create-tigra 2.8.0 → 3.0.2

package/template/server/.env.example.production

@@ -1,168 +1,221 @@
-# ===================================================================
-# PRODUCTION ENVIRONMENT CONFIGURATION
-# ===================================================================
-# This file contains production-optimized settings for high-traffic
-# deployments (10K-100K users/day). Copy to .env and customize.
-#
-# COOLIFY DEPLOYMENT NOTE:
-# When adding environment variables in Coolify, do NOT check
-# "Available at Buildtime" for any variable unless explicitly noted.
-# The server Dockerfile handles build-time config internally.
-# Secrets (DATABASE_URL, JWT_SECRET, COOKIE_SECRET, REDIS_URL) must
-# NEVER be available at buildtime — they get baked into the image layer.
-#
-# ===================================================================
-
-# ===================================================================
-# APPLICATION
-# ===================================================================
-
-# COOLIFY: Do NOT check "Available at Buildtime" — the Dockerfile
-# sets NODE_ENV=development during build to ensure devDependencies install.
-NODE_ENV=production
-PORT=3000
-HOST=0.0.0.0
-
-# ===================================================================
-# DATABASE (MySQL 8.0+)
-# ===================================================================
-
-# Production database connection
-# CRITICAL: Use secure credentials, SSL/TLS, and private network
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
-DATABASE_URL="mysql://prod_user:SECURE_PASSWORD@db.internal:3306/prod_db?ssl=true"
-
-# Connection pool for high traffic (10K-100K users/day)
-# Recommended: 20-50 connections for production
-# Monitor and adjust based on load testing results
-DATABASE_POOL_MIN=10
-DATABASE_POOL_MAX=50
-
-# ===================================================================
-# REDIS
-# ===================================================================
-
-# Production Redis instance
-# CRITICAL: Use authentication and private network
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
-REDIS_URL="redis://:REDIS_PASSWORD@redis.internal:6379"
-
-# Production retry settings
-REDIS_MAX_RETRIES=5
-REDIS_CONNECT_TIMEOUT=5000
-
-# ===================================================================
-# RATE LIMITING
-# ===================================================================
-
-# Always enabled in production
-RATE_LIMIT_ENABLED=true
-
-# Production: keep at 1 (default limits are tuned for production)
-RATE_LIMIT_MULTIPLIER=1
-
-# Tight limits for sensitive auth routes in production
-RATE_LIMIT_AUTH_LOGIN_MAX=10
-RATE_LIMIT_AUTH_REGISTER_MAX=5
-
-# ===================================================================
-# ACCOUNT ACTIVATION
-# ===================================================================
-
-# Require account verification before users can log in
-# Set to true in production for security
-REQUIRE_USER_VERIFICATION=true
-
-# ===================================================================
-# FILE UPLOAD
-# ===================================================================
-
-# Maximum file upload size in MB
-MAX_FILE_SIZE_MB=10
-
-# COOLIFY PERSISTENT STORAGE (required for uploads to survive redeployments):
-# Go to your service in Coolify → Storages → Add Volume Mount:
-#   Name:             uploads (or <project-name>-uploads)
-#   Source Path:      (leave empty — Coolify manages the Docker volume)
-#   Destination Path: /app/uploads
-# Without this, all uploaded files are lost on every redeployment.
-
-# ===================================================================
-# JWT AUTHENTICATION
-# ===================================================================
-
-# CRITICAL: Generate a cryptographically secure secret
-# Example: openssl rand -base64 48
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
-JWT_SECRET="YOUR_PRODUCTION_JWT_SECRET_MUST_BE_AT_LEAST_32_CHARS_LONG"
-
-# Production token expiry (tighter security)
-JWT_ACCESS_EXPIRY="15m"
-JWT_REFRESH_EXPIRY="7d"
-
-# Cookie signing secret (separate from JWT for defense-in-depth)
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
-COOKIE_SECRET="YOUR_PRODUCTION_COOKIE_SECRET_MUST_BE_AT_LEAST_32_CHARS"
-
-# ===================================================================
-# CORS
-# ===================================================================
-
-# REQUIRED in production - your frontend domain(s)
-# Multiple origins separated by commas
-CORS_ORIGIN="https://yourdomain.com,https://app.yourdomain.com"
-
-# Cookie domain for cross-origin deployments
-# REQUIRED when client and API are on different subdomains:
-#   Client: https://app.example.com  |  API: https://api.example.com
-#   → Set COOKIE_DOMAIN=".example.com" (leading dot = all subdomains)
-# This enables cookies to be shared between client and API subdomains.
-# Without it, login will silently fail (server returns 200 but browser drops cookies).
-COOKIE_DOMAIN=".yourdomain.com"
-
-# ===================================================================
-# EMAIL (Resend)
-# ===================================================================
-
-# Resend API key for transactional emails
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
-RESEND_API_KEY="re_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-
-# Sender email — must be from a verified domain in Resend
-RESEND_FROM_EMAIL="noreply@yourdomain.com"
-
-# Frontend URL for email links (password reset, verification, etc.)
-CLIENT_URL="https://yourdomain.com"
-
-# ===================================================================
-# LOGGING
-# ===================================================================
-
-# Production: info or warn (reduces log volume)
-# Use warn to reduce costs in high-traffic scenarios
-LOG_LEVEL=info
-
-# ===================================================================
-# ERROR TRACKING
-# ===================================================================
-
-# Sentry for production error monitoring
-# Get your DSN from: https://sentry.io/settings/projects/
-SENTRY_DSN="https://YOUR_PUBLIC_KEY@o0.ingest.sentry.io/YOUR_PROJECT_ID"
-
-# ===================================================================
-# PRODUCTION CHECKLIST
-# ===================================================================
-# [ ] DATABASE_URL uses secure credentials and SSL
-# [ ] JWT_SECRET is a strong random string (48+ chars)
-# [ ] CORS_ORIGIN is set to your exact frontend URL(s)
-# [ ] COOKIE_DOMAIN is set if client and API are on different subdomains
-# [ ] REDIS_URL uses authentication if Redis is exposed
-# [ ] LOG_LEVEL is set to info or warn
-# [ ] SENTRY_DSN is configured for error tracking
-# [ ] Database connection pool tested under load
-# [ ] All secrets are stored in environment variables, not in code
-# [ ] SSL/TLS certificates are configured
-# [ ] Firewall rules restrict access to database and Redis
-# [ ] In Coolify: NO secrets have "Available at Buildtime" checked
-# [ ] In Coolify: NODE_ENV does NOT have "Available at Buildtime" checked
+# ===================================================================
+# PRODUCTION ENVIRONMENT CONFIGURATION
+# ===================================================================
+# This file contains production-optimized settings for high-traffic
+# deployments (10K-100K users/day). Copy to .env and customize.
+#
+# COOLIFY DEPLOYMENT NOTE:
+# When adding environment variables in Coolify, do NOT check
+# "Available at Buildtime" for any variable unless explicitly noted.
+# The server Dockerfile handles build-time config internally.
+# Secrets (DATABASE_URL, JWT_SECRET, COOKIE_SECRET, REDIS_URL) must
+# NEVER be available at buildtime — they get baked into the image layer.
+#
+# ===================================================================
+
+# ===================================================================
+# APPLICATION
+# ===================================================================
+
+# COOLIFY: Do NOT check "Available at Buildtime" — the Dockerfile
+# sets NODE_ENV=development during build to ensure devDependencies install.
+NODE_ENV=production
+PORT=3000
+HOST=0.0.0.0
+
+# ===================================================================
+# SERVER TIMEOUTS
+# ===================================================================
+
+# Fastify request timeout in milliseconds (default: 30000 = 30s)
+# Long-running routes (LLM calls, big exports) may need 180000+ (180s).
+# CRITICAL: the reverse proxy (Nginx/Coolify) timeout must be raised to
+# match, or the proxy cuts the connection before the server does.
+REQUEST_TIMEOUT_MS=30000
+
+# Fastify connection timeout in milliseconds (default: 60000 = 60s)
+CONNECTION_TIMEOUT_MS=60000
+
+# ===================================================================
+# DATABASE (MySQL 8.0+)
+# ===================================================================
+
+# Production database connection
+# CRITICAL: Use secure credentials, SSL/TLS, and private network
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
+DATABASE_URL="mysql://prod_user:SECURE_PASSWORD@db.internal:3306/prod_db?ssl=true"
+
+# Connection pool for high traffic (10K-100K users/day)
+# Recommended: 20-50 connections for production
+# Monitor and adjust based on load testing results
+DATABASE_POOL_MIN=10
+DATABASE_POOL_MAX=50
+
+# ===================================================================
+# REDIS
+# ===================================================================
+
+# Production Redis instance
+# CRITICAL: Use authentication and private network
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
+REDIS_URL="redis://:REDIS_PASSWORD@redis.internal:6379"
+
+# Production retry settings
+REDIS_MAX_RETRIES=5
+REDIS_CONNECT_TIMEOUT=5000
+
+# ===================================================================
+# RATE LIMITING
+# ===================================================================
+
+# Always enabled in production
+RATE_LIMIT_ENABLED=true
+
+# Production: keep at 1 (default limits are tuned for production)
+RATE_LIMIT_MULTIPLIER=1
+
+# Tight limits for sensitive auth routes in production
+RATE_LIMIT_AUTH_LOGIN_MAX=10
+RATE_LIMIT_AUTH_REGISTER_MAX=5
+
+# Trust Cloudflare's CF-Connecting-IP header for the real client IP (default: false)
+# Used ONLY for rate-limiting and IP auto-block decisions. Behind Cloudflare,
+# request.ip is a CF edge IP — without this, all users behind one edge collapse
+# onto a single IP and can rate-limit or auto-ban each other.
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
+# SECURITY: the header is client-spoofable. Set true ONLY when this origin
+# accepts traffic exclusively via Cloudflare (direct origin access is blocked
+# at the firewall/network so clients cannot reach it bypassing CF).
+# Note: the left-most X-Forwarded-For entry is now trusted as the client IP
+# regardless of this flag (covers grey-cloud / DNS-only), so the origin must be
+# proxy-locked (firewall direct access) in production either way.
+TRUST_CLOUDFLARE=false
+
+# ===================================================================
+# IP AUTO-BLOCK
+# ===================================================================
+
+# Rate-limit violations before an IP is auto-blocked for every route.
+# Keep HIGH enough that a retry-looping legitimate client or a NAT'd
+# office sharing one egress IP cannot self-ban (sustained abuse only).
+# See src/config/rate-limit.config.ts before lowering.
+IP_AUTO_BLOCK_THRESHOLD=20
+
+# Sliding window for counting violations, in seconds (5 minutes)
+IP_AUTO_BLOCK_WINDOW_SECONDS=300
+
+# How long an auto-blocked IP stays blocked, in seconds (1 hour)
+IP_AUTO_BLOCK_DURATION_SECONDS=3600
+
+# ===================================================================
+# ACCOUNT ACTIVATION
+# ===================================================================
+
+# Require account verification before users can log in
+# Set to true in production for security
+REQUIRE_USER_VERIFICATION=true
+
+# ===================================================================
+# FILE UPLOAD
+# ===================================================================
+
+# Maximum file upload size in MB
+MAX_FILE_SIZE_MB=10
+
+# COOLIFY PERSISTENT STORAGE (required for uploads to survive redeployments):
+# Go to your service in Coolify → Storages → Add Volume Mount:
+#   Name:             uploads (or <project-name>-uploads)
+#   Source Path:      (leave empty — Coolify manages the Docker volume)
+#   Destination Path: /app/uploads
+# Without this, all uploaded files are lost on every redeployment.
+
+# ===================================================================
+# JWT AUTHENTICATION
+# ===================================================================
+
+# CRITICAL: Generate a cryptographically secure secret
+# Example: openssl rand -base64 48
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
+JWT_SECRET="YOUR_PRODUCTION_JWT_SECRET_MUST_BE_AT_LEAST_32_CHARS_LONG"
+
+# Production token expiry (tighter security)
+JWT_ACCESS_EXPIRY="15m"
+JWT_REFRESH_EXPIRY="7d"
+
+# Cookie signing secret (separate from JWT for defense-in-depth)
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
+COOKIE_SECRET="YOUR_PRODUCTION_COOKIE_SECRET_MUST_BE_AT_LEAST_32_CHARS"
+
+# ===================================================================
+# CORS
+# ===================================================================
+
+# REQUIRED in production - your frontend domain(s)
+# Multiple origins separated by commas
+CORS_ORIGIN="https://yourdomain.com,https://app.yourdomain.com"
+
+# Cookie domain for cross-origin deployments
+# REQUIRED when client and API are on different subdomains:
+#   Client: https://app.example.com  |  API: https://api.example.com
+#   → Set COOKIE_DOMAIN=".example.com" (leading dot = all subdomains)
+# This enables cookies to be shared between client and API subdomains.
+# Without it, login will silently fail (server returns 200 but browser drops cookies).
+COOKIE_DOMAIN=".yourdomain.com"
+
+# ===================================================================
+# EMAIL (Resend)
+# ===================================================================
+
+# Resend API key for transactional emails
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
+RESEND_API_KEY="re_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+# Sender email — must be from a verified domain in Resend
+RESEND_FROM_EMAIL="noreply@yourdomain.com"
+
+# Frontend URL for email links (password reset, verification, etc.)
+CLIENT_URL="https://yourdomain.com"
+
+# ===================================================================
+# LOGGING
+# ===================================================================
+
+# Production: info or warn (reduces log volume)
+# Use warn to reduce costs in high-traffic scenarios
+LOG_LEVEL=info
+
+# ===================================================================
+# DATABASE SEEDING
+# ===================================================================
+
+# DO NOT SEED PRODUCTION. The seed script (npm run prisma:seed) creates
+# well-known demo accounts (admin@example.com) and hard-refuses to run when
+# NODE_ENV=production. These variables exist only to keep .env files in sync
+# across environments — leave them commented out in production.
+# SEED_ADMIN_PASSWORD=
+# SEED_USER_PASSWORD=
+
+# ===================================================================
+# ERROR TRACKING
+# ===================================================================
+
+# Sentry for production error monitoring
+# Get your DSN from: https://sentry.io/settings/projects/
+SENTRY_DSN="https://YOUR_PUBLIC_KEY@o0.ingest.sentry.io/YOUR_PROJECT_ID"
+
+# ===================================================================
+# PRODUCTION CHECKLIST
+# ===================================================================
+# [ ] DATABASE_URL uses secure credentials and SSL
+# [ ] JWT_SECRET is a strong random string (48+ chars)
+# [ ] CORS_ORIGIN is set to your exact frontend URL(s)
+# [ ] COOKIE_DOMAIN is set if client and API are on different subdomains
+# [ ] REDIS_URL uses authentication if Redis is exposed
+# [ ] LOG_LEVEL is set to info or warn
+# [ ] SENTRY_DSN is configured for error tracking
+# [ ] Database connection pool tested under load
+# [ ] All secrets are stored in environment variables, not in code
+# [ ] SSL/TLS certificates are configured
+# [ ] Firewall rules restrict access to database and Redis
+# [ ] In Coolify: NO secrets have "Available at Buildtime" checked
+# [ ] In Coolify: NODE_ENV does NOT have "Available at Buildtime" checked

package/template/server/Dockerfile

@@ -23,6 +23,18 @@ RUN if [ -f pnpm-lock.yaml ]; then \
       npm ci --omit=dev; \
     fi
 
+# Add the Prisma CLI to the production node_modules so the runtime image can
+# run `npx prisma migrate deploy` at container start (see CMD in stage 3).
+# `prisma` is a devDependency (correct for local dev), so the prod-only install
+# above does NOT include it — without this step, npx would try to download the
+# CLI from the registry on every container boot. Pinned to the exact
+# @prisma/client version the lockfile installed, so CLI and client never drift.
+# --no-save keeps package.json and the lockfile untouched. Because this stage
+# runs on the same Alpine (musl) base as the runtime stage, the engine binaries
+# downloaded here are the correct ones for production.
+RUN npm install --no-save --no-audit --no-fund \
+      "prisma@$(node -p "require('@prisma/client/package.json').version")"
+
 # ===================================================================
 # Stage 2: Build (compile TypeScript)
 # ===================================================================
@@ -69,7 +81,9 @@ RUN addgroup -g 1001 -S nodejs && \
 
 WORKDIR /app
 
-# Copy production dependencies from dependencies stage
+# Copy production dependencies from dependencies stage.
+# Includes the Prisma CLI (+ its engines) installed in stage 1, which the
+# CMD below needs for `npx prisma migrate deploy`.
 COPY --from=dependencies --chown=nodejs:nodejs /app/node_modules ./node_modules
 
 # Copy generated Prisma client from builder stage (not present in prod deps)
@@ -91,12 +105,22 @@ USER nodejs
 # Expose port (matches default PORT in env.ts; override via PORT env var)
 EXPOSE 8000
 
-# Health check for container orchestration
-HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
+# Health check for container orchestration.
+# start-period is 60s because CMD runs `prisma migrate deploy` BEFORE the server
+# starts listening — a slow migration must not be counted as unhealthy, or
+# Coolify restart-loops the container mid-migration.
+HEALTHCHECK --interval=30s --timeout=3s --start-period=60s --retries=3 \
   CMD node -e "const p=process.env.PORT||8000;require('http').get('http://localhost:'+p+'/api/v1/live',(r)=>{process.exit(r.statusCode===200?0:1)})"
 
 # Use dumb-init to handle signals properly
 ENTRYPOINT ["dumb-init", "--"]
 
-# Start the application
-CMD ["node", "dist/server.js"]
+# Start the application — apply any pending Prisma migrations first, then boot.
+# Runs inside Coolify on every container start, where DATABASE_URL is reachable
+# (it isn't from CI, which is why migrations belong here and not in a workflow).
+# `migrate deploy` is idempotent: it applies only pending migrations and exits 0
+# when there is nothing to do. Requirements, all satisfied above:
+#   - prisma CLI in ./node_modules (installed in stage 1, copied with node_modules)
+#   - ./prisma/schema.prisma + ./prisma/migrations (copied from builder)
+# `exec` replaces the shell so node receives signals from dumb-init directly.
+CMD ["sh", "-c", "npx prisma migrate deploy && exec node dist/server.js"]

package/template/server/docker-compose.yml

@@ -1,5 +1,14 @@
 # WARNING: These credentials are for LOCAL DEVELOPMENT ONLY.
 # Change all passwords and secrets before using in any shared or production environment.
+#
+# Security posture:
+# - All published ports are bound to 127.0.0.1 — nothing is reachable from the
+#   network (an unpassworded Redis or root-password MySQL on 0.0.0.0 is an open
+#   door on shared networks/VPS dev boxes). Don't remove the 127.0.0.1 prefix.
+# - The admin UIs (phpMyAdmin, Redis Commander) are behind the "tools" profile
+#   and do NOT start by default:
+#     docker compose up -d                  → MySQL + Redis only
+#     docker compose --profile tools up -d  → also phpMyAdmin + Redis Commander
 
 name: {{PROJECT_NAME}}
 
@@ -8,8 +17,19 @@ services:
     image: mysql:8.0
     container_name: {{PROJECT_NAME}}-mysql
     restart: unless-stopped
+    # Local-dev resource bounds. mem_limit is a cgroup ceiling (a runaway container is
+    # OOM-killed in isolation instead of wedging the whole WSL2/Docker engine); the flags
+    # dev-tune MySQL 8 to a small, fast-warming footprint. Production reaches MySQL as a
+    # separate Coolify resource via DATABASE_URL — none of this touches prod.
+    mem_limit: 900m
+    command:
+      - --innodb-buffer-pool-size=128M    # default is fine for dev; keeps RSS small
+      - --performance-schema=OFF          # saves ~hundreds of MB on its own
+      - --skip-name-resolve               # no reverse-DNS per connection (faster, leaner)
+      - --max-connections=60              # well above DATABASE_POOL_MAX (10) + headroom
+      - --innodb-flush-log-at-trx-commit=2 # dev durability/throughput trade — not for prod
     ports:
-      - '${MYSQL_PORT:-{{MYSQL_PORT}}}:3306'
+      - '127.0.0.1:${MYSQL_PORT:-{{MYSQL_PORT}}}:3306'
     environment:
       MYSQL_ROOT_PASSWORD: rootpassword
       MYSQL_DATABASE: {{DATABASE_NAME}}
@@ -27,8 +47,9 @@ services:
     image: phpmyadmin:latest
     container_name: {{PROJECT_NAME}}-phpmyadmin
     restart: unless-stopped
+    profiles: ["tools"]
     ports:
-      - '${PHPMYADMIN_PORT:-{{PHPMYADMIN_PORT}}}:80'
+      - '127.0.0.1:${PHPMYADMIN_PORT:-{{PHPMYADMIN_PORT}}}:80'
     environment:
       PMA_HOST: mysql
       PMA_PORT: 3306
@@ -47,8 +68,14 @@ services:
     image: redis:7-alpine
     container_name: {{PROJECT_NAME}}-redis
     restart: unless-stopped
+    # Local-dev resource bounds. Layer two ceilings: Redis's own --maxmemory (150mb) trips
+    # FIRST and refuses writes loudly (noeviction — create-tigra also keeps rate-limit/queue
+    # keys in Redis, so silent LRU eviction would be a dev data-loss trap), while the 200m
+    # cgroup mem_limit sits above it as a hard backstop. --save "" drops RDB snapshot fork/IO.
+    mem_limit: 200m
+    command: ['redis-server', '--maxmemory', '150mb', '--maxmemory-policy', 'noeviction', '--save', '']
     ports:
-      - '${REDIS_PORT:-{{REDIS_PORT}}}:6379'
+      - '127.0.0.1:${REDIS_PORT:-{{REDIS_PORT}}}:6379'
     volumes:
       - redis_data:/data
     networks:
@@ -63,8 +90,9 @@ services:
     image: rediscommander/redis-commander:latest
     container_name: {{PROJECT_NAME}}-redis-commander
     restart: unless-stopped
+    profiles: ["tools"]
     ports:
-      - '${REDIS_COMMANDER_PORT:-{{REDIS_COMMANDER_PORT}}}:8081'
+      - '127.0.0.1:${REDIS_COMMANDER_PORT:-{{REDIS_COMMANDER_PORT}}}:8081'
     environment:
       REDIS_HOSTS: local:redis:6379
     depends_on: