| name | composable-svelte-deployment |
| description | Production deployment patterns for Composable Svelte SSR applications. Use when deploying to Fly.io, Docker, or any cloud platform. Covers multi-stage Docker builds, Fly.io configuration, security hardening, performance optimization, and integration with Composable Rust backends. |
Composable Svelte Deployment
This skill covers production deployment of Composable Svelte SSR applications, with focus on Fly.io and Docker-based deployments.
Architecture Overview
Stack: Fastify + Composable Svelte SSR (NOT SvelteKit)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Fly.io โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโ โ
โ โ Composable โ โ Composable โ โ
โ โ Svelte SSR โโโโโบโ Rust Backend โ โ
โ โ (Fastify) โ โ (Axum/Actix) โ โ
โ โโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโ โ
โ Docker Container Docker Container โ
โ Internal Network: .internal (6PN) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Why NOT SvelteKit?
- Incompatible with Composable Architecture patterns
- We use custom SSR from
@composable-svelte/core/ssr
- Reducer-based state management on both client and server
- Effect system for async operations
Docker Patterns
Multi-Stage Build (REQUIRED)
Goal: <150MB final image, production-only dependencies
# Stage 1: Dependencies (Production Only)
FROM node:20-alpine AS deps
WORKDIR /app
RUN npm install -g pnpm@9
COPY package.json pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile --prod
# Stage 2: Builder (Development Dependencies + Build)
FROM node:20-alpine AS builder
WORKDIR /app
RUN npm install -g pnpm@9
COPY package.json pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile
COPY . .
RUN pnpm run build
RUN find dist -name "*.map" -type f -delete # Remove source maps
# Stage 3: Production Runtime (Minimal)
FROM node:20-alpine AS runner
RUN apk add --no-cache dumb-init
WORKDIR /app
RUN addgroup -g 1001 -S nodejs && adduser -S nodejs -u 1001
# Copy ONLY production dependencies and built artifacts
COPY --from=deps --chown=nodejs:nodejs /app/node_modules ./node_modules
COPY --from=builder --chown=nodejs:nodejs /app/dist ./dist
COPY --from=builder --chown=nodejs:nodejs /app/package.json ./package.json
USER nodejs
ENV NODE_ENV=production PORT=3000
EXPOSE 3000
ENTRYPOINT ["dumb-init", "--"]
CMD ["node", "dist/server/index.js"]
Key Patterns:
- โ
3 stages: deps (prod only) โ builder (full build) โ runner (minimal)
- โ
Non-root user:
nodejs:nodejs (UID 1001)
- โ
Alpine Linux: Minimal attack surface (<50MB base)
- โ
dumb-init: Proper signal handling (PID 1 problem)
- โ
Remove source maps:
find dist -name "*.map" -delete
- โ
Copy package.json: Required for ES module resolution
Common Mistakes:
- โ Single-stage build โ 500MB+ images
- โ Running as root โ security vulnerability
- โ Including devDependencies โ bloated images
- โ Missing package.json โ import failures with "type": "module"
Monorepo vs Standalone
Monorepo (like this repo):
# Copy workspace structure
COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
COPY packages/core/package.json ./packages/core/
COPY examples/ssr-server/package.json ./examples/ssr-server/
# Install workspace dependencies
RUN pnpm install --frozen-lockfile
# Build both packages
WORKDIR /app/packages/core
RUN pnpm run build
WORKDIR /app/examples/ssr-server
RUN pnpm run build
# Copy ALL workspace artifacts
COPY --from=builder /app/packages/core/dist ./packages/core/dist
COPY --from=builder /app/packages/core/package.json ./packages/core/package.json
COPY --from=builder /app/pnpm-workspace.yaml ./pnpm-workspace.yaml
Standalone (user's app):
# Simple install
COPY package.json package-lock.json ./
RUN npm ci
# Simple build
COPY . .
RUN npm run build
# Simple copy
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
Vite Configuration for SSR
Required: Vite must be configured for dual builds (client + server)
import { defineConfig } from 'vite';
import { svelte } from '@sveltejs/vite-plugin-svelte';
export default defineConfig({
plugins: [svelte()],
build: {
outDir: 'dist/client',
rollupOptions: {
input: 'src/client/index.ts'
}
},
ssr: {
noExternal: ['@composable-svelte/core']
}
});
package.json scripts:
{
"scripts": {
"build": "vite build && vite build --ssr",
"build:client": "vite build",
"build:server": "vite build --ssr src/server/index.ts --outDir dist/server",
"start": "NODE_ENV=production node dist/server/index.js"
}
}
Why: SSR requires TWO builds:
- Client bundle: Runs in browser, hydrates SSR HTML
- Server bundle: Runs in Node.js, renders initial HTML
Fly.io Configuration
fly.toml (Apps V2 Syntax)
app = "my-composable-app"
primary_region = "sjc"
[build]
dockerfile = "Dockerfile"
[env]
NODE_ENV = "production"
PORT = "3000"
COMPOSABLE_RUST_BACKEND_URL = "http://my-rust-backend.internal:8080"
[http_service]
internal_port = 3000
force_https = true
auto_stop_machines = true
auto_start_machines = true
min_machines_running = 0
[http_service.concurrency]
type = "connections"
hard_limit = 250
soft_limit = 200
[[vm]]
memory = '512mb'
cpu_kind = 'shared'
cpus = 1
[[http_service.checks]]
interval = "30s"
timeout = "5s"
grace_period = "10s"
method = "GET"
path = "/health"
Critical Patterns:
- โ
Apps V2 syntax:
[[http_service.checks]] NOT [[services.http_checks]]
- โ
Internal networking:
.internal domain for Rust backend (no internet egress)
- โ
Health endpoint: Must exist in your Fastify server
- โ
Secrets via CLI:
fly secrets set KEY=value (NOT in fly.toml)
Common Mistakes:
- โ Mixing Apps V1/V2 syntax โ deployment fails
- โ Hardcoding secrets in fly.toml โ security breach
- โ Missing health endpoint โ app marked unhealthy
- โ Using public URL for backend โ unnecessary egress costs
Secrets Management
NEVER commit secrets to fly.toml:
fly secrets set \
SESSION_SECRET=$(openssl rand -hex 32) \
JWT_SECRET=$(openssl rand -hex 32) \
BACKEND_API_KEY=your-backend-api-key-here
fly secrets list
[env]
SESSION_SECRET = "abc123"
Validate secrets at startup:
if (!process.env.SESSION_SECRET || process.env.SESSION_SECRET.length < 32) {
throw new Error('SESSION_SECRET must be at least 32 characters');
}
Security Hardening
HTTP Security Headers
Use built-in middleware:
import { fastifySecurityHeaders } from '@composable-svelte/core/ssr';
fastifySecurityHeaders(app, {
contentSecurityPolicy: [
"default-src 'self'",
"script-src 'self' 'unsafe-inline'",
"style-src 'self' 'unsafe-inline'",
"img-src 'self' data: https:",
"connect-src 'self' https://your-backend.fly.dev",
"frame-ancestors 'none'",
"base-uri 'self'"
].join('; '),
frameOptions: 'DENY',
referrerPolicy: 'strict-origin-when-cross-origin',
hsts: {
maxAge: 31536000,
includeSubDomains: true,
preload: true
}
});
Test headers:
curl -I https://your-app.fly.dev
Rate Limiting
Per-IP rate limiting:
import { fastifyRateLimit } from '@composable-svelte/core/ssr';
fastifyRateLimit(app, {
max: 100,
windowMs: 60000,
message: 'Too many requests from this IP'
});
Per-route rate limiting:
app.get('/api/expensive', {
config: {
rateLimit: {
max: 10,
timeWindow: 60000
}
}
}, async (request, reply) => {
});
CORS Configuration
Strict CORS for Rust backend:
import cors from '@fastify/cors';
app.register(cors, {
origin: [
'https://your-app.fly.dev',
process.env.NODE_ENV === 'development' ? 'http://localhost:3000' : null
].filter(Boolean),
credentials: true,
methods: ['GET', 'POST', 'PUT', 'DELETE']
});
Docker Security
Non-root user (REQUIRED):
RUN addgroup -g 1001 -S nodejs && adduser -S nodejs -u 1001
COPY --from=builder --chown=nodejs:nodejs /app/dist ./dist
USER nodejs
Read-only filesystem (optional):
[[vm]]
read_only = true
[[mounts]]
source = "logs"
destination = "/app/logs"
Performance Optimization
SSR Caching
In-memory cache (single instance):
const cache = new Map<string, { html: string; timestamp: number }>();
const CACHE_TTL = 60000;
app.get('*', async (request, reply) => {
const cacheKey = request.url;
const cached = cache.get(cacheKey);
if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
return reply.type('text/html').send(cached.html);
}
const html = await renderToHTML();
cache.set(cacheKey, { html, timestamp: Date.now() });
return reply.type('text/html').send(html);
});
Redis cache (multi-instance):
import Redis from 'ioredis';
const redis = new Redis(process.env.REDIS_URL);
async function getCachedHTML(key: string) {
return await redis.get(key);
}
async function setCachedHTML(key: string, html: string, ttl: number) {
await redis.setex(key, ttl, html);
}
Compression
Enable Brotli compression:
import compress from '@fastify/compress';
app.register(compress, {
global: true,
threshold: 1024,
encodings: ['gzip', 'deflate', 'br']
});
Bundle Optimization
Code splitting (automatic with Vite):
const HeavyChart = lazy(() => import('./HeavyChart.svelte'));
{#if showChart}
<Suspense fallback={<Spinner />}>
<HeavyChart data={chartData} />
</Suspense>
{/if}
Tree shaking (use named imports):
import { createStore, Effect } from '@composable-svelte/core';
import * as Core from '@composable-svelte/core';
Deployment Workflow
Local Testing
docker build -t my-composable-app .
docker images my-composable-app
docker run -p 3000:3000 \
-e COMPOSABLE_RUST_BACKEND_URL=http://localhost:8080 \
my-composable-app
curl http://localhost:3000/health
Deploy to Fly.io
fly auth login
fly launch
fly secrets set \
SESSION_SECRET=$(openssl rand -hex 32) \
JWT_SECRET=$(openssl rand -hex 32)
fly deploy
fly status
fly open
Scaling
Horizontal scaling:
fly scale count 2
fly scale count 2 --region sjc
fly scale count 1 --region lhr
Vertical scaling:
fly scale memory 1024
fly scale vm shared-cpu-2x
Autoscaling (paid):
[auto_scaling]
min_instances = 1
max_instances = 10
[[auto_scaling.metrics]]
type = "requests"
target = 500
Rollback
fly releases
fly releases rollback
fly releases rollback v3
Internal Networking (Fly.io 6PN)
Key Pattern: Use .internal domain for Composable Rust backend
[env]
COMPOSABLE_RUST_BACKEND_URL = "http://my-rust-backend.internal:8080"
export const backendAPI = createAPIClient({
baseURL: process.env.COMPOSABLE_RUST_BACKEND_URL,
timeout: 30000
});
Benefits:
- โ
Private network (no internet routing)
- โ
Faster (low latency)
- โ
Free (no egress charges)
- โ
Secure (not exposed to internet)
CORS on Rust backend:
let cors = CorsLayer::new()
.allow_origin("https://my-composable-app.fly.dev".parse::<HeaderValue>().unwrap())
.allow_methods([Method::GET, Method::POST])
.allow_headers([AUTHORIZATION, CONTENT_TYPE]);
Monitoring
Health Check Endpoint
Required for Fly.io:
app.get('/health', async () => {
return {
status: 'ok',
timestamp: new Date().toISOString(),
uptime: process.uptime()
};
});
Logs
fly logs
fly logs | grep ERROR
fly logs --tail 100
SSH into Instance
fly ssh console
ps aux
free -m
exit
Common Issues
App Won't Start
fly logs
Health Check Failing
docker run -p 3000:3000 my-composable-app
curl http://localhost:3000/health
Backend Connection Issues
fly ssh console
wget http://my-rust-backend.internal:8080/health
High Memory Usage
fly scale memory 1024
NODE_OPTIONS="--max-old-space-size=512"
Checklist
Pre-Deployment
Post-Deployment
Performance Targets
| Metric | Target | Excellent |
|---|
| Docker image size | <150MB | <100MB |
| Initial JS bundle | <100KB (gzipped) | <70KB |
| Time to First Byte (TTFB) | <200ms | <100ms |
| First Contentful Paint (FCP) | <1.8s | <1.0s |
| Largest Contentful Paint (LCP) | <2.5s | <1.5s |
| Time to Interactive (TTI) | <3.8s | <2.5s |
| Cumulative Layout Shift (CLS) | <0.1 | <0.05 |
Reference
- Full deployment plan:
plans/production-deployment/
- SSR implementation:
packages/core/src/lib/ssr/
- Security guide:
plans/production-deployment/SECURITY.md
- Optimization guide:
plans/production-deployment/OPTIMIZATION.md
