npm - create-tigra - Versions diffs - 3.0.0 → 3.0.2 - Mend

create-tigra 3.0.0 → 3.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/package.json +1 -1
package/template/server/.env.example +248 -236
package/template/server/.env.example.production +221 -208
package/template/server/docker-compose.yml +17 -0
package/template/server/src/app.ts +316 -303
package/template/server/src/config/env.ts +150 -143
package/template/server/src/libs/__tests__/auth-path.test.ts +24 -0
package/template/server/src/libs/__tests__/client-ip.test.ts +121 -0
package/template/server/src/libs/__tests__/ip-block.test.ts +62 -0
package/template/server/src/libs/__tests__/url-safety.test.ts +80 -0
package/template/server/src/libs/auth-path.ts +14 -0
package/template/server/src/libs/client-ip.ts +77 -0
package/template/server/src/libs/ip-block.ts +220 -212
package/template/server/src/libs/query-counter.ts +59 -0
package/template/server/src/libs/url-safety.ts +121 -0
package/template/server/src/modules/auth/auth.controller.ts +128 -127

package/template/server/src/app.ts CHANGED Viewed

@@ -1,303 +1,316 @@
-import Fastify, { type FastifyError, type FastifyInstance, type FastifyRequest } from 'fastify';
-import cors from '@fastify/cors';
-import helmet from '@fastify/helmet';
-import rateLimit from '@fastify/rate-limit';
-import cookie from '@fastify/cookie';
-import jwt from '@fastify/jwt';
-import multipart from '@fastify/multipart';
-import fastifyStatic from '@fastify/static';
-import path from 'path';
-import { fileURLToPath } from 'url';
-import { env } from '@config/env.js';
-import { logger } from '@libs/logger.js';
-import { markRequestStart, logRequestLine } from '@libs/requestLogger.js';
-import { initAuth } from '@libs/auth.js';
-import { isAppError } from '@shared/errors/AppError.js';
-import { successResponse, errorResponse } from '@shared/responses/successResponse.js';
-import { authRoutes } from '@modules/auth/auth.routes.js';
-import { usersRoutes } from '@modules/users/users.routes.js';
-import { adminRoutes } from '@modules/admin/admin.routes.js';
-import { fileStorageService } from '@libs/storage/file-storage.service.js';
-import { registerJobs } from '@jobs/index.js';
-import { RATE_LIMIT_ENABLED, getRateLimitRedisStore } from '@config/rate-limit.config.js';
-import { isIpBlocked, recordRateLimitViolation, syncBlockedIpsToRedis } from '@libs/ip-block.js';
-import { isOriginAllowed } from '@libs/origin-check.js';
-import { ForbiddenError } from '@shared/errors/errors.js';
-import {
-  serializerCompiler,
-  validatorCompiler,
-  type ZodTypeProvider,
-} from 'fastify-type-provider-zod';
-// Import types to register Fastify augmentations
-import type {} from '@shared/types/index.js';
-export async function buildApp(): Promise<FastifyInstance> {
-  const app = Fastify({
-    logger: false,
-    // Trust proxy headers (X-Forwarded-For) for accurate client IP behind Nginx/load balancer
-    trustProxy: env.NODE_ENV === 'production',
-    // Graceful shutdown configuration
-    forceCloseConnections: true, // Force close idle connections on shutdown
-    // Env-configurable timeouts (defaults: 30s request, 60s connection).
-    // Long-running routes (LLM calls, exports) may need 180s+ — raise the
-    // reverse proxy timeout to match. See REQUEST_TIMEOUT_MS in .env.example.
-    requestTimeout: env.REQUEST_TIMEOUT_MS,
-    connectionTimeout: env.CONNECTION_TIMEOUT_MS,
-    keepAliveTimeout: 5000, // 5s keep-alive timeout
-    // Request body size limits (prevent DoS attacks)
-    bodyLimit: 1048576, // 1MB default limit (1024 * 1024)
-  }).withTypeProvider<ZodTypeProvider>();
-  // Set Zod validator and serializer
-  app.setValidatorCompiler(validatorCompiler);
-  app.setSerializerCompiler(serializerCompiler);
-  // --- Plugins ---
-  // CORS: Allow all origins in development, specific origin(s) in production
-  const corsOrigin = env.NODE_ENV === 'development'
-    ? true
-    : env.CORS_ORIGIN?.includes(',')
-      ? env.CORS_ORIGIN.split(',').map((o) => o.trim())
-      : env.CORS_ORIGIN;
-  await app.register(cors, {
-    origin: corsOrigin,
-    credentials: true,
-    methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
-  });
-  // Enhanced security headers for production
-  await app.register(helmet, {
-    global: true,
-    crossOriginResourcePolicy: { policy: 'cross-origin' },
-  });
-  // Rate limiting: Redis-backed when available, in-memory fallback
-  if (RATE_LIMIT_ENABLED) {
-    const redisStore = getRateLimitRedisStore();
-    await app.register(rateLimit, {
-      global: false,
-      max: 100,
-      timeWindow: '1 minute',
-      redis: redisStore,
-      nameSpace: 'rl:',
-      skipOnError: true, // Gracefully degrade if Redis fails mid-request
-      onExceeded: (request: { ip: string }) => {
-        recordRateLimitViolation(request.ip);
-      },
-    });
-  } else {
-    // Register with effectively no limit so per-route configs don't error
-    await app.register(rateLimit, {
-      global: false,
-      max: 1_000_000,
-      timeWindow: '1 minute',
-    });
-    logger.warn('[RATE-LIMIT] Rate limiting is DISABLED (RATE_LIMIT_ENABLED=false)');
-  }
-  await app.register(cookie, {
-    secret: env.COOKIE_SECRET || env.JWT_SECRET,
-  });
-  await app.register(jwt, {
-    secret: env.JWT_SECRET,
-    cookie: {
-      cookieName: 'access_token',
-      signed: false,
-    },
-  });
-  // Initialize auth helpers after JWT plugin is registered
-  initAuth(app);
-  // File upload handling (multipart/form-data)
-  await app.register(multipart, {
-    limits: {
-      fileSize: env.MAX_FILE_SIZE_MB * 1024 * 1024, // ENV-configurable (default 10MB)
-      files: 1, // Only one file per request
-    },
-  });
-  // Static file serving for uploads
-  // Get __dirname equivalent in ES modules
-  const __filename = fileURLToPath(import.meta.url);
-  const __dirname = path.dirname(__filename);
-  await app.register(fastifyStatic, {
-    root: path.join(__dirname, '..', 'uploads'),
-    prefix: '/uploads/',
-  });
-  // Initialize file storage (create directories)
-  await fileStorageService.initialize();
-  // --- Sync permanent IP blocks from DB to Redis ---
-  await syncBlockedIpsToRedis();
-  // Monitoring endpoints exempt from IP blocking and request logging.
-  // Health probes (Coolify/Docker/K8s/load balancers) come from infrastructure
-  // IPs that must NEVER be blocked — a blocked probe IP would mark a healthy
-  // container as dead and restart-loop it. Exact match on the path (query
-  // string stripped) so the exemption cannot be widened by crafted URLs.
-  // These paths must match the route registrations below.
-  const monitoringPaths = new Set(['/api/v1/health', '/api/v1/ready', '/api/v1/live']);
-  // --- IP Block Check (runs before everything else) ---
-  app.addHook('onRequest', async (request: FastifyRequest) => {
-    if (monitoringPaths.has(request.url.split('?')[0])) {
-      return; // never block health probes
-    }
-    if (await isIpBlocked(request.ip)) {
-      throw new ForbiddenError('Access denied', 'IP_BLOCKED');
-    }
-  });
-  // --- CSRF defense-in-depth: Origin check on state-changing methods ---
-  // With sameSite=none cookies (cross-origin deployments), the browser attaches
-  // auth cookies to cross-site requests. If a browser sends an Origin header on
-  // a state-changing request, it must be same-origin or a configured CORS
-  // origin. Requests WITHOUT an Origin header (curl, Postman, server-to-server,
-  // health probes) are allowed — they carry no ambient cookies and are not
-  // CSRF vectors. See src/libs/origin-check.ts for the full rationale.
-  const stateChangingMethods = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
-  const allowAllOrigins = corsOrigin === true;
-  const allowedOrigins = new Set<string>(
-    Array.isArray(corsOrigin) ? corsOrigin : typeof corsOrigin === 'string' ? [corsOrigin] : [],
-  );
-  app.addHook('onRequest', async (request: FastifyRequest) => {
-    if (!stateChangingMethods.has(request.method)) return;
-    if (isOriginAllowed(request.headers.origin, request.headers.host, allowedOrigins, allowAllOrigins)) return;
-    throw new ForbiddenError('Origin not allowed', 'ORIGIN_NOT_ALLOWED');
-  });
-  // --- Request/Response Logging ---
-  app.addHook('preHandler', async (request) => {
-    const pathname = request.url.split('?')[0];
-    if (!monitoringPaths.has(pathname)) {
-      markRequestStart(request);
-    }
-  });
-  app.addHook('onResponse', async (request, reply) => {
-    const pathname = request.url.split('?')[0];
-    if (!monitoringPaths.has(pathname)) {
-      logRequestLine(request, reply);
-    }
-  });
-  // --- Global Error Handler (must be set before routes) ---
-  app.setErrorHandler((error: FastifyError, request, reply) => {
-    // AppError — our typed errors (use duck-type check to avoid instanceof issues)
-    if (isAppError(error)) {
-      return reply.status(error.statusCode).send(errorResponse(error.code, error.message));
-    }
-    // Zod validation error
-    if (error.name === 'ZodError') {
-      return reply.status(422).send(errorResponse('VALIDATION_FAILED', 'Validation failed'));
-    }
-    // Fastify validation error
-    if (error.validation) {
-      return reply.status(400).send(
-        errorResponse(
-          'BAD_REQUEST',
-          error.message || 'Invalid request',
-        ),
-      );
-    }
-    // Fastify plugin errors (file size, rate limiting, etc.)
-    // These have statusCode properties but aren't AppError instances
-    if (error.statusCode && error.statusCode >= 400 && error.statusCode < 500) {
-      // Map common Fastify error codes to user-friendly messages
-      const errorCodeMap: Record<number, { code: string; message: string }> = {
-        413: { code: 'FILE_TOO_LARGE', message: 'File size exceeds the maximum allowed limit' },
-        429: { code: 'RATE_LIMIT_EXCEEDED', message: 'Too many requests. Please try again later' },
-      };
-      const errorInfo = errorCodeMap[error.statusCode] || {
-        code: 'BAD_REQUEST',
-        message: error.message || 'Bad request',
-      };
-      return reply.status(error.statusCode).send(errorResponse(errorInfo.code, errorInfo.message));
-    }
-    // Unexpected error — log and return generic 500
-    const requestId = request.id || 'unknown';
-    logger.error(
-      {
-        err: error,
-        requestId,
-        url: request.url,
-        method: request.method,
-        stack: error.stack,
-      },
-      `Unhandled error [${requestId}]: ${error.message}`,
-    );
-    return reply.status(500).send(errorResponse('INTERNAL_ERROR', 'Internal server error'));
-  });
-  // --- Monitoring & Health Checks ---
-  const { performHealthCheck, checkReadiness, checkLiveness } = await import('@libs/monitoring.js');
-  // Comprehensive health check (DB + Redis + Memory + Uptime)
-  app.get('/api/v1/health', async (_request, reply) => {
-    const health = await performHealthCheck();
-    const statusCode = health.status === 'healthy' ? 200 : health.status === 'degraded' ? 200 : 503;
-    return reply.status(statusCode).send(
-      successResponse(
-        health.status === 'healthy'
-          ? 'All systems operational'
-          : health.status === 'degraded'
-            ? 'Some systems degraded'
-            : 'System unhealthy',
-        health,
-      ),
-    );
-  });
-  // Readiness probe (for load balancers / K8s)
-  app.get('/api/v1/ready', async (_request, reply) => {
-    const ready = await checkReadiness();
-    const statusCode = ready ? 200 : 503;
-    return reply.status(statusCode).send(
-      successResponse(ready ? 'Service is ready' : 'Service not ready', {
-        ready,
-        timestamp: new Date().toISOString(),
-      })
-    );
-  });
-  // Liveness probe (for container orchestration)
-  app.get('/api/v1/live', (_request, reply) => {
-    const alive = checkLiveness();
-    const statusCode = alive ? 200 : 503;
-    return reply.status(statusCode).send(
-      successResponse(alive ? 'Service is alive' : 'Service not alive', {
-        alive,
-        timestamp: new Date().toISOString(),
-      })
-    );
-  });
-  // --- Routes ---
-  await app.register(authRoutes, { prefix: '/api/v1' });
-  await app.register(usersRoutes, { prefix: '/api/v1' });
-  await app.register(adminRoutes, { prefix: '/api/v1' });
-  // --- Background Jobs ---
-  registerJobs(app);
-  return app;
-}
-export default buildApp;
+import Fastify, { type FastifyError, type FastifyInstance, type FastifyRequest } from 'fastify';
+import cors from '@fastify/cors';
+import helmet from '@fastify/helmet';
+import rateLimit from '@fastify/rate-limit';
+import cookie from '@fastify/cookie';
+import jwt from '@fastify/jwt';
+import multipart from '@fastify/multipart';
+import fastifyStatic from '@fastify/static';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import { env } from '@config/env.js';
+import { logger } from '@libs/logger.js';
+import { markRequestStart, logRequestLine } from '@libs/requestLogger.js';
+import { initAuth } from '@libs/auth.js';
+import { registerQueryCounter } from '@libs/query-counter.js';
+import { isAppError } from '@shared/errors/AppError.js';
+import { successResponse, errorResponse } from '@shared/responses/successResponse.js';
+import { authRoutes } from '@modules/auth/auth.routes.js';
+import { usersRoutes } from '@modules/users/users.routes.js';
+import { adminRoutes } from '@modules/admin/admin.routes.js';
+import { fileStorageService } from '@libs/storage/file-storage.service.js';
+import { registerJobs } from '@jobs/index.js';
+import { RATE_LIMIT_ENABLED, getRateLimitRedisStore } from '@config/rate-limit.config.js';
+import { isIpBlocked, recordRateLimitViolation, syncBlockedIpsToRedis } from '@libs/ip-block.js';
+import { getClientIp } from '@libs/client-ip.js';
+import { isAuthPath } from '@libs/auth-path.js';
+import { isOriginAllowed } from '@libs/origin-check.js';
+import { ForbiddenError } from '@shared/errors/errors.js';
+import {
+  serializerCompiler,
+  validatorCompiler,
+  type ZodTypeProvider,
+} from 'fastify-type-provider-zod';
+// Import types to register Fastify augmentations
+import type {} from '@shared/types/index.js';
+export async function buildApp(): Promise<FastifyInstance> {
+  const app = Fastify({
+    logger: false,
+    // Trust proxy headers (X-Forwarded-For) for accurate client IP behind Nginx/load balancer
+    trustProxy: env.NODE_ENV === 'production',
+    // Graceful shutdown configuration
+    forceCloseConnections: true, // Force close idle connections on shutdown
+    // Env-configurable timeouts (defaults: 30s request, 60s connection).
+    // Long-running routes (LLM calls, exports) may need 180s+ — raise the
+    // reverse proxy timeout to match. See REQUEST_TIMEOUT_MS in .env.example.
+    requestTimeout: env.REQUEST_TIMEOUT_MS,
+    connectionTimeout: env.CONNECTION_TIMEOUT_MS,
+    keepAliveTimeout: 5000, // 5s keep-alive timeout
+    // Request body size limits (prevent DoS attacks)
+    bodyLimit: 1048576, // 1MB default limit (1024 * 1024)
+  }).withTypeProvider<ZodTypeProvider>();
+  // Set Zod validator and serializer
+  app.setValidatorCompiler(validatorCompiler);
+  app.setSerializerCompiler(serializerCompiler);
+  // --- Plugins ---
+  // CORS: Allow all origins in development, specific origin(s) in production
+  const corsOrigin = env.NODE_ENV === 'development'
+    ? true
+    : env.CORS_ORIGIN?.includes(',')
+      ? env.CORS_ORIGIN.split(',').map((o) => o.trim())
+      : env.CORS_ORIGIN;
+  await app.register(cors, {
+    origin: corsOrigin,
+    credentials: true,
+    methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
+  });
+  // Enhanced security headers for production
+  await app.register(helmet, {
+    global: true,
+    crossOriginResourcePolicy: { policy: 'cross-origin' },
+  });
+  // Rate limiting: Redis-backed when available, in-memory fallback
+  if (RATE_LIMIT_ENABLED) {
+    const redisStore = getRateLimitRedisStore();
+    await app.register(rateLimit, {
+      global: false,
+      max: 100,
+      timeWindow: '1 minute',
+      redis: redisStore,
+      nameSpace: 'rl:',
+      skipOnError: true, // Gracefully degrade if Redis fails mid-request
+      // Key the limiter on the real client IP (Cloudflare-aware) so users behind
+      // a shared CF edge IP aren't counted as one — see src/libs/client-ip.ts.
+      keyGenerator: (request: FastifyRequest) => getClientIp(request),
+      onExceeded: (request: FastifyRequest) => {
+        // Auth routes keep their own per-route limit + account lockout; don't let
+        // a mistyped password arm the IP-wide auto-ban.
+        if (isAuthPath(request)) return;
+        recordRateLimitViolation(getClientIp(request));
+      },
+    });
+  } else {
+    // Register with effectively no limit so per-route configs don't error
+    await app.register(rateLimit, {
+      global: false,
+      max: 1_000_000,
+      timeWindow: '1 minute',
+    });
+    logger.warn('[RATE-LIMIT] Rate limiting is DISABLED (RATE_LIMIT_ENABLED=false)');
+  }
+  await app.register(cookie, {
+    secret: env.COOKIE_SECRET || env.JWT_SECRET,
+  });
+  await app.register(jwt, {
+    secret: env.JWT_SECRET,
+    cookie: {
+      cookieName: 'access_token',
+      signed: false,
+    },
+  });
+  // Initialize auth helpers after JWT plugin is registered
+  initAuth(app);
+  // Dev-only: count Prisma queries per request → X-Query-Count header (N+1 signal for perf-tester).
+  // No-op in production. Registered early so its onRequest store is entered before any query runs.
+  registerQueryCounter(app);
+  // File upload handling (multipart/form-data)
+  await app.register(multipart, {
+    limits: {
+      fileSize: env.MAX_FILE_SIZE_MB * 1024 * 1024, // ENV-configurable (default 10MB)
+      files: 1, // Only one file per request
+    },
+  });
+  // Static file serving for uploads
+  // Get __dirname equivalent in ES modules
+  const __filename = fileURLToPath(import.meta.url);
+  const __dirname = path.dirname(__filename);
+  await app.register(fastifyStatic, {
+    root: path.join(__dirname, '..', 'uploads'),
+    prefix: '/uploads/',
+  });
+  // Initialize file storage (create directories)
+  await fileStorageService.initialize();
+  // --- Sync permanent IP blocks from DB to Redis ---
+  await syncBlockedIpsToRedis();
+  // Monitoring endpoints exempt from IP blocking and request logging.
+  // Health probes (Coolify/Docker/K8s/load balancers) come from infrastructure
+  // IPs that must NEVER be blocked — a blocked probe IP would mark a healthy
+  // container as dead and restart-loop it. Exact match on the path (query
+  // string stripped) so the exemption cannot be widened by crafted URLs.
+  // These paths must match the route registrations below.
+  const monitoringPaths = new Set(['/api/v1/health', '/api/v1/ready', '/api/v1/live']);
+  // --- IP Block Check (runs before everything else) ---
+  app.addHook('onRequest', async (request: FastifyRequest) => {
+    if (monitoringPaths.has(request.url.split('?')[0])) {
+      return; // never block health probes
+    }
+    if (await isIpBlocked(getClientIp(request))) {
+      throw new ForbiddenError('Access denied', 'IP_BLOCKED');
+    }
+  });
+  // --- CSRF defense-in-depth: Origin check on state-changing methods ---
+  // With sameSite=none cookies (cross-origin deployments), the browser attaches
+  // auth cookies to cross-site requests. If a browser sends an Origin header on
+  // a state-changing request, it must be same-origin or a configured CORS
+  // origin. Requests WITHOUT an Origin header (curl, Postman, server-to-server,
+  // health probes) are allowed — they carry no ambient cookies and are not
+  // CSRF vectors. See src/libs/origin-check.ts for the full rationale.
+  const stateChangingMethods = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+  const allowAllOrigins = corsOrigin === true;
+  const allowedOrigins = new Set<string>(
+    Array.isArray(corsOrigin) ? corsOrigin : typeof corsOrigin === 'string' ? [corsOrigin] : [],
+  );
+  app.addHook('onRequest', async (request: FastifyRequest) => {
+    if (!stateChangingMethods.has(request.method)) return;
+    if (isOriginAllowed(request.headers.origin, request.headers.host, allowedOrigins, allowAllOrigins)) return;
+    throw new ForbiddenError('Origin not allowed', 'ORIGIN_NOT_ALLOWED');
+  });
+  // --- Request/Response Logging ---
+  app.addHook('preHandler', async (request) => {
+    const pathname = request.url.split('?')[0];
+    if (!monitoringPaths.has(pathname)) {
+      markRequestStart(request);
+    }
+  });
+  app.addHook('onResponse', async (request, reply) => {
+    const pathname = request.url.split('?')[0];
+    if (!monitoringPaths.has(pathname)) {
+      logRequestLine(request, reply);
+    }
+  });
+  // --- Global Error Handler (must be set before routes) ---
+  app.setErrorHandler((error: FastifyError, request, reply) => {
+    // AppError — our typed errors (use duck-type check to avoid instanceof issues)
+    if (isAppError(error)) {
+      return reply.status(error.statusCode).send(errorResponse(error.code, error.message));
+    }
+    // Zod validation error
+    if (error.name === 'ZodError') {
+      return reply.status(422).send(errorResponse('VALIDATION_FAILED', 'Validation failed'));
+    }
+    // Fastify validation error
+    if (error.validation) {
+      return reply.status(400).send(
+        errorResponse(
+          'BAD_REQUEST',
+          error.message || 'Invalid request',
+        ),
+      );
+    }
+    // Fastify plugin errors (file size, rate limiting, etc.)
+    // These have statusCode properties but aren't AppError instances
+    if (error.statusCode && error.statusCode >= 400 && error.statusCode < 500) {
+      // Map common Fastify error codes to user-friendly messages
+      const errorCodeMap: Record<number, { code: string; message: string }> = {
+        413: { code: 'FILE_TOO_LARGE', message: 'File size exceeds the maximum allowed limit' },
+        429: { code: 'RATE_LIMIT_EXCEEDED', message: 'Too many requests. Please try again later' },
+      };
+      const errorInfo = errorCodeMap[error.statusCode] || {
+        code: 'BAD_REQUEST',
+        message: error.message || 'Bad request',
+      };
+      return reply.status(error.statusCode).send(errorResponse(errorInfo.code, errorInfo.message));
+    }
+    // Unexpected error — log and return generic 500
+    const requestId = request.id || 'unknown';
+    logger.error(
+      {
+        err: error,
+        requestId,
+        url: request.url,
+        method: request.method,
+        stack: error.stack,
+      },
+      `Unhandled error [${requestId}]: ${error.message}`,
+    );
+    return reply.status(500).send(errorResponse('INTERNAL_ERROR', 'Internal server error'));
+  });
+  // --- Monitoring & Health Checks ---
+  const { performHealthCheck, checkReadiness, checkLiveness } = await import('@libs/monitoring.js');
+  // Comprehensive health check (DB + Redis + Memory + Uptime)
+  app.get('/api/v1/health', async (_request, reply) => {
+    const health = await performHealthCheck();
+    const statusCode = health.status === 'healthy' ? 200 : health.status === 'degraded' ? 200 : 503;
+    return reply.status(statusCode).send(
+      successResponse(
+        health.status === 'healthy'
+          ? 'All systems operational'
+          : health.status === 'degraded'
+            ? 'Some systems degraded'
+            : 'System unhealthy',
+        health,
+      ),
+    );
+  });
+  // Readiness probe (for load balancers / K8s)
+  app.get('/api/v1/ready', async (_request, reply) => {
+    const ready = await checkReadiness();
+    const statusCode = ready ? 200 : 503;
+    return reply.status(statusCode).send(
+      successResponse(ready ? 'Service is ready' : 'Service not ready', {
+        ready,
+        timestamp: new Date().toISOString(),
+      })
+    );
+  });
+  // Liveness probe (for container orchestration)
+  app.get('/api/v1/live', (_request, reply) => {
+    const alive = checkLiveness();
+    const statusCode = alive ? 200 : 503;
+    return reply.status(statusCode).send(
+      successResponse(alive ? 'Service is alive' : 'Service not alive', {
+        alive,
+        timestamp: new Date().toISOString(),
+      })
+    );
+  });
+  // --- Routes ---
+  await app.register(authRoutes, { prefix: '/api/v1' });
+  await app.register(usersRoutes, { prefix: '/api/v1' });
+  await app.register(adminRoutes, { prefix: '/api/v1' });
+  // --- Background Jobs ---
+  registerJobs(app);
+  return app;
+}
+export default buildApp;