create-tigra 3.0.0 → 3.0.2

package/template/server/.env.example.production

@@ -1,208 +1,221 @@
-# ===================================================================
-# PRODUCTION ENVIRONMENT CONFIGURATION
-# ===================================================================
-# This file contains production-optimized settings for high-traffic
-# deployments (10K-100K users/day). Copy to .env and customize.
-#
-# COOLIFY DEPLOYMENT NOTE:
-# When adding environment variables in Coolify, do NOT check
-# "Available at Buildtime" for any variable unless explicitly noted.
-# The server Dockerfile handles build-time config internally.
-# Secrets (DATABASE_URL, JWT_SECRET, COOKIE_SECRET, REDIS_URL) must
-# NEVER be available at buildtime — they get baked into the image layer.
-#
-# ===================================================================
-
-# ===================================================================
-# APPLICATION
-# ===================================================================
-
-# COOLIFY: Do NOT check "Available at Buildtime" — the Dockerfile
-# sets NODE_ENV=development during build to ensure devDependencies install.
-NODE_ENV=production
-PORT=3000
-HOST=0.0.0.0
-
-# ===================================================================
-# SERVER TIMEOUTS
-# ===================================================================
-
-# Fastify request timeout in milliseconds (default: 30000 = 30s)
-# Long-running routes (LLM calls, big exports) may need 180000+ (180s).
-# CRITICAL: the reverse proxy (Nginx/Coolify) timeout must be raised to
-# match, or the proxy cuts the connection before the server does.
-REQUEST_TIMEOUT_MS=30000
-
-# Fastify connection timeout in milliseconds (default: 60000 = 60s)
-CONNECTION_TIMEOUT_MS=60000
-
-# ===================================================================
-# DATABASE (MySQL 8.0+)
-# ===================================================================
-
-# Production database connection
-# CRITICAL: Use secure credentials, SSL/TLS, and private network
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
-DATABASE_URL="mysql://prod_user:SECURE_PASSWORD@db.internal:3306/prod_db?ssl=true"
-
-# Connection pool for high traffic (10K-100K users/day)
-# Recommended: 20-50 connections for production
-# Monitor and adjust based on load testing results
-DATABASE_POOL_MIN=10
-DATABASE_POOL_MAX=50
-
-# ===================================================================
-# REDIS
-# ===================================================================
-
-# Production Redis instance
-# CRITICAL: Use authentication and private network
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
-REDIS_URL="redis://:REDIS_PASSWORD@redis.internal:6379"
-
-# Production retry settings
-REDIS_MAX_RETRIES=5
-REDIS_CONNECT_TIMEOUT=5000
-
-# ===================================================================
-# RATE LIMITING
-# ===================================================================
-
-# Always enabled in production
-RATE_LIMIT_ENABLED=true
-
-# Production: keep at 1 (default limits are tuned for production)
-RATE_LIMIT_MULTIPLIER=1
-
-# Tight limits for sensitive auth routes in production
-RATE_LIMIT_AUTH_LOGIN_MAX=10
-RATE_LIMIT_AUTH_REGISTER_MAX=5
-
-# ===================================================================
-# IP AUTO-BLOCK
-# ===================================================================
-
-# Rate-limit violations before an IP is auto-blocked for every route.
-# Keep HIGH enough that a retry-looping legitimate client or a NAT'd
-# office sharing one egress IP cannot self-ban (sustained abuse only).
-# See src/config/rate-limit.config.ts before lowering.
-IP_AUTO_BLOCK_THRESHOLD=20
-
-# Sliding window for counting violations, in seconds (5 minutes)
-IP_AUTO_BLOCK_WINDOW_SECONDS=300
-
-# How long an auto-blocked IP stays blocked, in seconds (1 hour)
-IP_AUTO_BLOCK_DURATION_SECONDS=3600
-
-# ===================================================================
-# ACCOUNT ACTIVATION
-# ===================================================================
-
-# Require account verification before users can log in
-# Set to true in production for security
-REQUIRE_USER_VERIFICATION=true
-
-# ===================================================================
-# FILE UPLOAD
-# ===================================================================
-
-# Maximum file upload size in MB
-MAX_FILE_SIZE_MB=10
-
-# COOLIFY PERSISTENT STORAGE (required for uploads to survive redeployments):
-# Go to your service in Coolify → Storages → Add Volume Mount:
-#   Name:             uploads (or <project-name>-uploads)
-#   Source Path:      (leave empty — Coolify manages the Docker volume)
-#   Destination Path: /app/uploads
-# Without this, all uploaded files are lost on every redeployment.
-
-# ===================================================================
-# JWT AUTHENTICATION
-# ===================================================================
-
-# CRITICAL: Generate a cryptographically secure secret
-# Example: openssl rand -base64 48
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
-JWT_SECRET="YOUR_PRODUCTION_JWT_SECRET_MUST_BE_AT_LEAST_32_CHARS_LONG"
-
-# Production token expiry (tighter security)
-JWT_ACCESS_EXPIRY="15m"
-JWT_REFRESH_EXPIRY="7d"
-
-# Cookie signing secret (separate from JWT for defense-in-depth)
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
-COOKIE_SECRET="YOUR_PRODUCTION_COOKIE_SECRET_MUST_BE_AT_LEAST_32_CHARS"
-
-# ===================================================================
-# CORS
-# ===================================================================
-
-# REQUIRED in production - your frontend domain(s)
-# Multiple origins separated by commas
-CORS_ORIGIN="https://yourdomain.com,https://app.yourdomain.com"
-
-# Cookie domain for cross-origin deployments
-# REQUIRED when client and API are on different subdomains:
-#   Client: https://app.example.com  |  API: https://api.example.com
-#   → Set COOKIE_DOMAIN=".example.com" (leading dot = all subdomains)
-# This enables cookies to be shared between client and API subdomains.
-# Without it, login will silently fail (server returns 200 but browser drops cookies).
-COOKIE_DOMAIN=".yourdomain.com"
-
-# ===================================================================
-# EMAIL (Resend)
-# ===================================================================
-
-# Resend API key for transactional emails
-# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
-RESEND_API_KEY="re_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-
-# Sender email — must be from a verified domain in Resend
-RESEND_FROM_EMAIL="noreply@yourdomain.com"
-
-# Frontend URL for email links (password reset, verification, etc.)
-CLIENT_URL="https://yourdomain.com"
-
-# ===================================================================
-# LOGGING
-# ===================================================================
-
-# Production: info or warn (reduces log volume)
-# Use warn to reduce costs in high-traffic scenarios
-LOG_LEVEL=info
-
-# ===================================================================
-# DATABASE SEEDING
-# ===================================================================
-
-# DO NOT SEED PRODUCTION. The seed script (npm run prisma:seed) creates
-# well-known demo accounts (admin@example.com) and hard-refuses to run when
-# NODE_ENV=production. These variables exist only to keep .env files in sync
-# across environments — leave them commented out in production.
-# SEED_ADMIN_PASSWORD=
-# SEED_USER_PASSWORD=
-
-# ===================================================================
-# ERROR TRACKING
-# ===================================================================
-
-# Sentry for production error monitoring
-# Get your DSN from: https://sentry.io/settings/projects/
-SENTRY_DSN="https://YOUR_PUBLIC_KEY@o0.ingest.sentry.io/YOUR_PROJECT_ID"
-
-# ===================================================================
-# PRODUCTION CHECKLIST
-# ===================================================================
-# [ ] DATABASE_URL uses secure credentials and SSL
-# [ ] JWT_SECRET is a strong random string (48+ chars)
-# [ ] CORS_ORIGIN is set to your exact frontend URL(s)
-# [ ] COOKIE_DOMAIN is set if client and API are on different subdomains
-# [ ] REDIS_URL uses authentication if Redis is exposed
-# [ ] LOG_LEVEL is set to info or warn
-# [ ] SENTRY_DSN is configured for error tracking
-# [ ] Database connection pool tested under load
-# [ ] All secrets are stored in environment variables, not in code
-# [ ] SSL/TLS certificates are configured
-# [ ] Firewall rules restrict access to database and Redis
-# [ ] In Coolify: NO secrets have "Available at Buildtime" checked
-# [ ] In Coolify: NODE_ENV does NOT have "Available at Buildtime" checked
+# ===================================================================
+# PRODUCTION ENVIRONMENT CONFIGURATION
+# ===================================================================
+# This file contains production-optimized settings for high-traffic
+# deployments (10K-100K users/day). Copy to .env and customize.
+#
+# COOLIFY DEPLOYMENT NOTE:
+# When adding environment variables in Coolify, do NOT check
+# "Available at Buildtime" for any variable unless explicitly noted.
+# The server Dockerfile handles build-time config internally.
+# Secrets (DATABASE_URL, JWT_SECRET, COOKIE_SECRET, REDIS_URL) must
+# NEVER be available at buildtime — they get baked into the image layer.
+#
+# ===================================================================
+
+# ===================================================================
+# APPLICATION
+# ===================================================================
+
+# COOLIFY: Do NOT check "Available at Buildtime" — the Dockerfile
+# sets NODE_ENV=development during build to ensure devDependencies install.
+NODE_ENV=production
+PORT=3000
+HOST=0.0.0.0
+
+# ===================================================================
+# SERVER TIMEOUTS
+# ===================================================================
+
+# Fastify request timeout in milliseconds (default: 30000 = 30s)
+# Long-running routes (LLM calls, big exports) may need 180000+ (180s).
+# CRITICAL: the reverse proxy (Nginx/Coolify) timeout must be raised to
+# match, or the proxy cuts the connection before the server does.
+REQUEST_TIMEOUT_MS=30000
+
+# Fastify connection timeout in milliseconds (default: 60000 = 60s)
+CONNECTION_TIMEOUT_MS=60000
+
+# ===================================================================
+# DATABASE (MySQL 8.0+)
+# ===================================================================
+
+# Production database connection
+# CRITICAL: Use secure credentials, SSL/TLS, and private network
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
+DATABASE_URL="mysql://prod_user:SECURE_PASSWORD@db.internal:3306/prod_db?ssl=true"
+
+# Connection pool for high traffic (10K-100K users/day)
+# Recommended: 20-50 connections for production
+# Monitor and adjust based on load testing results
+DATABASE_POOL_MIN=10
+DATABASE_POOL_MAX=50
+
+# ===================================================================
+# REDIS
+# ===================================================================
+
+# Production Redis instance
+# CRITICAL: Use authentication and private network
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
+REDIS_URL="redis://:REDIS_PASSWORD@redis.internal:6379"
+
+# Production retry settings
+REDIS_MAX_RETRIES=5
+REDIS_CONNECT_TIMEOUT=5000
+
+# ===================================================================
+# RATE LIMITING
+# ===================================================================
+
+# Always enabled in production
+RATE_LIMIT_ENABLED=true
+
+# Production: keep at 1 (default limits are tuned for production)
+RATE_LIMIT_MULTIPLIER=1
+
+# Tight limits for sensitive auth routes in production
+RATE_LIMIT_AUTH_LOGIN_MAX=10
+RATE_LIMIT_AUTH_REGISTER_MAX=5
+
+# Trust Cloudflare's CF-Connecting-IP header for the real client IP (default: false)
+# Used ONLY for rate-limiting and IP auto-block decisions. Behind Cloudflare,
+# request.ip is a CF edge IP — without this, all users behind one edge collapse
+# onto a single IP and can rate-limit or auto-ban each other.
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime".
+# SECURITY: the header is client-spoofable. Set true ONLY when this origin
+# accepts traffic exclusively via Cloudflare (direct origin access is blocked
+# at the firewall/network so clients cannot reach it bypassing CF).
+# Note: the left-most X-Forwarded-For entry is now trusted as the client IP
+# regardless of this flag (covers grey-cloud / DNS-only), so the origin must be
+# proxy-locked (firewall direct access) in production either way.
+TRUST_CLOUDFLARE=false
+
+# ===================================================================
+# IP AUTO-BLOCK
+# ===================================================================
+
+# Rate-limit violations before an IP is auto-blocked for every route.
+# Keep HIGH enough that a retry-looping legitimate client or a NAT'd
+# office sharing one egress IP cannot self-ban (sustained abuse only).
+# See src/config/rate-limit.config.ts before lowering.
+IP_AUTO_BLOCK_THRESHOLD=20
+
+# Sliding window for counting violations, in seconds (5 minutes)
+IP_AUTO_BLOCK_WINDOW_SECONDS=300
+
+# How long an auto-blocked IP stays blocked, in seconds (1 hour)
+IP_AUTO_BLOCK_DURATION_SECONDS=3600
+
+# ===================================================================
+# ACCOUNT ACTIVATION
+# ===================================================================
+
+# Require account verification before users can log in
+# Set to true in production for security
+REQUIRE_USER_VERIFICATION=true
+
+# ===================================================================
+# FILE UPLOAD
+# ===================================================================
+
+# Maximum file upload size in MB
+MAX_FILE_SIZE_MB=10
+
+# COOLIFY PERSISTENT STORAGE (required for uploads to survive redeployments):
+# Go to your service in Coolify → Storages → Add Volume Mount:
+#   Name:             uploads (or <project-name>-uploads)
+#   Source Path:      (leave empty — Coolify manages the Docker volume)
+#   Destination Path: /app/uploads
+# Without this, all uploaded files are lost on every redeployment.
+
+# ===================================================================
+# JWT AUTHENTICATION
+# ===================================================================
+
+# CRITICAL: Generate a cryptographically secure secret
+# Example: openssl rand -base64 48
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
+JWT_SECRET="YOUR_PRODUCTION_JWT_SECRET_MUST_BE_AT_LEAST_32_CHARS_LONG"
+
+# Production token expiry (tighter security)
+JWT_ACCESS_EXPIRY="15m"
+JWT_REFRESH_EXPIRY="7d"
+
+# Cookie signing secret (separate from JWT for defense-in-depth)
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
+COOKIE_SECRET="YOUR_PRODUCTION_COOKIE_SECRET_MUST_BE_AT_LEAST_32_CHARS"
+
+# ===================================================================
+# CORS
+# ===================================================================
+
+# REQUIRED in production - your frontend domain(s)
+# Multiple origins separated by commas
+CORS_ORIGIN="https://yourdomain.com,https://app.yourdomain.com"
+
+# Cookie domain for cross-origin deployments
+# REQUIRED when client and API are on different subdomains:
+#   Client: https://app.example.com  |  API: https://api.example.com
+#   → Set COOKIE_DOMAIN=".example.com" (leading dot = all subdomains)
+# This enables cookies to be shared between client and API subdomains.
+# Without it, login will silently fail (server returns 200 but browser drops cookies).
+COOKIE_DOMAIN=".yourdomain.com"
+
+# ===================================================================
+# EMAIL (Resend)
+# ===================================================================
+
+# Resend API key for transactional emails
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
+RESEND_API_KEY="re_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+# Sender email — must be from a verified domain in Resend
+RESEND_FROM_EMAIL="noreply@yourdomain.com"
+
+# Frontend URL for email links (password reset, verification, etc.)
+CLIENT_URL="https://yourdomain.com"
+
+# ===================================================================
+# LOGGING
+# ===================================================================
+
+# Production: info or warn (reduces log volume)
+# Use warn to reduce costs in high-traffic scenarios
+LOG_LEVEL=info
+
+# ===================================================================
+# DATABASE SEEDING
+# ===================================================================
+
+# DO NOT SEED PRODUCTION. The seed script (npm run prisma:seed) creates
+# well-known demo accounts (admin@example.com) and hard-refuses to run when
+# NODE_ENV=production. These variables exist only to keep .env files in sync
+# across environments — leave them commented out in production.
+# SEED_ADMIN_PASSWORD=
+# SEED_USER_PASSWORD=
+
+# ===================================================================
+# ERROR TRACKING
+# ===================================================================
+
+# Sentry for production error monitoring
+# Get your DSN from: https://sentry.io/settings/projects/
+SENTRY_DSN="https://YOUR_PUBLIC_KEY@o0.ingest.sentry.io/YOUR_PROJECT_ID"
+
+# ===================================================================
+# PRODUCTION CHECKLIST
+# ===================================================================
+# [ ] DATABASE_URL uses secure credentials and SSL
+# [ ] JWT_SECRET is a strong random string (48+ chars)
+# [ ] CORS_ORIGIN is set to your exact frontend URL(s)
+# [ ] COOKIE_DOMAIN is set if client and API are on different subdomains
+# [ ] REDIS_URL uses authentication if Redis is exposed
+# [ ] LOG_LEVEL is set to info or warn
+# [ ] SENTRY_DSN is configured for error tracking
+# [ ] Database connection pool tested under load
+# [ ] All secrets are stored in environment variables, not in code
+# [ ] SSL/TLS certificates are configured
+# [ ] Firewall rules restrict access to database and Redis
+# [ ] In Coolify: NO secrets have "Available at Buildtime" checked
+# [ ] In Coolify: NODE_ENV does NOT have "Available at Buildtime" checked

package/template/server/docker-compose.yml

@@ -17,6 +17,17 @@ services:
     image: mysql:8.0
     container_name: {{PROJECT_NAME}}-mysql
     restart: unless-stopped
+    # Local-dev resource bounds. mem_limit is a cgroup ceiling (a runaway container is
+    # OOM-killed in isolation instead of wedging the whole WSL2/Docker engine); the flags
+    # dev-tune MySQL 8 to a small, fast-warming footprint. Production reaches MySQL as a
+    # separate Coolify resource via DATABASE_URL — none of this touches prod.
+    mem_limit: 900m
+    command:
+      - --innodb-buffer-pool-size=128M    # default is fine for dev; keeps RSS small
+      - --performance-schema=OFF          # saves ~hundreds of MB on its own
+      - --skip-name-resolve               # no reverse-DNS per connection (faster, leaner)
+      - --max-connections=60              # well above DATABASE_POOL_MAX (10) + headroom
+      - --innodb-flush-log-at-trx-commit=2 # dev durability/throughput trade — not for prod
     ports:
       - '127.0.0.1:${MYSQL_PORT:-{{MYSQL_PORT}}}:3306'
     environment:
@@ -57,6 +68,12 @@ services:
     image: redis:7-alpine
     container_name: {{PROJECT_NAME}}-redis
     restart: unless-stopped
+    # Local-dev resource bounds. Layer two ceilings: Redis's own --maxmemory (150mb) trips
+    # FIRST and refuses writes loudly (noeviction — create-tigra also keeps rate-limit/queue
+    # keys in Redis, so silent LRU eviction would be a dev data-loss trap), while the 200m
+    # cgroup mem_limit sits above it as a hard backstop. --save "" drops RDB snapshot fork/IO.
+    mem_limit: 200m
+    command: ['redis-server', '--maxmemory', '150mb', '--maxmemory-policy', 'noeviction', '--save', '']
     ports:
       - '127.0.0.1:${REDIS_PORT:-{{REDIS_PORT}}}:6379'
     volumes: