Deploy fixes (critical — Phase 0 string-rebrand didn't touch numeric ports):
- deploy.sh APP_PORT 3001 → 3002 (health check was hitting HP's app!)
- apache/dow-prod-tracker.conf — all proxy/websocket rules 3001 → 3002
  (traffic to /dow-prod-tracker would have been served by HP's container)
- deploy.sh: added COMPOSE_PROJECT=dow-prod-tracker and `-p $COMPOSE_PROJECT`
  on every `docker compose` invocation (down, up, exec, logs, ps). This is
  the CLAUDE.md belt-and-braces rule — without it, a future move of the
  deploy dir to `deploy/` would collapse the compose project name to
  `deploy` and collide with any other app in a sibling `deploy/` dir on
  the shared server. The `name:` field in compose covers us today, -p
  covers us tomorrow.
- apache conf header comment rewritten to explain the port convention and
  where to keep it in sync.

Admin add-user flow (answers the open question):
- createInvitation now creates/upserts the placeholder User row
  (email + role + organizationId + isExternal + mustChangePassword=true)
  in addition to the Invitation bookkeeping row. It stores a 24-byte
  password-reset token on BOTH the User (passwordResetToken) and the
  Invitation (token) — same token, so the existing /reset-password/[token]
  page accepts the invite URL without a separate accept endpoint.
- Role enum now includes CLIENT_VIEWER. isExternal auto-derives from role
  but can be overridden. When admin invites a CLIENT_VIEWER, the placeholder
  user lands correctly pre-flagged for external handling.
- POST /api/org/invitations now returns {acceptUrl} — the full
  /reset-password/<token> link admin can hand over out-of-band while SMTP
  is unwired.
- revokeInvitation also clears the reset token on the placeholder user so
  a leaked URL can't be used to claim the account after revocation.
- Deleted /api/invitations/accept (SSO-era — the accept IS the password
  reset now) and removed acceptInvitationSchema from the validator.

Team settings UI (src/app/(app)/settings/team/page.tsx):
- Role dropdown now has "Client (read-only)" alongside Admin/Producer/Artist.
- After a successful invite, a banner shows the accept URL with a Copy
  button so admin can paste it into Teams/email. Dismissible.
- Current-members list renders CLIENT_VIEWER with an amber badge.

Plumbing verified: tsc --noEmit ✓ zero errors.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
25 lines
1.3 KiB
Text
# ── Dow Prod Tracker — Next.js standalone at :3002 ────────────────────────
# Managed by deploy.sh — edit this file and redeploy instead of editing
# /etc/apache2/sites-available/optical-dev.oliver.solutions.conf directly.
#
# Port 3002 is unique to dow-prod-tracker on the shared optical-dev server;
# hp-prod-tracker runs on 3001. Changing this must be done in lockstep with
# docker-compose.yml app port mapping and deploy.sh APP_PORT.

# Large uploads: video files up to 500 MB (overrides the global 100 MB limit)
<Location /dow-prod-tracker>
LimitRequestBody 524288000
</Location>

# WebSocket passthrough (Next.js real-time features)
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/dow-prod-tracker/(.*) ws://127.0.0.1:3002/dow-prod-tracker/$1 [P,L]

# Chat + AI endpoints: long timeout for streaming responses
ProxyPass /dow-prod-tracker/api/chat http://127.0.0.1:3002/dow-prod-tracker/api/chat timeout=300
ProxyPassReverse /dow-prod-tracker/api/chat http://127.0.0.1:3002/dow-prod-tracker/api/chat

# All other routes (must come after more-specific paths above)
ProxyPass /dow-prod-tracker http://127.0.0.1:3002/dow-prod-tracker
ProxyPassReverse /dow-prod-tracker http://127.0.0.1:3002/dow-prod-tracker
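
Review bot: The backend port 3002 is repeated as a literal in five directives here (the `RewriteRule`, both `ProxyPass` lines and both `ProxyPassReverse` lines), which is the same kind of drift that let 3001 survive the rebrand; consider a single `Define` at the top of the file, with a variable name unique to this app on the shared server, referenced as `${...}` in each target, so a port change is one line to keep in lockstep with docker-compose.yml and deploy.sh APP_PORT. The `RewriteCond`/`RewriteRule` lines also only take effect if `RewriteEngine On` is set in the enclosing vhost, which this file does not show; a header comment stating that dependency would help. Finally, `LimitRequestBody 524288000` on `<Location /dow-prod-tracker>` raises the limit to 500 MB for every route under the prefix, including /dow-prod-tracker/api/chat; if uploads go to a specific path, scoping the `<Location>` to that path keeps the global 100 MB limit on everything else.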