create-tigra 2.8.0 → 3.0.2

package/template/client/package.json

@@ -7,6 +7,7 @@
     "build": "next build",
     "start": "next start",
     "lint": "eslint src/",
+    "typecheck": "tsc --noEmit",
     "generate:env": "node -e \"import('fs').then(f=>{if(f.existsSync('.env'))console.log('.env already exists, skipping');else{f.copyFileSync('.env.example','.env');console.log('.env created from .env.example')}})\""
   },
   "dependencies": {
@@ -17,7 +18,7 @@
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "lucide-react": "^0.563.0",
-    "next": "16.1.6",
+    "next": "16.2.9",
     "next-themes": "^0.4.6",
     "radix-ui": "^1.4.3",
     "react": "19.2.3",
@@ -38,7 +39,7 @@
     "@types/react": "^19",
     "@types/react-dom": "^19",
     "eslint": "^9",
-    "eslint-config-next": "16.1.6",
+    "eslint-config-next": "16.2.9",
     "shadcn": "^3.8.4",
     "tailwindcss": "^4",
     "tw-animate-css": "^1.4.0",

package/template/client/src/components/common/SafeImage.tsx

@@ -36,12 +36,13 @@ function isLoopbackUrl(src: ImageProps['src']): boolean {
   }
 }
 
-export const SafeImage = (props: ImageProps): React.ReactElement => {
+export const SafeImage = ({ alt, ...props }: ImageProps): React.ReactElement => {
   const shouldSkipOptimization = isLoopbackUrl(props.src);
 
   return (
     <Image
       {...props}
+      alt={alt}
       unoptimized={props.unoptimized || shouldSkipOptimization}
     />
   );

package/template/client/src/lib/api/axios.config.ts

@@ -108,15 +108,30 @@ apiClient.interceptors.response.use(
         refreshError.response.status < 500;
 
       if (isAuthFailure) {
-        // Trip the circuit breaker FIRST — prevents any subsequent 401s
-        // from re-entering this flow while the redirect is pending.
-        isSessionDead = true;
+        // The bootstrap probe (AuthInitializer's getMe) runs on EVERY page,
+        // including public ones. For an anonymous visitor, getMe 401 →
+        // refresh 401 is the NORMAL "not logged in" outcome — not a dead
+        // session. The probe must fail silently to "anonymous": clear any
+        // stale Redux state, but never trip the circuit breaker, clear the
+        // session cookie, or hard-redirect a visitor off a public page.
+        // (On protected pages, AuthInitializer handles the redirect itself.)
+        // Note: a genuine request queued behind a probe-initiated refresh is
+        // rejected via processQueue without tripping the breaker or
+        // redirecting — AuthInitializer covers the redirect on protected pages.
+        const isBootstrapProbe = originalRequest.url === API_ENDPOINTS.AUTH.ME;
+
+        if (!isBootstrapProbe) {
+          // A genuine authenticated action failed mid-session — the session
+          // is dead. Trip the circuit breaker FIRST — prevents any subsequent
+          // 401s from re-entering this flow while the redirect is pending.
+          isSessionDead = true;
+        }
 
         const { logout } = await import('@/features/auth/store/authSlice');
         const { store } = await import('@/store');
         store.dispatch(logout());
 
-        if (typeof window !== 'undefined') {
+        if (!isBootstrapProbe && typeof window !== 'undefined') {
           // Clear session indicator so middleware won't let user through
           // to protected pages — prevents redirect loops
           document.cookie = 'auth_session=; Max-Age=0; path=/; SameSite=Strict';

package/template/client/src/middleware.ts

@@ -16,6 +16,13 @@ function isTokenExpired(token: string): boolean {
 
 export function middleware(request: NextRequest): NextResponse {
   const { pathname } = request.nextUrl;
+
+  // NOTE: This middleware only checks COOKIE PRESENCE (and a best-effort,
+  // unverified exp claim) for UX-level routing — redirecting users who are
+  // obviously logged out away from protected pages. It does NOT verify the
+  // JWT signature and is NOT a security boundary. Real authorization happens
+  // server-side on every API call; a forged cookie gets past this middleware
+  // but every API request it makes will be rejected with 401/403.
   const accessToken = request.cookies.get('access_token')?.value;
   const authSession = request.cookies.get('auth_session')?.value;
 

package/template/gitignore

@@ -5,6 +5,7 @@ node_modules/
 dist/
 .next/
 out/
+*.tsbuildinfo
 
 # Environment files
 .env

package/template/server/.env.example

@@ -1,194 +1,248 @@
-# ===================================================================
-# APPLICATION CONFIGURATION
-# ===================================================================
-#
-# COOLIFY DEPLOYMENT NOTE:
-# When adding environment variables in Coolify, do NOT check
-# "Available at Buildtime" for any variable unless explicitly noted.
-# The server Dockerfile handles build-time config internally.
-# All variables below are RUNTIME-ONLY unless marked otherwise.
-#
-# ===================================================================
-
-# Environment: development | production | test
-# COOLIFY: Do NOT check "Available at Buildtime" — the Dockerfile
-# sets NODE_ENV=development during build to ensure devDependencies install.
-NODE_ENV=development
-
-# Server port (default: 8000)
-PORT=8000
-
-# Server host (0.0.0.0 = listen on all interfaces)
-HOST=0.0.0.0
-
-# ===================================================================
-# DATABASE CONFIGURATION (MySQL 8.0+)
-# ===================================================================
-
-# Database connection string
-# Format: mysql://username:password@host:port/database
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
-DATABASE_URL="mysql://root:rootpassword@localhost:{{MYSQL_PORT}}/{{DATABASE_NAME}}"
-
-# Connection pool settings (for high-traffic production)
-# Min connections: 2-5 for low traffic, 5-10 for medium, 10-20 for high
-# Max connections: 10 for dev, 20-50 for production (10K-100K users/day)
-DATABASE_POOL_MIN=2
-DATABASE_POOL_MAX=10
-
-# ===================================================================
-# REDIS CONFIGURATION
-# ===================================================================
-
-# Redis connection URL
-# Format: redis://[:password@]host:port[/database]
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
-REDIS_URL="redis://localhost:{{REDIS_PORT}}"
-
-# Max retry attempts for failed Redis operations
-REDIS_MAX_RETRIES=3
-
-# Connection timeout in milliseconds
-REDIS_CONNECT_TIMEOUT=10000
-
-# ===================================================================
-# RATE LIMITING
-# ===================================================================
-
-# Master switch to enable/disable rate limiting (default: true)
-# Set to false in development to disable all rate limits
-RATE_LIMIT_ENABLED=true
-
-# Multiply all rate limit max values by this factor (default: 1)
-# Set to 10 in development for 10x headroom, or 0.5 for tighter limits
-RATE_LIMIT_MULTIPLIER=1
-
-# Optional: Override specific critical route limits (uses defaults if not set)
-# RATE_LIMIT_AUTH_LOGIN_MAX=10
-# RATE_LIMIT_AUTH_REGISTER_MAX=5
-
-# ===================================================================
-# ACCOUNT ACTIVATION
-# ===================================================================
-
-# When true (default), new users are created as inactive and must
-# verify their account before they can log in.
-# When false, users are active immediately after registration.
-# NOTE: When this variable is not provided, users are NOT activated
-# by default — you must explicitly set it to false to skip verification.
-REQUIRE_USER_VERIFICATION=true
-
-# ===================================================================
-# FILE UPLOAD
-# ===================================================================
-
-# Maximum file upload size in MB (default: 10)
-MAX_FILE_SIZE_MB=10
-
-# COOLIFY PERSISTENT STORAGE (required for uploads to survive redeployments):
-# Go to your service in Coolify → Storages → Add Volume Mount:
-#   Name:             uploads (or <project-name>-uploads)
-#   Source Path:      (leave empty — Coolify manages the Docker volume)
-#   Destination Path: /app/uploads
-# Without this, all uploaded files are lost on every redeployment.
-
-# ===================================================================
-# DOCKER PORTS — LOCAL DEVELOPMENT ONLY
-# ===================================================================
-#
-# These ports are used by docker-compose to expose MySQL, Redis, and
-# their admin UIs on your local machine. They are NOT needed in
-# production — production connects via DATABASE_URL and REDIS_URL
-# (typically over a private network), not through exposed ports.
-#
-# Change these if they conflict with other services on your machine.
-
-MYSQL_PORT={{MYSQL_PORT}}
-PHPMYADMIN_PORT={{PHPMYADMIN_PORT}}
-REDIS_PORT={{REDIS_PORT}}
-REDIS_COMMANDER_PORT={{REDIS_COMMANDER_PORT}}
-
-# ===================================================================
-# JWT AUTHENTICATION
-# ===================================================================
-
-# JWT secret key (MUST be at least 32 characters)
-# CRITICAL: Generate a strong random secret for production!
-# Example: openssl rand -base64 48
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
-JWT_SECRET="{{JWT_SECRET}}"
-
-# Access token expiry (short-lived)
-# Format: 1s, 1m, 1h, 1d (default: 15m)
-JWT_ACCESS_EXPIRY="15m"
-
-# Refresh token expiry (long-lived)
-# Format: 1s, 1m, 1h, 1d (default: 7d)
-JWT_REFRESH_EXPIRY="7d"
-
-# Cookie signing secret (separate from JWT for defense-in-depth)
-# Optional: defaults to JWT_SECRET if not set
-# For production: generate a separate secret: openssl rand -base64 48
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
-# COOKIE_SECRET="change-this-to-a-different-secret-at-least-32-chars"
-
-# Cookie domain for cross-origin deployments
-# REQUIRED when client and API are on different subdomains:
-#   Client: https://app.example.com  |  API: https://api.example.com
-#   → Set COOKIE_DOMAIN=".example.com" (note the leading dot)
-# NOT needed when client and API share the same hostname (local dev, same-origin prod)
-# Without this, cookies are scoped to the API hostname only and the browser
-# will silently reject them on cross-origin requests (login appears to do nothing).
-# COOKIE_DOMAIN=".example.com"
-
-# ===================================================================
-# CORS (Cross-Origin Resource Sharing)
-# ===================================================================
-
-# Allowed origins for CORS
-# Development: Optional (allows all origins for easier local dev)
-# Production: REQUIRED (must be your frontend URL for security)
-# Multiple origins: Separate with commas
-# Examples:
-#   Single origin: CORS_ORIGIN="https://myapp.com"
-#   Multiple origins: CORS_ORIGIN="https://myapp.com,https://app.myapp.com"
-#   Local dev: CORS_ORIGIN="http://localhost:3001"
-# CORS_ORIGIN="http://localhost:3001"
-
-# ===================================================================
-# EMAIL (Resend)
-# ===================================================================
-
-# Resend API key for transactional emails (password reset, verification, etc.)
-# Get your API key from: https://resend.com/api-keys
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
-RESEND_API_KEY="re_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-
-# Sender email address
-# Development: Use Resend's test address (onboarding@resend.dev) — delivers to your Resend dashboard
-# Production: Use a verified domain email (e.g., noreply@yourdomain.com)
-RESEND_FROM_EMAIL="onboarding@resend.dev"
-
-# Frontend URL used to build links in emails (e.g., password reset links)
-# Must match the URL where your Next.js client is running
-CLIENT_URL="http://localhost:3000"
-
-# ===================================================================
-# LOGGING
-# ===================================================================
-
-# Log level: fatal | error | warn | info | debug | trace
-# Production: info or warn (reduces noise)
-# Development: debug (verbose logging)
-# Staging: info
-LOG_LEVEL=info
-
-# ===================================================================
-# ERROR TRACKING (Optional)
-# ===================================================================
-
-# Sentry DSN for error tracking and monitoring
-# Get your DSN from: https://sentry.io/settings/projects/
-# Leave empty to disable Sentry
-# Example: SENTRY_DSN="https://examplePublicKey@o0.ingest.sentry.io/0"
-# SENTRY_DSN=""
+# ===================================================================
+# APPLICATION CONFIGURATION
+# ===================================================================
+#
+# COOLIFY DEPLOYMENT NOTE:
+# When adding environment variables in Coolify, do NOT check
+# "Available at Buildtime" for any variable unless explicitly noted.
+# The server Dockerfile handles build-time config internally.
+# All variables below are RUNTIME-ONLY unless marked otherwise.
+#
+# ===================================================================
+
+# Environment: development | production | test
+# COOLIFY: Do NOT check "Available at Buildtime" — the Dockerfile
+# sets NODE_ENV=development during build to ensure devDependencies install.
+NODE_ENV=development
+
+# Server port (default: 8000)
+PORT=8000
+
+# Server host (0.0.0.0 = listen on all interfaces)
+HOST=0.0.0.0
+
+# ===================================================================
+# SERVER TIMEOUTS
+# ===================================================================
+
+# Fastify request timeout in milliseconds (default: 30000 = 30s)
+# Long-running routes (LLM calls, big exports) may need 180000+ (180s).
+# IMPORTANT: the reverse proxy (Nginx/Coolify) timeout must be raised to
+# match, or the proxy cuts the connection before the server does.
+REQUEST_TIMEOUT_MS=30000
+
+# Fastify connection timeout in milliseconds (default: 60000 = 60s)
+CONNECTION_TIMEOUT_MS=60000
+
+# ===================================================================
+# DATABASE CONFIGURATION (MySQL 8.0+)
+# ===================================================================
+
+# Database connection string
+# Format: mysql://username:password@host:port/database
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
+DATABASE_URL="mysql://root:rootpassword@localhost:{{MYSQL_PORT}}/{{DATABASE_NAME}}"
+
+# Connection pool settings (for high-traffic production)
+# Min connections: 2-5 for low traffic, 5-10 for medium, 10-20 for high
+# Max connections: 10 for dev, 20-50 for production (10K-100K users/day)
+DATABASE_POOL_MIN=2
+DATABASE_POOL_MAX=10
+
+# ===================================================================
+# REDIS CONFIGURATION
+# ===================================================================
+
+# Redis connection URL
+# Format: redis://[:password@]host:port[/database]
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
+REDIS_URL="redis://localhost:{{REDIS_PORT}}"
+
+# Max retry attempts for failed Redis operations
+REDIS_MAX_RETRIES=3
+
+# Connection timeout in milliseconds
+REDIS_CONNECT_TIMEOUT=10000
+
+# ===================================================================
+# RATE LIMITING
+# ===================================================================
+
+# Master switch to enable/disable rate limiting (default: true)
+# Set to false in development to disable all rate limits
+RATE_LIMIT_ENABLED=true
+
+# Multiply all rate limit max values by this factor (default: 1)
+# Set to 10 in development for 10x headroom, or 0.5 for tighter limits
+RATE_LIMIT_MULTIPLIER=1
+
+# Optional: Override specific critical route limits (uses defaults if not set)
+# RATE_LIMIT_AUTH_LOGIN_MAX=10
+# RATE_LIMIT_AUTH_REGISTER_MAX=5
+
+# Trust Cloudflare's CF-Connecting-IP header for the real client IP (default: false)
+# Used ONLY for rate-limiting and IP auto-block decisions. Behind Cloudflare,
+# request.ip is a CF edge IP — without this, all users behind one edge collapse
+# onto a single IP and can rate-limit or auto-ban each other.
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
+# SECURITY: the header is client-spoofable. Set true ONLY when the origin
+# accepts traffic exclusively via Cloudflare (direct origin access is blocked).
+# Note: the left-most X-Forwarded-For entry is now trusted as the client IP
+# regardless of this flag (covers grey-cloud / DNS-only), so the origin must be
+# proxy-locked (firewall direct access) in production either way.
+TRUST_CLOUDFLARE=false
+
+# ===================================================================
+# IP AUTO-BLOCK
+# ===================================================================
+#
+# An IP that exceeds rate limits IP_AUTO_BLOCK_THRESHOLD times within
+# IP_AUTO_BLOCK_WINDOW_SECONDS is blocked for IP_AUTO_BLOCK_DURATION_SECONDS.
+# The threshold targets SUSTAINED abuse — keep it high enough that a
+# retry-looping legitimate client or a NAT'd office sharing one IP cannot
+# self-ban. See src/config/rate-limit.config.ts for the interaction notes.
+
+# Rate-limit violations before an IP is auto-blocked (default: 20)
+IP_AUTO_BLOCK_THRESHOLD=20
+
+# Sliding window for counting violations, in seconds (default: 300 = 5 min)
+IP_AUTO_BLOCK_WINDOW_SECONDS=300
+
+# How long an auto-blocked IP stays blocked, in seconds (default: 3600 = 1 hour)
+IP_AUTO_BLOCK_DURATION_SECONDS=3600
+
+# ===================================================================
+# ACCOUNT ACTIVATION
+# ===================================================================
+
+# When true (default), new users are created as inactive and must
+# verify their account before they can log in.
+# When false, users are active immediately after registration.
+# NOTE: When this variable is not provided, users are NOT activated
+# by default — you must explicitly set it to false to skip verification.
+REQUIRE_USER_VERIFICATION=true
+
+# ===================================================================
+# FILE UPLOAD
+# ===================================================================
+
+# Maximum file upload size in MB (default: 10)
+MAX_FILE_SIZE_MB=10
+
+# COOLIFY PERSISTENT STORAGE (required for uploads to survive redeployments):
+# Go to your service in Coolify → Storages → Add Volume Mount:
+#   Name:             uploads (or <project-name>-uploads)
+#   Source Path:      (leave empty — Coolify manages the Docker volume)
+#   Destination Path: /app/uploads
+# Without this, all uploaded files are lost on every redeployment.
+
+# ===================================================================
+# DOCKER PORTS — LOCAL DEVELOPMENT ONLY
+# ===================================================================
+#
+# These ports are used by docker-compose to expose MySQL, Redis, and
+# their admin UIs on your local machine. They are NOT needed in
+# production — production connects via DATABASE_URL and REDIS_URL
+# (typically over a private network), not through exposed ports.
+#
+# Change these if they conflict with other services on your machine.
+
+MYSQL_PORT={{MYSQL_PORT}}
+PHPMYADMIN_PORT={{PHPMYADMIN_PORT}}
+REDIS_PORT={{REDIS_PORT}}
+REDIS_COMMANDER_PORT={{REDIS_COMMANDER_PORT}}
+
+# ===================================================================
+# JWT AUTHENTICATION
+# ===================================================================
+
+# JWT secret key (MUST be at least 32 characters)
+# CRITICAL: Generate a strong random secret for production!
+# Example: openssl rand -base64 48
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
+JWT_SECRET="{{JWT_SECRET}}"
+
+# Access token expiry (short-lived)
+# Format: 1s, 1m, 1h, 1d (default: 15m)
+JWT_ACCESS_EXPIRY="15m"
+
+# Refresh token expiry (long-lived)
+# Format: 1s, 1m, 1h, 1d (default: 7d)
+JWT_REFRESH_EXPIRY="7d"
+
+# Cookie signing secret (separate from JWT for defense-in-depth)
+# Optional: defaults to JWT_SECRET if not set
+# For production: generate a separate secret: openssl rand -base64 48
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
+# COOKIE_SECRET="change-this-to-a-different-secret-at-least-32-chars"
+
+# Cookie domain for cross-origin deployments
+# REQUIRED when client and API are on different subdomains:
+#   Client: https://app.example.com  |  API: https://api.example.com
+#   → Set COOKIE_DOMAIN=".example.com" (note the leading dot)
+# NOT needed when client and API share the same hostname (local dev, same-origin prod)
+# Without this, cookies are scoped to the API hostname only and the browser
+# will silently reject them on cross-origin requests (login appears to do nothing).
+# COOKIE_DOMAIN=".example.com"
+
+# ===================================================================
+# CORS (Cross-Origin Resource Sharing)
+# ===================================================================
+
+# Allowed origins for CORS
+# Development: Optional (allows all origins for easier local dev)
+# Production: REQUIRED (must be your frontend URL for security)
+# Multiple origins: Separate with commas
+# Examples:
+#   Single origin: CORS_ORIGIN="https://myapp.com"
+#   Multiple origins: CORS_ORIGIN="https://myapp.com,https://app.myapp.com"
+#   Local dev: CORS_ORIGIN="http://localhost:3001"
+# CORS_ORIGIN="http://localhost:3001"
+
+# ===================================================================
+# EMAIL (Resend)
+# ===================================================================
+
+# Resend API key for transactional emails (password reset, verification, etc.)
+# Get your API key from: https://resend.com/api-keys
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
+RESEND_API_KEY="re_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+# Sender email address
+# Development: Use Resend's test address (onboarding@resend.dev) — delivers to your Resend dashboard
+# Production: Use a verified domain email (e.g., noreply@yourdomain.com)
+RESEND_FROM_EMAIL="onboarding@resend.dev"
+
+# Frontend URL used to build links in emails (e.g., password reset links)
+# Must match the URL where your Next.js client is running
+CLIENT_URL="http://localhost:3000"
+
+# ===================================================================
+# LOGGING
+# ===================================================================
+
+# Log level: fatal | error | warn | info | debug | trace
+# Production: info or warn (reduces noise)
+# Development: debug (verbose logging)
+# Staging: info
+LOG_LEVEL=info
+
+# ===================================================================
+# DATABASE SEEDING (npm run prisma:seed — dev/test only)
+# ===================================================================
+
+# Passwords for the seeded demo accounts (admin@example.com / user@example.com).
+# Optional in development — well-known dev defaults (Admin123! / User123!) are
+# used when unset. The seed script REFUSES to run when NODE_ENV=production.
+# SEED_ADMIN_PASSWORD="choose-a-dev-admin-password"
+# SEED_USER_PASSWORD="choose-a-dev-user-password"
+
+# ===================================================================
+# ERROR TRACKING (Optional)
+# ===================================================================
+
+# Sentry DSN for error tracking and monitoring
+# Get your DSN from: https://sentry.io/settings/projects/
+# Leave empty to disable Sentry
+# Example: SENTRY_DSN="https://examplePublicKey@o0.ingest.sentry.io/0"
+# SENTRY_DSN=""