create-tigra 2.4.0 → 2.5.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-tigra",
-  "version": "2.4.0",
+  "version": "2.5.0",
   "type": "module",
   "description": "Create a production-ready full-stack app with Next.js 16 + Fastify 5 + Prisma + Redis",
   "bin": {

package/template/client/.dockerignore

@@ -0,0 +1,63 @@
+# Dependencies (will be installed fresh in Docker)
+node_modules
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+
+# Build output (will be built fresh in Docker)
+.next
+out
+*.tsbuildinfo
+
+# Environment files (use Docker env vars instead)
+.env
+.env.local
+.env.*.local
+.env.development
+.env.test
+
+# Git
+.git
+.gitignore
+.gitattributes
+
+# IDE
+.vscode
+.idea
+*.swp
+*.swo
+*~
+.DS_Store
+
+# Testing
+coverage
+.nyc_output
+**/__tests__
+**/*.test.ts
+**/*.test.tsx
+**/*.spec.ts
+**/*.spec.tsx
+vitest.config.ts
+jest.config.ts
+
+# Documentation
+docs
+CHANGELOG.md
+LICENSE
+
+# Docker
+Dockerfile
+.dockerignore
+docker-compose.yml
+
+# CI/CD
+.github
+.gitlab-ci.yml
+.circleci
+
+# Misc
+.prettierrc
+.eslintrc
+.eslintignore
+.editorconfig

package/template/client/Dockerfile

@@ -0,0 +1,98 @@
+# ===================================================================
+# Multi-stage Dockerfile for Next.js Production Deployment
+# Optimized for Coolify, Docker Compose, and Kubernetes
+# Requires `output: "standalone"` in next.config.ts
+# ===================================================================
+
+# ===================================================================
+# Stage 1: Dependencies (cached layer)
+# ===================================================================
+FROM node:20-alpine AS dependencies
+
+WORKDIR /app
+
+# Copy package files
+COPY package.json package-lock.json* pnpm-lock.yaml* yarn.lock* ./
+
+# Install dependencies (use the lockfile that exists)
+RUN if [ -f pnpm-lock.yaml ]; then \
+      npm install -g pnpm && pnpm install --frozen-lockfile; \
+    elif [ -f yarn.lock ]; then \
+      yarn install --frozen-lockfile; \
+    else \
+      npm ci; \
+    fi
+
+# ===================================================================
+# Stage 2: Build (compile Next.js)
+# ===================================================================
+FROM node:20-alpine AS builder
+
+WORKDIR /app
+
+# Copy dependencies from previous stage
+COPY --from=dependencies /app/node_modules ./node_modules
+
+# Copy source code
+COPY . .
+
+# Build arguments for env vars needed at build time
+# Next.js inlines NEXT_PUBLIC_* values during build, so they must
+# be available here. Pass them via --build-arg in Coolify/Docker.
+ARG NEXT_PUBLIC_API_BASE_URL
+ARG NEXT_PUBLIC_APP_NAME
+
+ENV NEXT_PUBLIC_API_BASE_URL=$NEXT_PUBLIC_API_BASE_URL
+ENV NEXT_PUBLIC_APP_NAME=$NEXT_PUBLIC_APP_NAME
+
+# Disable Next.js telemetry during build
+ENV NEXT_TELEMETRY_DISABLED=1
+
+# Build the application (outputs to .next/standalone)
+RUN npm run build
+
+# ===================================================================
+# Stage 3: Production Runtime
+# ===================================================================
+FROM node:20-alpine AS production
+
+# Install dumb-init for proper signal handling
+RUN apk add --no-cache dumb-init
+
+# Create non-root user for security
+RUN addgroup -g 1001 -S nodejs && \
+    adduser -S nextjs -u 1001
+
+WORKDIR /app
+
+# Copy the standalone server (includes only required node_modules)
+COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
+
+# Copy static assets (not included in standalone output)
+COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+
+# Copy public folder (favicon, images, etc.)
+COPY --from=builder --chown=nextjs:nodejs /app/public ./public
+
+# Switch to non-root user
+USER nextjs
+
+# Disable telemetry at runtime
+ENV NEXT_TELEMETRY_DISABLED=1
+
+# Set hostname to listen on all interfaces (required in containers)
+ENV HOSTNAME="0.0.0.0"
+
+# Default port (override via PORT env var in Coolify)
+ENV PORT=3000
+EXPOSE 3000
+
+# Health check for container orchestration
+HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
+  CMD node -e "const p=process.env.PORT||3000;require('http').get('http://localhost:'+p,(r)=>{process.exit(r.statusCode===200?0:1)})"
+
+# Use dumb-init to handle signals properly
+ENTRYPOINT ["dumb-init", "--"]
+
+# Start the standalone Next.js server
+CMD ["node", "server.js"]

package/template/client/next.config.ts

@@ -10,6 +10,7 @@ const apiOrigin = (() => {
 })();
 
 const nextConfig: NextConfig = {
+  output: "standalone",
   async headers() {
     return [
       {

package/template/client/src/app/layout.tsx

@@ -27,7 +27,7 @@ export default function RootLayout({
   children: React.ReactNode;
 }>): React.ReactElement {
   return (
-    <html lang="en" suppressHydrationWarning>
+    <html lang="en" className="dark" suppressHydrationWarning>
       <body className={`${geistSans.variable} ${geistMono.variable} font-sans antialiased`}>
         <Providers>{children}</Providers>
       </body>

package/template/client/src/app/providers.tsx

@@ -29,7 +29,7 @@ export function Providers({ children }: { children: React.ReactNode }): React.Re
   return (
     <ReduxProvider store={store}>
       <QueryClientProvider client={queryClient}>
-        <ThemeProvider attribute="class" defaultTheme="system" enableSystem disableTransitionOnChange>
+        <ThemeProvider attribute="class" defaultTheme="dark" disableTransitionOnChange>
           <AuthInitializer>
             {children}
           </AuthInitializer>

package/template/client/src/features/auth/components/AuthInitializer.tsx

@@ -10,12 +10,16 @@ import { ROUTES } from '@/lib/constants/routes';
 import { authService } from '../services/auth.service';
 import { setUser, setInitialized } from '../store/authSlice';
 
-const AUTH_PAGES: string[] = [ROUTES.LOGIN, ROUTES.REGISTER];
+const PROTECTED_PATHS: string[] = [ROUTES.DASHBOARD, ROUTES.PROFILE];
 
 interface AuthInitializerProps {
   children: React.ReactNode;
 }
 
+function isProtectedPath(pathname: string): boolean {
+  return PROTECTED_PATHS.some((path) => pathname.startsWith(path));
+}
+
 export const AuthInitializer = ({ children }: AuthInitializerProps): React.ReactElement => {
   const dispatch = useAppDispatch();
   const pathname = usePathname();
@@ -23,10 +27,12 @@ export const AuthInitializer = ({ children }: AuthInitializerProps): React.React
   const { isAuthenticated, isLoggingOut } = useAppSelector((state) => state.auth);
 
   useEffect(() => {
-    if (AUTH_PAGES.includes(pathname)) {
+    // On public pages, skip auth hydration — just mark as initialized
+    if (!isProtectedPath(pathname)) {
       dispatch(setInitialized());
       return;
     }
+
     if (isAuthenticated || isLoggingOut) return;
 
     let cancelled = false;

package/template/client/src/lib/api/axios.config.ts

@@ -45,7 +45,7 @@ apiClient.interceptors.response.use(
 
     // Don't retry auth endpoints that don't use tokens —
     // a 401 here means wrong credentials, not an expired token.
-    const noRetryEndpoints = [
+    const noRetryEndpoints: string[] = [
       API_ENDPOINTS.AUTH.LOGIN,
       API_ENDPOINTS.AUTH.REGISTER,
       API_ENDPOINTS.AUTH.REFRESH,

package/template/server/.dockerignore

@@ -63,4 +63,3 @@ postman/
 .eslintrc
 .eslintignore
 .editorconfig
-tsconfig.json

package/template/server/.env.example

@@ -1,8 +1,18 @@
 # ===================================================================
 # APPLICATION CONFIGURATION
 # ===================================================================
+#
+# COOLIFY DEPLOYMENT NOTE:
+# When adding environment variables in Coolify, do NOT check
+# "Available at Buildtime" for any variable unless explicitly noted.
+# The server Dockerfile handles build-time config internally.
+# All variables below are RUNTIME-ONLY unless marked otherwise.
+#
+# ===================================================================
 
 # Environment: development | production | test
+# COOLIFY: Do NOT check "Available at Buildtime" — the Dockerfile
+# sets NODE_ENV=development during build to ensure devDependencies install.
 NODE_ENV=development
 
 # Server port (default: 8000)
@@ -17,6 +27,7 @@ HOST=0.0.0.0
 
 # Database connection string
 # Format: mysql://username:password@host:port/database
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
 DATABASE_URL="mysql://root:rootpassword@localhost:{{MYSQL_PORT}}/{{DATABASE_NAME}}"
 
 # Connection pool settings (for high-traffic production)
@@ -31,6 +42,7 @@ DATABASE_POOL_MAX=10
 
 # Redis connection URL
 # Format: redis://[:password@]host:port[/database]
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
 REDIS_URL="redis://localhost:{{REDIS_PORT}}"
 
 # Max retry attempts for failed Redis operations
@@ -62,6 +74,13 @@ RATE_LIMIT_MULTIPLIER=1
 # Maximum file upload size in MB (default: 10)
 MAX_FILE_SIZE_MB=10
 
+# COOLIFY PERSISTENT STORAGE (required for uploads to survive redeployments):
+# Go to your service in Coolify → Storages → Add Volume Mount:
+#   Name:             uploads (or <project-name>-uploads)
+#   Source Path:      (leave empty — Coolify manages the Docker volume)
+#   Destination Path: /app/uploads
+# Without this, all uploaded files are lost on every redeployment.
+
 # ===================================================================
 # DOCKER PORTS (auto-generated, unique per project)
 # ===================================================================
@@ -79,6 +98,7 @@ REDIS_COMMANDER_PORT={{REDIS_COMMANDER_PORT}}
 # JWT secret key (MUST be at least 32 characters)
 # CRITICAL: Generate a strong random secret for production!
 # Example: openssl rand -base64 48
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
 JWT_SECRET="{{JWT_SECRET}}"
 
 # Access token expiry (short-lived)
@@ -92,6 +112,7 @@ JWT_REFRESH_EXPIRY="7d"
 # Cookie signing secret (separate from JWT for defense-in-depth)
 # Optional: defaults to JWT_SECRET if not set
 # For production: generate a separate secret: openssl rand -base64 48
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
 # COOKIE_SECRET="change-this-to-a-different-secret-at-least-32-chars"
 
 # Cookie domain for cross-origin deployments

package/template/server/.env.example.production

@@ -3,12 +3,22 @@
 # ===================================================================
 # This file contains production-optimized settings for high-traffic
 # deployments (10K-100K users/day). Copy to .env and customize.
+#
+# COOLIFY DEPLOYMENT NOTE:
+# When adding environment variables in Coolify, do NOT check
+# "Available at Buildtime" for any variable unless explicitly noted.
+# The server Dockerfile handles build-time config internally.
+# Secrets (DATABASE_URL, JWT_SECRET, COOKIE_SECRET, REDIS_URL) must
+# NEVER be available at buildtime — they get baked into the image layer.
+#
 # ===================================================================
 
 # ===================================================================
 # APPLICATION
 # ===================================================================
 
+# COOLIFY: Do NOT check "Available at Buildtime" — the Dockerfile
+# sets NODE_ENV=development during build to ensure devDependencies install.
 NODE_ENV=production
 PORT=3000
 HOST=0.0.0.0
@@ -19,6 +29,7 @@ HOST=0.0.0.0
 
 # Production database connection
 # CRITICAL: Use secure credentials, SSL/TLS, and private network
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
 DATABASE_URL="mysql://prod_user:SECURE_PASSWORD@db.internal:3306/prod_db?ssl=true"
 
 # Connection pool for high traffic (10K-100K users/day)
@@ -33,6 +44,7 @@ DATABASE_POOL_MAX=50
 
 # Production Redis instance
 # CRITICAL: Use authentication and private network
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
 REDIS_URL="redis://:REDIS_PASSWORD@redis.internal:6379"
 
 # Production retry settings
@@ -60,18 +72,30 @@ RATE_LIMIT_AUTH_REGISTER_MAX=5
 # Maximum file upload size in MB
 MAX_FILE_SIZE_MB=10
 
+# COOLIFY PERSISTENT STORAGE (required for uploads to survive redeployments):
+# Go to your service in Coolify → Storages → Add Volume Mount:
+#   Name:             uploads (or <project-name>-uploads)
+#   Source Path:      (leave empty — Coolify manages the Docker volume)
+#   Destination Path: /app/uploads
+# Without this, all uploaded files are lost on every redeployment.
+
 # ===================================================================
 # JWT AUTHENTICATION
 # ===================================================================
 
 # CRITICAL: Generate a cryptographically secure secret
 # Example: openssl rand -base64 48
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
 JWT_SECRET="YOUR_PRODUCTION_JWT_SECRET_MUST_BE_AT_LEAST_32_CHARS_LONG"
 
 # Production token expiry (tighter security)
 JWT_ACCESS_EXPIRY="15m"
 JWT_REFRESH_EXPIRY="7d"
 
+# Cookie signing secret (separate from JWT for defense-in-depth)
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
+COOKIE_SECRET="YOUR_PRODUCTION_COOKIE_SECRET_MUST_BE_AT_LEAST_32_CHARS"
+
 # ===================================================================
 # CORS
 # ===================================================================
@@ -118,3 +142,5 @@ SENTRY_DSN="https://YOUR_PUBLIC_KEY@o0.ingest.sentry.io/YOUR_PROJECT_ID"
 # [ ] All secrets are stored in environment variables, not in code
 # [ ] SSL/TLS certificates are configured
 # [ ] Firewall rules restrict access to database and Redis
+# [ ] In Coolify: NO secrets have "Available at Buildtime" checked
+# [ ] In Coolify: NODE_ENV does NOT have "Available at Buildtime" checked

package/template/server/Dockerfile

@@ -28,6 +28,11 @@ RUN if [ -f pnpm-lock.yaml ]; then \
 # ===================================================================
 FROM node:20-alpine AS builder
 
+# Override NODE_ENV to ensure devDependencies are installed.
+# Coolify may inject NODE_ENV=production as a build arg, which causes npm ci
+# to skip devDependencies (typescript, @types/node, etc.) and break the build.
+ENV NODE_ENV=development
+
 WORKDIR /app
 
 # Copy package files and install ALL dependencies (including dev)
@@ -77,6 +82,9 @@ COPY --from=builder --chown=nodejs:nodejs /app/package.json ./package.json
 # Copy Prisma files (needed for migrations)
 COPY --from=builder --chown=nodejs:nodejs /app/prisma ./prisma
 
+# Create uploads directory with correct ownership (must be before USER nodejs)
+RUN mkdir -p /app/uploads && chown nodejs:nodejs /app/uploads
+
 # Switch to non-root user
 USER nodejs
 

package/template/server/package.json

@@ -6,7 +6,7 @@
   "main": "dist/server.js",
   "scripts": {
     "dev": "tsx watch src/server.ts",
-    "build": "tsc && tsc-alias",
+    "build": "tsc -p tsconfig.build.json && tsc-alias -p tsconfig.build.json",
     "start": "node dist/server.js",
     "test": "vitest run",
     "test:watch": "vitest",

package/template/server/src/server.ts

@@ -13,7 +13,7 @@ async function start(): Promise<void> {
     if (isShuttingDown) return; // Prevent multiple shutdown attempts
     isShuttingDown = true;
 
-    logger.info(`[SERVER] Received ${signal} — shutting down gracefully`);
+    logger.info(`[SERVER] Received ${signal} - shutting down gracefully`);
     try {
       if (app) {
         await app.close();

package/template/server/tsconfig.build.json

@@ -0,0 +1,4 @@
+{
+  "extends": "./tsconfig.json",
+  "exclude": ["node_modules", "dist", "src/test", "src/**/*.test.ts", "src/**/*.spec.ts"]
+}

package/template/server/tsconfig.json

@@ -14,6 +14,7 @@
     "outDir": "dist",
     "rootDir": "src",
     "baseUrl": ".",
+    "types": ["node"],
     "paths": {
       "@/*": ["./src/*"],
       "@modules/*": ["./src/modules/*"],