Templates
Copy-ready operating templates for enterprise Next.js monorepos.
Key takeaways
- This chapter collects copy-ready templates for enterprise Next.js monorepos; replace organization, app, team, and policy names before adopting them.
- The turbo.json template declares globalDependencies, globalEnv, and per-task outputs and env keys, marking dev as non-cacheable and persistent.
- The GitHub Actions CI uses fetch-depth: 0, corepack, immutable install, and turbo run lint typecheck test build --affected.
- CODEOWNERS maps paths to teams, and the Codex requirements.toml sets approval policies, sandbox modes, feature flags, filesystem deny_read, and prefix rules.
- The incident runbook template splits into Triage, Stabilize, and Learn, requiring a postmortem within 24-48 hours.
Use these templates as starting points. Replace organization, app, team, and policy names before adopting them in production.
Turbo
{
  "$schema": "https://turbo.build/schema.json",
  "globalDependencies": ["package.json", "yarn.lock", "tsconfig.json"],
  "globalEnv": ["NODE_ENV", "VERCEL_URL"],
  "tasks": {
    "build": {
      "dependsOn": ["^build"],
      "outputs": [".next/**", "dist/**", "!.next/cache/**"],
      "env": ["NEXT_PUBLIC_APP_URL", "DATABASE_URL"]
    },
    "typecheck": { "dependsOn": ["^build"], "outputs": [] },
    "lint": { "outputs": [] },
    "test": {
      "dependsOn": ["^build"],
      "outputs": ["coverage/**", "test-results/**", "playwright-report/**"]
    },
    "dev": { "cache": false, "persistent": true }
  }
}

GitHub Actions
name: CI
on:
  pull_request:
  push:
    branches: [main]
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: yarn
      - run: corepack enable
      - run: yarn install --immutable
      - run: turbo run lint typecheck test build --affected

CODEOWNERS
* @acme/engineering-leads
/apps/web/ @acme/frontend-team
/apps/admin/ @acme/frontend-team
/packages/db/ @acme/backend-team @acme/platform-team
/packages/ui/ @acme/design-system-team
/.github/ @acme/platform-team
/turbo.json @acme/platform-team

Codex Requirements
allowed_approval_policies = ["untrusted", "on-request"]
allowed_sandbox_modes = ["read-only", "workspace-write"]
allowed_web_search_modes = ["cached"]
[features]
codex_hooks = true
in_app_browser = false
computer_use = false
[permissions.filesystem]
deny_read = ["./.env*", "./private/**"]
[rules]
prefix_rules = [
  { pattern = [{ token = "rm" }], decision = "forbidden", justification = "Use an explicit cleanup script instead." },
  { pattern = [{ token = "git" }, { any_of = ["push", "commit"] }], decision = "prompt", justification = "Require review before changing shared history." },
]

Incident Runbook
# Incident Runbook
## Triage
- [ ] Identify affected app and deployment URL
- [ ] Assign severity and Incident Commander
## Stabilize
- [ ] Check Vercel, Sentry, logs, and business metrics
- [ ] Stop or abort rolling release if active
- [ ] Roll back if customer impact continues
## Learn
- [ ] Write postmortem within 24-48 hours
- [ ] Assign owners and due dates for prevention work
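
GitHub applies the last matching CODEOWNERS line, so any path the CODEOWNERS template above does not name falls through to the catch-all owner. The script below is an added example, not part of the original templates: it resolves owners for that template and lists the paths that only the `*` rule covers. The matcher handles only the three pattern forms the template uses, and the paths in `sensitive` (including the location of requirements.toml and the apps/billing app) are constructed for illustration.

```javascript
// Added example: resolve owners with the CODEOWNERS template from this page.
// Handles only the pattern forms the template uses: "*", "/dir/" and "/file".
const CODEOWNERS = `
* @acme/engineering-leads
/apps/web/ @acme/frontend-team
/apps/admin/ @acme/frontend-team
/packages/db/ @acme/backend-team @acme/platform-team
/packages/ui/ @acme/design-system-team
/.github/ @acme/platform-team
/turbo.json @acme/platform-team
`;

function parseCodeowners(text) {
  return text
    .split("\n")
    .map((line) => line.replace(/#.*$/, "").trim()) // drop comments
    .filter(Boolean)
    .map((line) => {
      const [pattern, ...owners] = line.split(/\s+/);
      return { pattern, owners };
    });
}

function matches(pattern, path) {
  if (pattern === "*") return true;               // catch-all
  const p = pattern.replace(/^\//, "");           // leading "/" anchors to repo root
  if (p.endsWith("/")) return path.startsWith(p); // directory and everything below
  return path === p;                              // exact file
}

// The last matching line wins, so order in the file matters.
function ownersFor(rules, path) {
  let result = { pattern: null, owners: [] };
  for (const rule of rules) if (matches(rule.pattern, path)) result = rule;
  return result;
}

// Paths that are covered only by the catch-all rule.
function fallThrough(rules, paths) {
  return paths.filter((p) => ownersFor(rules, p).pattern === "*");
}

// Constructed sample paths; the last two are assumptions, not from the page.
const sensitive = [
  ".github/workflows/ci.yml", ".github/CODEOWNERS", "turbo.json",
  "packages/db/migrations/001_init.sql",
  "requirements.toml", "apps/billing/next.config.js",
];
console.log(fallThrough(parseCodeowners(CODEOWNERS), sensitive));
```

With the template as written, a newly added app and any policy file outside the named paths are reviewed only by the catch-all team until an explicit line is added for them.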