnauthorizedError('Account is deactivated or deleted');
+  }
 }
 
 export async function optionalAuth(

package/template/server/src/modules/auth/auth.service.ts

@@ -54,15 +54,17 @@ function sanitizeUser(user: {
   isActive: boolean;
   createdAt: Date;
   updatedAt: Date;
-  password: string;
 }): SanitizedUser {
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  const { password: _password, createdAt, updatedAt, avatarUrl, ...rest } = user;
   return {
-    ...rest,
-    avatarUrl: avatarUrl ?? null,
-    createdAt: createdAt.toISOString(),
-    updatedAt: updatedAt.toISOString(),
+    id: user.id,
+    email: user.email,
+    firstName: user.firstName,
+    lastName: user.lastName,
+    avatarUrl: user.avatarUrl ?? null,
+    role: user.role,
+    isActive: user.isActive,
+    createdAt: user.createdAt.toISOString(),
+    updatedAt: user.updatedAt.toISOString(),
   };
 }