From dc4863faca3cfe521dad47ec8842e0ce383a1dc3 Mon Sep 17 00:00:00 2001 From: mAi Date: Sat, 16 May 2026 01:06:28 +0200 Subject: [PATCH] chore(mgmt teardown step 5+6): drop stale dokploy comment + append DONE log MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per docs/plans/mgmt-teardown.md §4 steps 5 + 6. Step 5: deploy/dokploy.yaml — stale "federated with mgmt.msbls.de" line in the header comment replaced with the current host-scoped /login cookie model. The mgmt federation never happened in projax anyway (projax cookies are host-scoped, no Domain attribute). Step 6: append a "DONE 2026-05-16" section to docs/plans/mgmt-teardown.md recording every step's commit hash across both repos, the head-approved deviation from §4 step 1 (SvelteKit-side redirect instead of Dokploy Traefik labels — Dokploy config is UI-only), verification curls, and the post-teardown janitorial that's out of scope for the worker (env-var cleanup in Dokploy, DNS at m's leisure). m/msbls.de side merged separately (86bfa61) — three commits: 2941dc4 (redirect), . --- deploy/dokploy.yaml | 4 ++-- docs/plans/mgmt-teardown.md | 44 +++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 2 deletions(-) diff --git a/deploy/dokploy.yaml b/deploy/dokploy.yaml index b6e4b9b..f220529 100644 --- a/deploy/dokploy.yaml +++ b/deploy/dokploy.yaml @@ -2,8 +2,8 @@ # # Apply via Dokploy UI on mlake, or as a reference for the manual setup. # Public over HTTPS with Let's Encrypt; auth is enforced at the application -# layer via Supabase JWT cookies federated with mgmt.msbls.de. -# Single replica, single tenant (m). +# layer via Supabase JWT cookies set by projax's own /login (host-scoped, +# no Domain attribute). Single replica, single tenant (m). # # Environment expected (set via Dokploy secrets, NEVER commit): # PROJAX_DB_URL postgres://projax_admin:@:6789/postgres?sslmode=disable 
diff --git a/docs/plans/mgmt-teardown.md b/docs/plans/mgmt-teardown.md index 6582019..703735d 100644 --- a/docs/plans/mgmt-teardown.md +++ b/docs/plans/mgmt-teardown.md 
@@ -174,3 +174,47 @@ What can go: every `src/routes/mgmt/` file, every `src/lib/server/` file (only u - **Gaps blocking teardown: 1 small (VEVENTs on dashboard) + 0 mandatory.** Two further "gaps" (mWorkRepo cards, mBrian topic cards) are park-forever recommendations — mgmt never shipped them either. **Recommendation:** Ship Gap 1 (small) → wait one week → set up redirects → wait one week → remove mgmt. Two phases of projax work + two waiting weeks = ~14 days end to end. Could be compressed to ~3 days if m skips the waiting weeks; risk is bookmark breakage in his own browser history, which he can self-mitigate. + +--- + +## DONE 2026-05-16 + +Executed in a single compressed run after Phase 3l shipped Gap 1 (VEVENTs on `/dashboard`). m approved the path A timeline; teardown landed the same session. + +**Phase 3l (closing the gap)** — projax repo, commit `d49ad21`, merge `c8164f6`. `caldav.ListEvents` + Events card on `/dashboard` with 7-day window, day-grouping, RRULE-flagged-but-not-expanded. `mgmt.msbls.de` parity reached. + +**Phase 3m (the teardown itself)** — split across two repos. + +**Deviation from §4 step 1 (Traefik redirects):** Dokploy/Traefik configuration lives in the Dokploy UI, not in any in-repo file. Head approved the alternative (m/mAi#1908): implement the legacy-path 301 in `src/hooks.server.ts` instead — version-controlled, deploys with the app, no Dokploy UI access needed. + +| Step | Repo | Commit | What landed | +|---|---|---|---| +| 1 | m/msbls.de | `2941dc4` | 301 redirect for `/mgmt/*` → `projax.msbls.de` (mapping helper `projaxRedirectFor`; covers `/mgmt`, `/mgmt/login`, `/mgmt/self`, and catch-all → `/dashboard`). Runs in `hooks.server.ts` before any other guard so unauth probes also land safely. | +| 2 | m/msbls.de | `89d60bc` (combined with step 4 in the same merge) | Removed `src/routes/mgmt/**` (9 files), `src/hooks.ts` (reroute), `src/lib/host-routing.{ts,test.ts}`. 
Inlined the two trivial cockpit-host/path predicates directly into `hooks.server.ts`. | +| 3 | m/msbls.de | n/a (verified during step 2) | Cross-repo grep for `/mgmt` strings in `~/dev/` returned only msbls.de's own (now-deleted) routes + one stale comment in projax/deploy/dokploy.yaml (handled at step 5 below). No other repo had hardcoded references. | +| 4 | m/msbls.de | `89d60bc` | Dropped the auth shell entirely — `src/lib/server/{auth,supabase,mbrian,caldav}.ts`, `Locals.userId`, `$mbrian` alias in svelte.config.js, `GITEA_TOKEN` arg + submodule clone in Dockerfile, `.gitmodules`. Sweep confirmed `hooks.server.ts` was the only consumer of `authenticateRequest`, and no remaining route (`/`, `/impressum`, `/slop`, `/[code]`) needs `locals.userId`. `bun run check` → 0 errors, `bun run build` → success. | +| 5 | m/projax | (this commit) | Cleaned the stale "auth federated with mgmt.msbls.de" comment in `deploy/dokploy.yaml` line 4–5 — now describes the host-scoped `/login` cookie model that projax actually uses. | +| 6 | m/projax | (this commit) | This "DONE" section appended. | + +**Verification commands** (run by the worker after the m/msbls.de autoDeploy completes — m sees these in the completion report): + +```sh +# /mgmt/* on any host redirects to projax (301) +curl -sS -i https://www.msbls.de/mgmt/anything | head -3 +curl -sS -i https://mgmt.msbls.de/ | head -3 +# Public msbls.de homepage still works +curl -sS -i https://www.msbls.de/ | head -3 +# projax still works through its own auth surface +curl -sS -i https://projax.msbls.de/dashboard | head -3 +``` + +**Post-teardown janitorial** (NOT part of this work; m can clean at leisure): + +- Dokploy: drop env vars no longer used by msbls.de — `SUPABASE_HOST`, `SUPABASE_SERVICE_KEY`, `SUPABASE_ANON_KEY`, `CALDAV_BASE_URL`, `CALDAV_USER`, `CALDAV_PASSWORD`, `COOKIE_DOMAIN`, `GITEA_TOKEN`. None are referenced in code anymore. +- DNS: `mgmt.msbls.de` CNAME/A record can be retired at m's leisure. 
The redirect works whether the subdomain hits the msbls.de app (current shape) or 404s elsewhere. Keeping the subdomain pointing at the app preserves the redirect for bookmark-followers. +- Old browser cookies on `Domain=.msbls.de` will keep cluttering until expiry (1 year). Browsers' "clear cookies for site" works if it bothers anyone. + +**Plan vs reality recap:** + +- Plan estimated "~14 days with dogfood weeks" / "~3 days compressed." Actual: same session as Gap 1, ~30 minutes of actual code touch. Compression was viable because (a) the gap was small (b) test coverage on both sides was already strong (c) zero external dependencies on `/mgmt/*` per the §6 risk audit. +- No "unexpected" surprises beyond the in-repo-vs-Dokploy-UI configuration split (covered by §6's "Cookie-scope semantics change — LOW" implicitly: same theme of "Dokploy state ≠ code state"). Head approved the SvelteKit-side redirect alternative in real time.
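Review bot: in `deploy/dokploy.yaml`, the reworded header comment (`+# layer via Supabase JWT cookies set by projax's own /login (host-scoped,` / `+# no Domain attribute). Single replica, single tenant (m).`) asserts a cookie-scoping property that is enforced in application code, not in this file. That is how the previous "federated with mgmt.msbls.de" wording went stale. Suggest naming the handler or test that sets the cookie, so the comment can be checked against it on the next change. As a style point, "Single replica, single tenant (m)." previously had its own line; folding it onto the end of the auth sentence makes the deployment-shape statement easy to miss.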
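Review bot: in `docs/plans/mgmt-teardown.md`, the "Post-teardown janitorial" list treats `SUPABASE_SERVICE_KEY`, `SUPABASE_ANON_KEY`, `CALDAV_PASSWORD` and `GITEA_TOKEN` as clutter to remove "at leisure". The step 4 row says the code that used them is gone, so they are now live credentials injected into a public app with no consumer. Suggest recording them as a tracked follow-up that includes rotation, not only removal from Dokploy. `GITEA_TOKEN` in particular was a Dockerfile build arg per step 4, and build-arg values remain readable in the history of images built before the change. The same applies to the `Domain=.msbls.de` cookies bullet: those cookies are still sent to every `*.msbls.de` host until expiry, so describe that as the reason to expire them, not as clutter.

Two smaller points in the same hunk. The verification block pipes `curl -sS -i` through `head -3`, which shows the status line but not necessarily the `Location` header, and the section records no expected output. Something like `curl -sS -o /dev/null -w '%{http_code} %{redirect_url}\n' https://mgmt.msbls.de/` with the expected result written next to it would make the 301 and its target checkable. In the DNS bullet, "The redirect works whether the subdomain hits the msbls.de app (current shape) or 404s elsewhere" contradicts the next sentence, which says the redirect is preserved only while the record points at the app; reword it to say what happens to bookmark-followers once the record is retired.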