Architecture | ClickMVP

What ClickMVP generates under the hood

Not boilerplate. Not a prototype. Production-grade code with Clean Architecture, SOLID principles, and three layers of automated tests.

Try Free, Generate Your First Project

Principles

Architecture decisions that scale

Every generated module follows the same contract. No shortcuts, no magic strings, no coupled layers.

Clean Architecture

Four layers with strict boundaries. Domain holds entities and value objects. Application holds use cases and DTOs. Infrastructure implements repositories with Prisma. HTTP handles routes and controllers. Use cases never import Prisma directly, only repository interfaces.

DomainApplicationInfrastructureHTTPDependency Inversion

SOLID Principles

Each class has one reason to change (SRP). New behaviors are added via composition, not modification (OCP). Repository interfaces are segregated per entity (ISP). All dependencies point inward, infrastructure depends on domain, never the reverse (DIP).

SRPOCPLSPISPDIP

Automated Tests

Three layers generated per entity. Unit tests validate use case logic with mocked repositories. Integration tests run against a real database with Prisma. E2E tests hit the HTTP endpoints and verify complete request/response cycles.

UnitIntegrationE2EVitestSupertest

Enterprise Features

Role-based access control with granular permissions per entity and action. Full audit trail logging who created and modified every record. File attachments via S3. Transactional emails via SMTP or AWS SES. Multi-language admin interface in PT, EN, and ES.

RBACAudit TrailS3 UploadSMTP / SESi18n (PT/EN/ES)

Generated Stacks

Two stacks. One command.

Backend and frontend generated independently. Each one is a standalone project you can open, run, and customize.

Backend: Node.js + Fastify + Prisma
src/
├─ modules/{entity}/
│ ├─ domain/
│ │ ├─ entities/ ← entity classes
│ │ └─ repositories/ ← interfaces only
│ ├─ application/
│ │ ├─ use-cases/ ← create, update, delete, list, get
│ │ ├─ dto/ ← input/output contracts
│ │ └─ schemas/ ← Zod validation
│ ├─ infrastructure/
│ │ ├─ prisma/ ← repository implementations
│ │ └─ mappers/ ← DB ↔ domain
│ └─ http/
│ ├─ routes/ ← Fastify route definitions
│ └─ controllers/ ← request handlers
├─ shared/ ← guards, filters, errors, pipes
├─ prisma/ ← schema, migrations, seed
└─ tests/
├─ unit/ ← use case tests (mocked repos)
├─ integration/ ← API + real DB
└─ e2e/ ← full HTTP flows
Node.jsFastifyPrismaPostgreSQLTypeScriptZodJWT
Frontend: React + Vite + shadcn/ui
src/
├─ components/{entity}/
│ ├─ {entity}-list.tsx ← data table + filters
│ ├─ {entity}-form.tsx ← create / edit form
│ └─ {entity}-detail.tsx ← read-only view
├─ hooks/ ← useQuery, useMutation wrappers
├─ services/ ← typed API clients
├─ layouts/ ← sidebar, header, auth guard
├─ i18n/ ← PT, EN, ES translations
├─ lib/ ← shadcn/ui components
└─ tests/
├─ components/ ← render + interaction
└─ e2e/ ← Playwright flows
React 19ViteTailwind v4shadcn/uiTypeScriptReact QueryPlaywright

AI-Ready Output

Your AI already understands the code

Every generated project ships with context files so Claude, Cursor, and Copilot can extend the code correctly, following the same architecture, conventions, and domain model. Pick the format your workflow uses, including Spec Kit and AWS Kiro.

CLAUDE.md

Architecture rules, layer conventions, naming patterns, aliases, and step-by-step recipes for adding fields, entities, and business rules. Auto-loaded by Claude Code.

AGENTS.md

Same context formatted for Cursor (.cursorrules), GitHub Copilot (.github/copilot-instructions.md), and OpenAI agents. One source of truth, multiple targets.

Spec Kit

Specifications in the Spec Kit format, faithful to the canonical structure for backend and frontend, ready for a spec-driven workflow.

AWS Kiro

Steering and specs in the AWS Kiro format, so your agent picks up the project with the same architecture and conventions.

Optional Features

Beyond CRUDs

Toggle enterprise features per project. Each one adds the corresponding code to backend and frontend.

Feature What it generates Requires
Role-based Permissions Guards, roles, permissions per entity × action, admin UI for role management ·
Audit Trail Automatic logging of create/update/delete with user, timestamp, and changes ·
File Attachments Upload per record, S3 storage, pre-signed URLs, file list UI AWS S3
Transactional Email Email service, templates, send on events (create, status change) SMTP / AWS SES
Multi-language Interface Admin UI with language selector, translation files for PT, EN, ES ·

Under the Hood

Templates write the code, not a model.

The AI helps you shape the data model. The code itself is rendered by Jinja2 templates, not written token by token by a model, so it always compiles and always follows the same architecture.

Generation Flow
1. User selects modules and entities in the visual designer
2. Engine reads entity definitions from PostgreSQL (1,644 modules, 14,346 entities)
3. Jinja2 templates render code with custom filters (pascal, snake, plural, ts_type, zod_type...)
4. Output: complete project as ZIP, backend and/or frontend
5. AI context files generated alongside in your chosen format: CLAUDE.md, AGENTS.md, Spec Kit, or AWS Kiro

Deterministic generation: same input, same output.

Performance

100–1,500 files generated in 2–3 seconds. Lambda execution under 512 MB memory.

Deterministic

Same input → same output. Always. No temperature, no randomness, no "retry until it compiles". Template-based generation guarantees consistency.

Security

Production-grade security. Out of the box.

Every generated application ships with a hardened security layer, no configuration required. These are not guidelines; they are generated code.

JWT: Access + Refresh Tokens

Short-lived access tokens (15 min) paired with refresh tokens (7 days). Token type is verified on every request, refresh tokens cannot be used as access tokens.

@fastify/jwt15m access7d refresh

Rate Limiting

Global limit of 300 requests/minute per IP. Auth endpoints (login, register, verify-email, forgot-password) are capped at 10 requests per 15 minutes, blocking credential stuffing and brute force attacks.

@fastify/rate-limit10 req / 15 min (auth)

bcrypt Password Hashing

Passwords are never stored in plain text. bcrypt with cost factor 10 is applied at registration and when changing passwords. Comparison uses constant-time to prevent timing attacks.

bcryptjscost 10constant-time compare

OTP Brute Force Protection

Email verification codes expire in 15 minutes and are invalidated after 5 failed attempts, preventing exhaustive search of the 6-digit space. Each resend replaces the previous code.

max 5 attempts15 min expiryauto-invalidate

CORS: Domain Restricted

CORS is locked to the project's own domain, not open to all origins. Development environments additionally allow localhost. Credentials are enabled only for allowed origins.

@fastify/corsorigin whitelistcredentials: true

Security Headers (Helmet)

HTTP security headers are applied globally: X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security (HSTS), and more, protecting against clickjacking, MIME sniffing, and protocol downgrade attacks.

@fastify/helmetHSTSX-Frame-Options

No SQL Injection: Prisma ORM

All database access goes through Prisma, no raw queries, no string concatenation. Sort fields are validated against an entity-specific whitelist before being passed to the ORM, preventing arbitrary field injection from query parameters.

Prisma ORMsort field whitelistno raw SQL

Input Validation: Zod

Every endpoint validates its payload with a typed Zod schema, body, query parameters, and path params. Unknown fields are stripped. Validation errors return 422 with field-level detail, never a 500.

Zod422 on errorfield-level detail

S3 Presigned URLs: Files Never Transit the Server

File uploads go directly from the browser to S3 using short-lived presigned URLs. The backend never handles file bytes, eliminating upload-based attack surface and reducing server memory pressure.

AWS S3presigned URLserver-bypass upload

Safe Error Responses

Unhandled errors return a generic 500 message, no stack traces, file paths, or internal state leaked to the client. Domain errors (401, 403, 404, 422) return structured JSON with a typed error code.

no stack trace leaktyped error codes

Roadmap

What's coming next

ClickMVP is actively evolving. Here's where we're headed.

Backend Node.js + Fastify + Prisma Shipped

Clean Architecture, SOLID, RBAC, audit, S3, email, i18n, automated tests

Frontend React + Vite + shadcn/ui Shipped

Clean Architecture, typed API clients, data tables, forms, i18n, Playwright tests

AI-Ready Output Shipped

CLAUDE.md, AGENTS.md, Spec Kit, AWS Kiro generated with every project

Mobile Development Next

React Native and/or Flutter stack generation with the same Clean Architecture principles

More Frameworks Planned

Spring Boot (Java/Kotlin), Laravel (PHP), Django (Python), NestJS, the most popular backend frameworks

Serverless Generation Planned

AWS Lambda + API Gateway, Cloudflare Workers, deploy-ready serverless architectures from the same data models

See it for yourself.

7-day free trial. No credit card required.

Start Free Trial →