create-tigra 3.0.0 → 3.0.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-tigra",
-  "version": "3.0.0",
+  "version": "3.0.2",
   "type": "module",
   "description": "Create a production-ready full-stack app with Next.js 16 + Fastify 5 + Prisma + Redis",
   "bin": {

package/template/server/.env.example

@@ -1,236 +1,248 @@
-# ===================================================================
-# APPLICATION CONFIGURATION
-# ===================================================================
-#
-# COOLIFY DEPLOYMENT NOTE:
-# When adding environment variables in Coolify, do NOT check
-# "Available at Buildtime" for any variable unless explicitly noted.
-# The server Dockerfile handles build-time config internally.
-# All variables below are RUNTIME-ONLY unless marked otherwise.
-#
-# ===================================================================
-
-# Environment: development | production | test
-# COOLIFY: Do NOT check "Available at Buildtime" — the Dockerfile
-# sets NODE_ENV=development during build to ensure devDependencies install.
-NODE_ENV=development
-
-# Server port (default: 8000)
-PORT=8000
-
-# Server host (0.0.0.0 = listen on all interfaces)
-HOST=0.0.0.0
-
-# ===================================================================
-# SERVER TIMEOUTS
-# ===================================================================
-
-# Fastify request timeout in milliseconds (default: 30000 = 30s)
-# Long-running routes (LLM calls, big exports) may need 180000+ (180s).
-# IMPORTANT: the reverse proxy (Nginx/Coolify) timeout must be raised to
-# match, or the proxy cuts the connection before the server does.
-REQUEST_TIMEOUT_MS=30000
-
-# Fastify connection timeout in milliseconds (default: 60000 = 60s)
-CONNECTION_TIMEOUT_MS=60000
-
-# ===================================================================
-# DATABASE CONFIGURATION (MySQL 8.0+)
-# ===================================================================
-
-# Database connection string
-# Format: mysql://username:password@host:port/database
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
-DATABASE_URL="mysql://root:rootpassword@localhost:{{MYSQL_PORT}}/{{DATABASE_NAME}}"
-
-# Connection pool settings (for high-traffic production)
-# Min connections: 2-5 for low traffic, 5-10 for medium, 10-20 for high
-# Max connections: 10 for dev, 20-50 for production (10K-100K users/day)
-DATABASE_POOL_MIN=2
-DATABASE_POOL_MAX=10
-
-# ===================================================================
-# REDIS CONFIGURATION
-# ===================================================================
-
-# Redis connection URL
-# Format: redis://[:password@]host:port[/database]
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
-REDIS_URL="redis://localhost:{{REDIS_PORT}}"
-
-# Max retry attempts for failed Redis operations
-REDIS_MAX_RETRIES=3
-
-# Connection timeout in milliseconds
-REDIS_CONNECT_TIMEOUT=10000
-
-# ===================================================================
-# RATE LIMITING
-# ===================================================================
-
-# Master switch to enable/disable rate limiting (default: true)
-# Set to false in development to disable all rate limits
-RATE_LIMIT_ENABLED=true
-
-# Multiply all rate limit max values by this factor (default: 1)
-# Set to 10 in development for 10x headroom, or 0.5 for tighter limits
-RATE_LIMIT_MULTIPLIER=1
-
-# Optional: Override specific critical route limits (uses defaults if not set)
-# RATE_LIMIT_AUTH_LOGIN_MAX=10
-# RATE_LIMIT_AUTH_REGISTER_MAX=5
-
-# ===================================================================
-# IP AUTO-BLOCK
-# ===================================================================
-#
-# An IP that exceeds rate limits IP_AUTO_BLOCK_THRESHOLD times within
-# IP_AUTO_BLOCK_WINDOW_SECONDS is blocked for IP_AUTO_BLOCK_DURATION_SECONDS.
-# The threshold targets SUSTAINED abuse — keep it high enough that a
-# retry-looping legitimate client or a NAT'd office sharing one IP cannot
-# self-ban. See src/config/rate-limit.config.ts for the interaction notes.
-
-# Rate-limit violations before an IP is auto-blocked (default: 20)
-IP_AUTO_BLOCK_THRESHOLD=20
-
-# Sliding window for counting violations, in seconds (default: 300 = 5 min)
-IP_AUTO_BLOCK_WINDOW_SECONDS=300
-
-# How long an auto-blocked IP stays blocked, in seconds (default: 3600 = 1 hour)
-IP_AUTO_BLOCK_DURATION_SECONDS=3600
-
-# ===================================================================
-# ACCOUNT ACTIVATION
-# ===================================================================
-
-# When true (default), new users are created as inactive and must
-# verify their account before they can log in.
-# When false, users are active immediately after registration.
-# NOTE: When this variable is not provided, users are NOT activated
-# by default — you must explicitly set it to false to skip verification.
-REQUIRE_USER_VERIFICATION=true
-
-# ===================================================================
-# FILE UPLOAD
-# ===================================================================
-
-# Maximum file upload size in MB (default: 10)
-MAX_FILE_SIZE_MB=10
-
-# COOLIFY PERSISTENT STORAGE (required for uploads to survive redeployments):
-# Go to your service in Coolify → Storages → Add Volume Mount:
-#   Name:             uploads (or <project-name>-uploads)
-#   Source Path:      (leave empty — Coolify manages the Docker volume)
-#   Destination Path: /app/uploads
-# Without this, all uploaded files are lost on every redeployment.
-
-# ===================================================================
-# DOCKER PORTS — LOCAL DEVELOPMENT ONLY
-# ===================================================================
-#
-# These ports are used by docker-compose to expose MySQL, Redis, and
-# their admin UIs on your local machine. They are NOT needed in
-# production — production connects via DATABASE_URL and REDIS_URL
-# (typically over a private network), not through exposed ports.
-#
-# Change these if they conflict with other services on your machine.
-
-MYSQL_PORT={{MYSQL_PORT}}
-PHPMYADMIN_PORT={{PHPMYADMIN_PORT}}
-REDIS_PORT={{REDIS_PORT}}
-REDIS_COMMANDER_PORT={{REDIS_COMMANDER_PORT}}
-
-# ===================================================================
-# JWT AUTHENTICATION
-# ===================================================================
-
-# JWT secret key (MUST be at least 32 characters)
-# CRITICAL: Generate a strong random secret for production!
-# Example: openssl rand -base64 48
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
-JWT_SECRET="{{JWT_SECRET}}"
-
-# Access token expiry (short-lived)
-# Format: 1s, 1m, 1h, 1d (default: 15m)
-JWT_ACCESS_EXPIRY="15m"
-
-# Refresh token expiry (long-lived)
-# Format: 1s, 1m, 1h, 1d (default: 7d)
-JWT_REFRESH_EXPIRY="7d"
-
-# Cookie signing secret (separate from JWT for defense-in-depth)
-# Optional: defaults to JWT_SECRET if not set
-# For production: generate a separate secret: openssl rand -base64 48
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
-# COOKIE_SECRET="change-this-to-a-different-secret-at-least-32-chars"
-
-# Cookie domain for cross-origin deployments
-# REQUIRED when client and API are on different subdomains:
-#   Client: https://app.example.com  |  API: https://api.example.com
-#   → Set COOKIE_DOMAIN=".example.com" (note the leading dot)
-# NOT needed when client and API share the same hostname (local dev, same-origin prod)
-# Without this, cookies are scoped to the API hostname only and the browser
-# will silently reject them on cross-origin requests (login appears to do nothing).
-# COOKIE_DOMAIN=".example.com"
-
-# ===================================================================
-# CORS (Cross-Origin Resource Sharing)
-# ===================================================================
-
-# Allowed origins for CORS
-# Development: Optional (allows all origins for easier local dev)
-# Production: REQUIRED (must be your frontend URL for security)
-# Multiple origins: Separate with commas
-# Examples:
-#   Single origin: CORS_ORIGIN="https://myapp.com"
-#   Multiple origins: CORS_ORIGIN="https://myapp.com,https://app.myapp.com"
-#   Local dev: CORS_ORIGIN="http://localhost:3001"
-# CORS_ORIGIN="http://localhost:3001"
-
-# ===================================================================
-# EMAIL (Resend)
-# ===================================================================
-
-# Resend API key for transactional emails (password reset, verification, etc.)
-# Get your API key from: https://resend.com/api-keys
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
-RESEND_API_KEY="re_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-
-# Sender email address
-# Development: Use Resend's test address (onboarding@resend.dev) — delivers to your Resend dashboard
-# Production: Use a verified domain email (e.g., noreply@yourdomain.com)
-RESEND_FROM_EMAIL="onboarding@resend.dev"
-
-# Frontend URL used to build links in emails (e.g., password reset links)
-# Must match the URL where your Next.js client is running
-CLIENT_URL="http://localhost:3000"
-
-# ===================================================================
-# LOGGING
-# ===================================================================
-
-# Log level: fatal | error | warn | info | debug | trace
-# Production: info or warn (reduces noise)
-# Development: debug (verbose logging)
-# Staging: info
-LOG_LEVEL=info
-
-# ===================================================================
-# DATABASE SEEDING (npm run prisma:seed — dev/test only)
-# ===================================================================
-
-# Passwords for the seeded demo accounts (admin@example.com / user@example.com).
-# Optional in development — well-known dev defaults (Admin123! / User123!) are
-# used when unset. The seed script REFUSES to run when NODE_ENV=production.
-# SEED_ADMIN_PASSWORD="choose-a-dev-admin-password"
-# SEED_USER_PASSWORD="choose-a-dev-user-password"
-
-# ===================================================================
-# ERROR TRACKING (Optional)
-# ===================================================================
-
-# Sentry DSN for error tracking and monitoring
-# Get your DSN from: https://sentry.io/settings/projects/
-# Leave empty to disable Sentry
-# Example: SENTRY_DSN="https://examplePublicKey@o0.ingest.sentry.io/0"
-# SENTRY_DSN=""
+# ===================================================================
+# APPLICATION CONFIGURATION
+# ===================================================================
+#
+# COOLIFY DEPLOYMENT NOTE:
+# When adding environment variables in Coolify, do NOT check
+# "Available at Buildtime" for any variable unless explicitly noted.
+# The server Dockerfile handles build-time config internally.
+# All variables below are RUNTIME-ONLY unless marked otherwise.
+#
+# ===================================================================
+
+# Environment: development | production | test
+# COOLIFY: Do NOT check "Available at Buildtime" — the Dockerfile
+# sets NODE_ENV=development during build to ensure devDependencies install.
+NODE_ENV=development
+
+# Server port (default: 8000)
+PORT=8000
+
+# Server host (0.0.0.0 = listen on all interfaces)
+HOST=0.0.0.0
+
+# ===================================================================
+# SERVER TIMEOUTS
+# ===================================================================
+
+# Fastify request timeout in milliseconds (default: 30000 = 30s)
+# Long-running routes (LLM calls, big exports) may need 180000+ (180s).
+# IMPORTANT: the reverse proxy (Nginx/Coolify) timeout must be raised to
+# match, or the proxy cuts the connection before the server does.
+REQUEST_TIMEOUT_MS=30000
+
+# Fastify connection timeout in milliseconds (default: 60000 = 60s)
+CONNECTION_TIMEOUT_MS=60000
+
+# ===================================================================
+# DATABASE CONFIGURATION (MySQL 8.0+)
+# ===================================================================
+
+# Database connection string
+# Format: mysql://username:password@host:port/database
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
+DATABASE_URL="mysql://root:rootpassword@localhost:{{MYSQL_PORT}}/{{DATABASE_NAME}}"
+
+# Connection pool settings (for high-traffic production)
+# Min connections: 2-5 for low traffic, 5-10 for medium, 10-20 for high
+# Max connections: 10 for dev, 20-50 for production (10K-100K users/day)
+DATABASE_POOL_MIN=2
+DATABASE_POOL_MAX=10
+
+# ===================================================================
+# REDIS CONFIGURATION
+# ===================================================================
+
+# Redis connection URL
+# Format: redis://[:password@]host:port[/database]
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
+REDIS_URL="redis://localhost:{{REDIS_PORT}}"
+
+# Max retry attempts for failed Redis operations
+REDIS_MAX_RETRIES=3
+
+# Connection timeout in milliseconds
+REDIS_CONNECT_TIMEOUT=10000
+
+# ===================================================================
+# RATE LIMITING
+# ===================================================================
+
+# Master switch to enable/disable rate limiting (default: true)
+# Set to false in development to disable all rate limits
+RATE_LIMIT_ENABLED=true
+
+# Multiply all rate limit max values by this factor (default: 1)
+# Set to 10 in development for 10x headroom, or 0.5 for tighter limits
+RATE_LIMIT_MULTIPLIER=1
+
+# Optional: Override specific critical route limits (uses defaults if not set)
+# RATE_LIMIT_AUTH_LOGIN_MAX=10
+# RATE_LIMIT_AUTH_REGISTER_MAX=5
+
+# Trust Cloudflare's CF-Connecting-IP header for the real client IP (default: false)
+# Used ONLY for rate-limiting and IP auto-block decisions. Behind Cloudflare,
+# request.ip is a CF edge IP — without this, all users behind one edge collapse
+# onto a single IP and can rate-limit or auto-ban each other.
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
+# SECURITY: the header is client-spoofable. Set true ONLY when the origin
+# accepts traffic exclusively via Cloudflare (direct origin access is blocked).
+# Note: the left-most X-Forwarded-For entry is now trusted as the client IP
+# regardless of this flag (covers grey-cloud / DNS-only), so the origin must be
+# proxy-locked (firewall direct access) in production either way.
+TRUST_CLOUDFLARE=false
+
+# ===================================================================
+# IP AUTO-BLOCK
+# ===================================================================
+#
+# An IP that exceeds rate limits IP_AUTO_BLOCK_THRESHOLD times within
+# IP_AUTO_BLOCK_WINDOW_SECONDS is blocked for IP_AUTO_BLOCK_DURATION_SECONDS.
+# The threshold targets SUSTAINED abuse — keep it high enough that a
+# retry-looping legitimate client or a NAT'd office sharing one IP cannot
+# self-ban. See src/config/rate-limit.config.ts for the interaction notes.
+
+# Rate-limit violations before an IP is auto-blocked (default: 20)
+IP_AUTO_BLOCK_THRESHOLD=20
+
+# Sliding window for counting violations, in seconds (default: 300 = 5 min)
+IP_AUTO_BLOCK_WINDOW_SECONDS=300
+
+# How long an auto-blocked IP stays blocked, in seconds (default: 3600 = 1 hour)
+IP_AUTO_BLOCK_DURATION_SECONDS=3600
+
+# ===================================================================
+# ACCOUNT ACTIVATION
+# ===================================================================
+
+# When true (default), new users are created as inactive and must
+# verify their account before they can log in.
+# When false, users are active immediately after registration.
+# NOTE: When this variable is not provided, users are NOT activated
+# by default — you must explicitly set it to false to skip verification.
+REQUIRE_USER_VERIFICATION=true
+
+# ===================================================================
+# FILE UPLOAD
+# ===================================================================
+
+# Maximum file upload size in MB (default: 10)
+MAX_FILE_SIZE_MB=10
+
+# COOLIFY PERSISTENT STORAGE (required for uploads to survive redeployments):
+# Go to your service in Coolify → Storages → Add Volume Mount:
+#   Name:             uploads (or <project-name>-uploads)
+#   Source Path:      (leave empty — Coolify manages the Docker volume)
+#   Destination Path: /app/uploads
+# Without this, all uploaded files are lost on every redeployment.
+
+# ===================================================================
+# DOCKER PORTS — LOCAL DEVELOPMENT ONLY
+# ===================================================================
+#
+# These ports are used by docker-compose to expose MySQL, Redis, and
+# their admin UIs on your local machine. They are NOT needed in
+# production — production connects via DATABASE_URL and REDIS_URL
+# (typically over a private network), not through exposed ports.
+#
+# Change these if they conflict with other services on your machine.
+
+MYSQL_PORT={{MYSQL_PORT}}
+PHPMYADMIN_PORT={{PHPMYADMIN_PORT}}
+REDIS_PORT={{REDIS_PORT}}
+REDIS_COMMANDER_PORT={{REDIS_COMMANDER_PORT}}
+
+# ===================================================================
+# JWT AUTHENTICATION
+# ===================================================================
+
+# JWT secret key (MUST be at least 32 characters)
+# CRITICAL: Generate a strong random secret for production!
+# Example: openssl rand -base64 48
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
+JWT_SECRET="{{JWT_SECRET}}"
+
+# Access token expiry (short-lived)
+# Format: 1s, 1m, 1h, 1d (default: 15m)
+JWT_ACCESS_EXPIRY="15m"
+
+# Refresh token expiry (long-lived)
+# Format: 1s, 1m, 1h, 1d (default: 7d)
+JWT_REFRESH_EXPIRY="7d"
+
+# Cookie signing secret (separate from JWT for defense-in-depth)
+# Optional: defaults to JWT_SECRET if not set
+# For production: generate a separate secret: openssl rand -base64 48
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
+# COOKIE_SECRET="change-this-to-a-different-secret-at-least-32-chars"
+
+# Cookie domain for cross-origin deployments
+# REQUIRED when client and API are on different subdomains:
+#   Client: https://app.example.com  |  API: https://api.example.com
+#   → Set COOKIE_DOMAIN=".example.com" (note the leading dot)
+# NOT needed when client and API share the same hostname (local dev, same-origin prod)
+# Without this, cookies are scoped to the API hostname only and the browser
+# will silently reject them on cross-origin requests (login appears to do nothing).
+# COOKIE_DOMAIN=".example.com"
+
+# ===================================================================
+# CORS (Cross-Origin Resource Sharing)
+# ===================================================================
+
+# Allowed origins for CORS
+# Development: Optional (allows all origins for easier local dev)
+# Production: REQUIRED (must be your frontend URL for security)
+# Multiple origins: Separate with commas
+# Examples:
+#   Single origin: CORS_ORIGIN="https://myapp.com"
+#   Multiple origins: CORS_ORIGIN="https://myapp.com,https://app.myapp.com"
+#   Local dev: CORS_ORIGIN="http://localhost:3001"
+# CORS_ORIGIN="http://localhost:3001"
+
+# ===================================================================
+# EMAIL (Resend)
+# ===================================================================
+
+# Resend API key for transactional emails (password reset, verification, etc.)
+# Get your API key from: https://resend.com/api-keys
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
+RESEND_API_KEY="re_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+# Sender email address
+# Development: Use Resend's test address (onboarding@resend.dev) — delivers to your Resend dashboard
+# Production: Use a verified domain email (e.g., noreply@yourdomain.com)
+RESEND_FROM_EMAIL="onboarding@resend.dev"
+
+# Frontend URL used to build links in emails (e.g., password reset links)
+# Must match the URL where your Next.js client is running
+CLIENT_URL="http://localhost:3000"
+
+# ===================================================================
+# LOGGING
+# ===================================================================
+
+# Log level: fatal | error | warn | info | debug | trace
+# Production: info or warn (reduces noise)
+# Development: debug (verbose logging)
+# Staging: info
+LOG_LEVEL=info
+
+# ===================================================================
+# DATABASE SEEDING (npm run prisma:seed — dev/test only)
+# ===================================================================
+
+# Passwords for the seeded demo accounts (admin@example.com / user@example.com).
+# Optional in development — well-known dev defaults (Admin123! / User123!) are
+# used when unset. The seed script REFUSES to run when NODE_ENV=production.
+# SEED_ADMIN_PASSWORD="choose-a-dev-admin-password"
+# SEED_USER_PASSWORD="choose-a-dev-user-password"
+
+# ===================================================================
+# ERROR TRACKING (Optional)
+# ===================================================================
+
+# Sentry DSN for error tracking and monitoring
+# Get your DSN from: https://sentry.io/settings/projects/
+# Leave empty to disable Sentry
+# Example: SENTRY_DSN="https://examplePublicKey@o0.ingest.sentry.io/0"
+# SENTRY_DSN=""