Every side project I've started in the last few years began the same way: two weeks configuring authentication, role management, rate limiting, Docker, CI/CD, and all the infrastructure nobody wants to build but every product needs. By the time I got to actual business logic, the motivation was half gone. Or even worse: copy the same code over and over again, renaming the entire thing and removing business specific code... Or god forbid syncing improvements across the projects as I learned more and more stuff.
Sure, I could have just started writing business logic and the "rest will come as needed". But I also believe that you can't build a house with wrong foundations.
So I built NETrock - a full-stack .NET 10 + SvelteKit foundation that ships everything I kept rebuilding from scratch. And today, after months of work, I'm marking it as v1.0.0.
This is the first release I'm genuinely proud of. Not "it works on my machine" proud - proud enough that I'll be building my own next products on top of it.
What Reddit told me
I shared an earlier version on Reddit a while back and the response caught me off guard. People were genuinely interested, but the feedback was clear:
- "Why Docker Compose for local dev? Aspire looks like a valid case here."
- "Does this have OAuth or 2FA?"
- "Redis changed licensing some time ago. HybridCache exists."
They were right on all counts. So I went back and addressed every one of them.
Aspire replaced Docker Compose for local development. One dotnet run now starts the full stack - API, SvelteKit frontend with hot reload, PostgreSQL, MinIO, MailPit for email testing, and an OpenTelemetry dashboard with traces, logs, and metrics. Docker Compose is still there, but only for potential production (it's up to a developer how they are gonna host).
OAuth became admin-configurable. 8 providers out of the box - Google, GitHub, Discord, Apple, Microsoft, Facebook, LinkedIn, and X. Admins enable and configure them entirely from the UI. Client credentials are encrypted at rest with AES-256-GCM. No redeploy, no environment variables to juggle. There's even a "Test Connection" button that validates credentials without a real user login.
HybridCache replaced Redis. In-process L1 cache with stampede protection, auto-invalidation via an EF Core interceptor, and zero additional infrastructure for local dev. One fewer container to manage, and for most products it's all you need.
What ships in v1.0.0
The short version: everything I've needed across every project I've built, done once and done right.
Authentication that's actually complete. JWT in HttpOnly cookies (never touches JavaScript), refresh token rotation with reuse detection (stolen token revokes the entire family), TOTP two-factor auth with QR setup and recovery codes, and OAuth with 8 providers. Not a "plug in your own auth" abstraction - a working, tested, production-hardened auth system.
An admin panel that's useful on day one. User management with search and pagination. Custom roles with a granular permission editor. Background job dashboard with execution history. OAuth provider configuration. 2FA management for locked-out users. PII compliance baked in - emails and phone numbers are masked server-side unless you have the users.view_pii permission.
A frontend that feels like a real product. Svelte 5 with runes, shadcn-svelte component library, Tailwind CSS 4, dark mode, i18n (ships with English and Czech, add a language with a single JSON file), Cmd+K command palette with permission-gated navigation, responsive design with 44px touch targets, and a BFF proxy with CSRF protection. This isn't a throwaway reference client - it's what your users interact with.
Security that's not an afterthought. CSP with nonces, rate limiting with visible countdown timers, HSTS, security stamp propagation, soft delete with full audit trail, PII compliance with server-side masking. When convenience and security conflicted, I chose security every time.
1000+ tests. Unit, component, API integration, and architecture enforcement tests. Auth flows, 2FA, OAuth, permissions, rate limiting, response contracts - covered as much as possible.
The part I'm most excited about
I integrated the project with Claude Code. NETrock ships with 20+ native skills that automate the repetitive parts of development - scaffolding features, creating endpoints, generating types from the OpenAPI spec, creating PRs with session documentation, reviewing code for production-readiness. The project also includes structured context files that give Claude deep understanding of the architecture, so it follows the conventions without you having to explain them.
This isn't about AI writing your app. It's about not having to remember which 6 files need updating when you add a new permission, or which EF Core conventions to follow for a new entity. The boring parts get automated, and you focus on what makes your product different. You still own your architecture.
Fork it, own it
After initialization, there's no dependency on "the template." You run the init script, it renames everything to your project name, and from that point on it's your code. Every architectural decision is documented so you can understand it, change it, or throw it away.
git clone https://github.com/fpindej/netrock.git my-saas
cd my-saas
./init.sh
dotnet run --project src/backend/MyProject.AppHost
Four commands and you have a running full-stack app with auth, admin panel, background jobs, email, file storage, and a polished frontend.
What's next
v1.0.0 is the foundation. I'll be building products on top of this myself, which means it'll keep getting better as I hit real-world edge cases. It will keep improving with time and more and more experience.
See it in action!
I'm hosting a live demo with some examples, guides, interactive tour... Go take a look!
It's built on a previous version, but it does the job and sells the idea quite well.
Want to contribute?
If you've ever spent the first month of a project on infrastructure instead of your actual idea - give it a look. Star it if it's useful, open an issue if something's missing, or join the Discord if you want to chat about it.
The docs are also indexed on DeepWiki if you want to explore the architecture before cloning.
Top comments (0)