Architecture | ClickMVP

Principles

Architecture decisions that scale

Every generated module follows the same contract. No shortcuts, no magic strings, no coupled layers.

Clean Architecture

Four layers with strict boundaries. Domain holds entities and value objects. Application holds use cases and DTOs. Infrastructure implements repositories with Prisma. HTTP handles routes and controllers. Use cases never import Prisma directly — only repository interfaces.

DomainApplicationInfrastructureHTTPDependency Inversion

SOLID Principles

Each class has one reason to change (SRP). New behaviors are added via composition, not modification (OCP). Repository interfaces are segregated per entity (ISP). All dependencies point inward — infrastructure depends on domain, never the reverse (DIP).

SRPOCPLSPISPDIP

Automated Tests

Three layers generated per entity. Unit tests validate use case logic with mocked repositories. Integration tests run against a real database with Prisma. E2E tests hit the HTTP endpoints and verify complete request/response cycles.

UnitIntegrationE2EVitestSupertest

Enterprise Features

Role-based access control with granular permissions per entity and action. Full audit trail logging who created and modified every record. File attachments via S3. Transactional emails via SMTP or AWS SES. Multi-language admin interface in PT, EN, and ES.

RBACAudit TrailS3 UploadSMTP / SESi18n (PT/EN/ES)

Generated Stacks

Two stacks. One command.

Backend and frontend generated independently. Each one is a standalone project you can open, run, and customize.

Backend — Node.js + Fastify + Prisma

            src/

            ├─ modules/{entity}/

            │  ├─ domain/

            │  │  ├─ entities/ ← entity classes

            │  │  └─ repositories/ ← interfaces only

            │  ├─ application/

            │  │  ├─ use-cases/ ← create, update, delete, list, get

            │  │  ├─ dto/ ← input/output contracts

            │  │  └─ schemas/ ← Zod validation

            │  ├─ infrastructure/

            │  │  ├─ prisma/ ← repository implementations

            │  │  └─ mappers/ ← DB ↔ domain

            │  └─ http/

            │     ├─ routes/ ← Fastify route definitions

            │     └─ controllers/ ← request handlers

            ├─ shared/ ← guards, filters, errors, pipes

            ├─ prisma/ ← schema, migrations, seed

            └─ tests/

               ├─ unit/ ← use case tests (mocked repos)

               ├─ integration/ ← API + real DB

               └─ e2e/ ← full HTTP flows

Node.jsFastifyPrismaPostgreSQLTypeScriptZodJWT

Frontend — React + Vite + shadcn/ui

            src/

            ├─ components/{entity}/

            │  ├─ {entity}-list.tsx ← data table + filters

            │  ├─ {entity}-form.tsx ← create / edit form

            │  └─ {entity}-detail.tsx ← read-only view

            ├─ hooks/ ← useQuery, useMutation wrappers

            ├─ services/ ← typed API clients

            ├─ layouts/ ← sidebar, header, auth guard

            ├─ i18n/ ← PT, EN, ES translations

            ├─ lib/ ← shadcn/ui components

            └─ tests/

               ├─ components/ ← render + interaction

               └─ e2e/ ← Playwright flows

React 19ViteTailwind v4shadcn/uiTypeScriptReact QueryPlaywright

AI-Ready Output

Your AI already understands the code

Every generated project ships with context files so Claude, Cursor, and Copilot can extend the code correctly — following the same architecture, conventions, and domain model.

CLAUDE.md

Architecture rules, layer conventions, naming patterns, aliases, and step-by-step recipes for adding fields, entities, and business rules. Auto-loaded by Claude Code.

AGENTS.md

Same context formatted for Cursor (.cursorrules), GitHub Copilot (.github/copilot-instructions.md), and OpenAI agents. One source of truth, multiple targets.

DOMAIN.md

Full domain catalog in natural language — every entity, every field (type, required, format), every relationship. Your AI reads this instead of 50 source files.

RECIPES.md

Exact extension recipes specific to the generated project: add a field, add an entity, add a use case, add RBAC for a new resource, add a relationship. Not generic — based on the actual code.

MCP Server

Generate from your AI editor

ClickMVP exposes a Model Context Protocol server with 4 tools. Connect it to Claude Desktop, Claude Code, Cursor, or VS Code Copilot and generate code via natural language.

list_modules

Browse available domains — ERP, startups, and industry verticals. Filter by source (erp or misc).

list_tables

Inspect entities within a module — names, labels, field counts, and cross-module references.

list_fields

Full schema of any entity — field names, types, validations, foreign keys, and select options.

generate_app

Generate backend or frontend as a ready-to-run ZIP file. Supports project_id for feature flags integration.

claude — mcp

            → "I need a clinic management system"

            list_modules(source='erp')

            ✓ Healthcare — ~50 entities

            list_tables('healthcare')

              Patient, Appointment, Medical Record,

              Prescription, Lab Test, Clinical Procedure…

            list_fields('patient')

              32 fields — name, dob, blood_group,

              insurance_carrier, allergies…

            generate_app(stack='node', module='healthcare')

            ✓ healthcare-app.zip — ~50 files, ~300 KB

1,644

Modules

14,346

Entities

71,630

Fields

Claude DesktopClaude CodeCursorVS Code Copilotstdio transport

Optional Features

Beyond CRUDs

Toggle enterprise features per project. Each one adds the corresponding code to backend and frontend.

Feature	What it generates	Requires
Role-based Permissions	Guards, roles, permissions per entity × action, admin UI for role management	—
Audit Trail	Automatic logging of create/update/delete with user, timestamp, and changes	—
File Attachments	Upload per record, S3 storage, pre-signed URLs, file list UI	AWS S3
Transactional Email	Email service, templates, send on events (create, status change)	SMTP / AWS SES
Multi-language Interface	Admin UI with language selector, translation files for PT, EN, ES	—

Under the Hood

Jinja2 engine. Not LLM.

Code is generated by templates, not by AI prompts. That's why it always compiles, always follows the same architecture, and never hallucinates.

Generation Flow

        1. User selects modules and entities in the visual designer

        2. Engine reads entity definitions from PostgreSQL (1,644 modules, 14,346 entities)

        3. Jinja2 templates render code with custom filters (pascal, snake, plural, ts_type, zod_type...)

        4. Output: complete project as ZIP — backend and/or frontend

        5. AI context files (CLAUDE.md, AGENTS.md, DOMAIN.md, RECIPES.md) generated alongside

        Zero tokens consumed. Zero LLM calls. Deterministic output.

Performance

~100 files generated in under 2 seconds. Lambda execution peaks at 200–300 MB memory. Cost per generation: ~$0.000008.

Deterministic

Same input → same output. Always. No temperature, no randomness, no "retry until it compiles". Template-based generation guarantees consistency.

Security

Production-grade security. Out of the box.

Every generated application ships with a hardened security layer — no configuration required. These are not guidelines; they are generated code.

JWT — Access + Refresh Tokens

Short-lived access tokens (15 min) paired with refresh tokens (7 days). Token type is verified on every request — refresh tokens cannot be used as access tokens.

@fastify/jwt15m access7d refresh

Rate Limiting

Global limit of 300 requests/minute per IP. Auth endpoints (login, register, verify-email, forgot-password) are capped at 10 requests per 15 minutes — blocking credential stuffing and brute force attacks.

@fastify/rate-limit10 req / 15 min (auth)

bcrypt Password Hashing

Passwords are never stored in plain text. bcrypt with cost factor 10 is applied at registration and when changing passwords. Comparison uses constant-time to prevent timing attacks.

bcryptjscost 10constant-time compare

OTP Brute Force Protection

Email verification codes expire in 15 minutes and are invalidated after 5 failed attempts — preventing exhaustive search of the 6-digit space. Each resend replaces the previous code.

max 5 attempts15 min expiryauto-invalidate

CORS — Domain Restricted

CORS is locked to the project's own domain, not open to all origins. Development environments additionally allow localhost. Credentials are enabled only for allowed origins.

@fastify/corsorigin whitelistcredentials: true

Security Headers (Helmet)

HTTP security headers are applied globally: X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security (HSTS), and more — protecting against clickjacking, MIME sniffing, and protocol downgrade attacks.

@fastify/helmetHSTSX-Frame-Options

No SQL Injection — Prisma ORM

All database access goes through Prisma — no raw queries, no string concatenation. Sort fields are validated against an entity-specific whitelist before being passed to the ORM, preventing arbitrary field injection from query parameters.

Prisma ORMsort field whitelistno raw SQL

Input Validation — Zod

Every endpoint validates its payload with a typed Zod schema — body, query parameters, and path params. Unknown fields are stripped. Validation errors return 422 with field-level detail, never a 500.

Zod422 on errorfield-level detail

S3 Presigned URLs — Files Never Transit the Server

File uploads go directly from the browser to S3 using short-lived presigned URLs. The backend never handles file bytes — eliminating upload-based attack surface and reducing server memory pressure.

AWS S3presigned URLserver-bypass upload

Safe Error Responses

Unhandled errors return a generic 500 message — no stack traces, file paths, or internal state leaked to the client. Domain errors (401, 403, 404, 422) return structured JSON with a typed error code.

no stack trace leaktyped error codes

Roadmap

What's coming next

ClickMVP is actively evolving. Here's where we're headed.

Backend Node.js + Fastify + Prisma Shipped

Clean Architecture, SOLID, RBAC, audit, S3, email, i18n, automated tests

Frontend React + Vite + shadcn/ui Shipped

Clean Architecture, typed API clients, data tables, forms, i18n, Playwright tests

MCP Server Shipped

4 tools: list_modules, list_tables, list_fields, generate_app — works with Claude, Cursor, Copilot

AI-Ready Output Shipped

CLAUDE.md, AGENTS.md, DOMAIN.md, RECIPES.md generated with every project

Mobile Development Next

React Native and/or Flutter stack generation with the same Clean Architecture principles

More Frameworks Planned

Spring Boot (Java/Kotlin), Laravel (PHP), Django (Python), NestJS — the most popular backend frameworks

Serverless Generation Planned

AWS Lambda + API Gateway, Cloudflare Workers — deploy-ready serverless architectures from the same data models

What ClickMVP generates under the hood