create-tigra 2.8.0 → 3.0.0

package/template/client/package.json

@@ -7,6 +7,7 @@
     "build": "next build",
     "start": "next start",
     "lint": "eslint src/",
+    "typecheck": "tsc --noEmit",
     "generate:env": "node -e \"import('fs').then(f=>{if(f.existsSync('.env'))console.log('.env already exists, skipping');else{f.copyFileSync('.env.example','.env');console.log('.env created from .env.example')}})\""
   },
   "dependencies": {
@@ -17,7 +18,7 @@
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "lucide-react": "^0.563.0",
-    "next": "16.1.6",
+    "next": "16.2.9",
     "next-themes": "^0.4.6",
     "radix-ui": "^1.4.3",
     "react": "19.2.3",
@@ -38,7 +39,7 @@
     "@types/react": "^19",
     "@types/react-dom": "^19",
     "eslint": "^9",
-    "eslint-config-next": "16.1.6",
+    "eslint-config-next": "16.2.9",
     "shadcn": "^3.8.4",
     "tailwindcss": "^4",
     "tw-animate-css": "^1.4.0",

package/template/client/src/components/common/SafeImage.tsx

@@ -36,12 +36,13 @@ function isLoopbackUrl(src: ImageProps['src']): boolean {
   }
 }
 
-export const SafeImage = (props: ImageProps): React.ReactElement => {
+export const SafeImage = ({ alt, ...props }: ImageProps): React.ReactElement => {
   const shouldSkipOptimization = isLoopbackUrl(props.src);
 
   return (
     <Image
       {...props}
+      alt={alt}
       unoptimized={props.unoptimized || shouldSkipOptimization}
     />
   );

package/template/client/src/lib/api/axios.config.ts

@@ -108,15 +108,30 @@ apiClient.interceptors.response.use(
         refreshError.response.status < 500;
 
       if (isAuthFailure) {
-        // Trip the circuit breaker FIRST — prevents any subsequent 401s
-        // from re-entering this flow while the redirect is pending.
-        isSessionDead = true;
+        // The bootstrap probe (AuthInitializer's getMe) runs on EVERY page,
+        // including public ones. For an anonymous visitor, getMe 401 →
+        // refresh 401 is the NORMAL "not logged in" outcome — not a dead
+        // session. The probe must fail silently to "anonymous": clear any
+        // stale Redux state, but never trip the circuit breaker, clear the
+        // session cookie, or hard-redirect a visitor off a public page.
+        // (On protected pages, AuthInitializer handles the redirect itself.)
+        // Note: a genuine request queued behind a probe-initiated refresh is
+        // rejected via processQueue without tripping the breaker or
+        // redirecting — AuthInitializer covers the redirect on protected pages.
+        const isBootstrapProbe = originalRequest.url === API_ENDPOINTS.AUTH.ME;
+
+        if (!isBootstrapProbe) {
+          // A genuine authenticated action failed mid-session — the session
+          // is dead. Trip the circuit breaker FIRST — prevents any subsequent
+          // 401s from re-entering this flow while the redirect is pending.
+          isSessionDead = true;
+        }
 
         const { logout } = await import('@/features/auth/store/authSlice');
         const { store } = await import('@/store');
         store.dispatch(logout());
 
-        if (typeof window !== 'undefined') {
+        if (!isBootstrapProbe && typeof window !== 'undefined') {
           // Clear session indicator so middleware won't let user through
           // to protected pages — prevents redirect loops
           document.cookie = 'auth_session=; Max-Age=0; path=/; SameSite=Strict';

package/template/client/src/middleware.ts

@@ -16,6 +16,13 @@ function isTokenExpired(token: string): boolean {
 
 export function middleware(request: NextRequest): NextResponse {
   const { pathname } = request.nextUrl;
+
+  // NOTE: This middleware only checks COOKIE PRESENCE (and a best-effort,
+  // unverified exp claim) for UX-level routing — redirecting users who are
+  // obviously logged out away from protected pages. It does NOT verify the
+  // JWT signature and is NOT a security boundary. Real authorization happens
+  // server-side on every API call; a forged cookie gets past this middleware
+  // but every API request it makes will be rejected with 401/403.
   const accessToken = request.cookies.get('access_token')?.value;
   const authSession = request.cookies.get('auth_session')?.value;
 

package/template/gitignore

@@ -5,6 +5,7 @@ node_modules/
 dist/
 .next/
 out/
+*.tsbuildinfo
 
 # Environment files
 .env

package/template/server/.env.example

@@ -21,6 +21,19 @@ PORT=8000
 # Server host (0.0.0.0 = listen on all interfaces)
 HOST=0.0.0.0
 
+# ===================================================================
+# SERVER TIMEOUTS
+# ===================================================================
+
+# Fastify request timeout in milliseconds (default: 30000 = 30s)
+# Long-running routes (LLM calls, big exports) may need 180000+ (180s).
+# IMPORTANT: the reverse proxy (Nginx/Coolify) timeout must be raised to
+# match, or the proxy cuts the connection before the server does.
+REQUEST_TIMEOUT_MS=30000
+
+# Fastify connection timeout in milliseconds (default: 60000 = 60s)
+CONNECTION_TIMEOUT_MS=60000
+
 # ===================================================================
 # DATABASE CONFIGURATION (MySQL 8.0+)
 # ===================================================================
@@ -67,6 +80,25 @@ RATE_LIMIT_MULTIPLIER=1
 # RATE_LIMIT_AUTH_LOGIN_MAX=10
 # RATE_LIMIT_AUTH_REGISTER_MAX=5
 
+# ===================================================================
+# IP AUTO-BLOCK
+# ===================================================================
+#
+# An IP that exceeds rate limits IP_AUTO_BLOCK_THRESHOLD times within
+# IP_AUTO_BLOCK_WINDOW_SECONDS is blocked for IP_AUTO_BLOCK_DURATION_SECONDS.
+# The threshold targets SUSTAINED abuse — keep it high enough that a
+# retry-looping legitimate client or a NAT'd office sharing one IP cannot
+# self-ban. See src/config/rate-limit.config.ts for the interaction notes.
+
+# Rate-limit violations before an IP is auto-blocked (default: 20)
+IP_AUTO_BLOCK_THRESHOLD=20
+
+# Sliding window for counting violations, in seconds (default: 300 = 5 min)
+IP_AUTO_BLOCK_WINDOW_SECONDS=300
+
+# How long an auto-blocked IP stays blocked, in seconds (default: 3600 = 1 hour)
+IP_AUTO_BLOCK_DURATION_SECONDS=3600
+
 # ===================================================================
 # ACCOUNT ACTIVATION
 # ===================================================================
@@ -183,6 +215,16 @@ CLIENT_URL="http://localhost:3000"
 # Staging: info
 LOG_LEVEL=info
 
+# ===================================================================
+# DATABASE SEEDING (npm run prisma:seed — dev/test only)
+# ===================================================================
+
+# Passwords for the seeded demo accounts (admin@example.com / user@example.com).
+# Optional in development — well-known dev defaults (Admin123! / User123!) are
+# used when unset. The seed script REFUSES to run when NODE_ENV=production.
+# SEED_ADMIN_PASSWORD="choose-a-dev-admin-password"
+# SEED_USER_PASSWORD="choose-a-dev-user-password"
+
 # ===================================================================
 # ERROR TRACKING (Optional)
 # ===================================================================

package/template/server/.env.example.production

@@ -23,6 +23,19 @@ NODE_ENV=production
 PORT=3000
 HOST=0.0.0.0
 
+# ===================================================================
+# SERVER TIMEOUTS
+# ===================================================================
+
+# Fastify request timeout in milliseconds (default: 30000 = 30s)
+# Long-running routes (LLM calls, big exports) may need 180000+ (180s).
+# CRITICAL: the reverse proxy (Nginx/Coolify) timeout must be raised to
+# match, or the proxy cuts the connection before the server does.
+REQUEST_TIMEOUT_MS=30000
+
+# Fastify connection timeout in milliseconds (default: 60000 = 60s)
+CONNECTION_TIMEOUT_MS=60000
+
 # ===================================================================
 # DATABASE (MySQL 8.0+)
 # ===================================================================
@@ -65,6 +78,22 @@ RATE_LIMIT_MULTIPLIER=1
 RATE_LIMIT_AUTH_LOGIN_MAX=10
 RATE_LIMIT_AUTH_REGISTER_MAX=5
 
+# ===================================================================
+# IP AUTO-BLOCK
+# ===================================================================
+
+# Rate-limit violations before an IP is auto-blocked for every route.
+# Keep HIGH enough that a retry-looping legitimate client or a NAT'd
+# office sharing one egress IP cannot self-ban (sustained abuse only).
+# See src/config/rate-limit.config.ts before lowering.
+IP_AUTO_BLOCK_THRESHOLD=20
+
+# Sliding window for counting violations, in seconds (5 minutes)
+IP_AUTO_BLOCK_WINDOW_SECONDS=300
+
+# How long an auto-blocked IP stays blocked, in seconds (1 hour)
+IP_AUTO_BLOCK_DURATION_SECONDS=3600
+
 # ===================================================================
 # ACCOUNT ACTIVATION
 # ===================================================================
@@ -142,6 +171,17 @@ CLIENT_URL="https://yourdomain.com"
 # Use warn to reduce costs in high-traffic scenarios
 LOG_LEVEL=info
 
+# ===================================================================
+# DATABASE SEEDING
+# ===================================================================
+
+# DO NOT SEED PRODUCTION. The seed script (npm run prisma:seed) creates
+# well-known demo accounts (admin@example.com) and hard-refuses to run when
+# NODE_ENV=production. These variables exist only to keep .env files in sync
+# across environments — leave them commented out in production.
+# SEED_ADMIN_PASSWORD=
+# SEED_USER_PASSWORD=
+
 # ===================================================================
 # ERROR TRACKING
 # ===================================================================

package/template/server/Dockerfile

@@ -23,6 +23,18 @@ RUN if [ -f pnpm-lock.yaml ]; then \
       npm ci --omit=dev; \
     fi
 
+# Add the Prisma CLI to the production node_modules so the runtime image can
+# run `npx prisma migrate deploy` at container start (see CMD in stage 3).
+# `prisma` is a devDependency (correct for local dev), so the prod-only install
+# above does NOT include it — without this step, npx would try to download the
+# CLI from the registry on every container boot. Pinned to the exact
+# @prisma/client version the lockfile installed, so CLI and client never drift.
+# --no-save keeps package.json and the lockfile untouched. Because this stage
+# runs on the same Alpine (musl) base as the runtime stage, the engine binaries
+# downloaded here are the correct ones for production.
+RUN npm install --no-save --no-audit --no-fund \
+      "prisma@$(node -p "require('@prisma/client/package.json').version")"
+
 # ===================================================================
 # Stage 2: Build (compile TypeScript)
 # ===================================================================
@@ -69,7 +81,9 @@ RUN addgroup -g 1001 -S nodejs && \
 
 WORKDIR /app
 
-# Copy production dependencies from dependencies stage
+# Copy production dependencies from dependencies stage.
+# Includes the Prisma CLI (+ its engines) installed in stage 1, which the
+# CMD below needs for `npx prisma migrate deploy`.
 COPY --from=dependencies --chown=nodejs:nodejs /app/node_modules ./node_modules
 
 # Copy generated Prisma client from builder stage (not present in prod deps)
@@ -91,12 +105,22 @@ USER nodejs
 # Expose port (matches default PORT in env.ts; override via PORT env var)
 EXPOSE 8000
 
-# Health check for container orchestration
-HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
+# Health check for container orchestration.
+# start-period is 60s because CMD runs `prisma migrate deploy` BEFORE the server
+# starts listening — a slow migration must not be counted as unhealthy, or
+# Coolify restart-loops the container mid-migration.
+HEALTHCHECK --interval=30s --timeout=3s --start-period=60s --retries=3 \
   CMD node -e "const p=process.env.PORT||8000;require('http').get('http://localhost:'+p+'/api/v1/live',(r)=>{process.exit(r.statusCode===200?0:1)})"
 
 # Use dumb-init to handle signals properly
 ENTRYPOINT ["dumb-init", "--"]
 
-# Start the application
-CMD ["node", "dist/server.js"]
+# Start the application — apply any pending Prisma migrations first, then boot.
+# Runs inside Coolify on every container start, where DATABASE_URL is reachable
+# (it isn't from CI, which is why migrations belong here and not in a workflow).
+# `migrate deploy` is idempotent: it applies only pending migrations and exits 0
+# when there is nothing to do. Requirements, all satisfied above:
+#   - prisma CLI in ./node_modules (installed in stage 1, copied with node_modules)
+#   - ./prisma/schema.prisma + ./prisma/migrations (copied from builder)
+# `exec` replaces the shell so node receives signals from dumb-init directly.
+CMD ["sh", "-c", "npx prisma migrate deploy && exec node dist/server.js"]

package/template/server/docker-compose.yml

@@ -1,5 +1,14 @@
 # WARNING: These credentials are for LOCAL DEVELOPMENT ONLY.
 # Change all passwords and secrets before using in any shared or production environment.
+#
+# Security posture:
+# - All published ports are bound to 127.0.0.1 — nothing is reachable from the
+#   network (an unpassworded Redis or root-password MySQL on 0.0.0.0 is an open
+#   door on shared networks/VPS dev boxes). Don't remove the 127.0.0.1 prefix.
+# - The admin UIs (phpMyAdmin, Redis Commander) are behind the "tools" profile
+#   and do NOT start by default:
+#     docker compose up -d                  → MySQL + Redis only
+#     docker compose --profile tools up -d  → also phpMyAdmin + Redis Commander
 
 name: {{PROJECT_NAME}}
 
@@ -9,7 +18,7 @@ services:
     container_name: {{PROJECT_NAME}}-mysql
     restart: unless-stopped
     ports:
-      - '${MYSQL_PORT:-{{MYSQL_PORT}}}:3306'
+      - '127.0.0.1:${MYSQL_PORT:-{{MYSQL_PORT}}}:3306'
     environment:
       MYSQL_ROOT_PASSWORD: rootpassword
       MYSQL_DATABASE: {{DATABASE_NAME}}
@@ -27,8 +36,9 @@ services:
     image: phpmyadmin:latest
     container_name: {{PROJECT_NAME}}-phpmyadmin
     restart: unless-stopped
+    profiles: ["tools"]
     ports:
-      - '${PHPMYADMIN_PORT:-{{PHPMYADMIN_PORT}}}:80'
+      - '127.0.0.1:${PHPMYADMIN_PORT:-{{PHPMYADMIN_PORT}}}:80'
     environment:
       PMA_HOST: mysql
       PMA_PORT: 3306
@@ -48,7 +58,7 @@ services:
     container_name: {{PROJECT_NAME}}-redis
     restart: unless-stopped
     ports:
-      - '${REDIS_PORT:-{{REDIS_PORT}}}:6379'
+      - '127.0.0.1:${REDIS_PORT:-{{REDIS_PORT}}}:6379'
     volumes:
       - redis_data:/data
     networks:
@@ -63,8 +73,9 @@ services:
     image: rediscommander/redis-commander:latest
     container_name: {{PROJECT_NAME}}-redis-commander
     restart: unless-stopped
+    profiles: ["tools"]
     ports:
-      - '${REDIS_COMMANDER_PORT:-{{REDIS_COMMANDER_PORT}}}:8081'
+      - '127.0.0.1:${REDIS_COMMANDER_PORT:-{{REDIS_COMMANDER_PORT}}}:8081'
     environment:
       REDIS_HOSTS: local:redis:6379
     depends_on: