chore(mgmt teardown step 5+6): drop stale dokploy comment + append DONE log

Per docs/plans/mgmt-teardown.md §4 steps 5 + 6.

Step 5: deploy/dokploy.yaml — stale "federated with mgmt.msbls.de" line
in the header comment replaced with the current host-scoped /login cookie
model. The mgmt federation never happened in projax anyway (projax
cookies are host-scoped, no Domain attribute).

Step 6: append a "DONE 2026-05-16" section to docs/plans/mgmt-teardown.md
recording every step's commit hash across both repos, the head-approved
deviation from §4 step 1 (SvelteKit-side redirect instead of Dokploy
Traefik labels — Dokploy config is UI-only), verification curls, and the
post-teardown janitorial that's out of scope for the worker (env-var
cleanup in Dokploy, DNS at m's leisure).

m/msbls.de side merged separately (86bfa61) — three commits:
2941dc4 (redirect), <previous step's commit covers the rest>.
mAi
2026-05-16 01:06:28 +02:00
parent c8164f6328
commit dc4863faca
2 changed files with 46 additions and 2 deletions


@@ -2,8 +2,8 @@
# #
# Apply via Dokploy UI on mlake, or as a reference for the manual setup. # Apply via Dokploy UI on mlake, or as a reference for the manual setup.
# Public over HTTPS with Let's Encrypt; auth is enforced at the application # Public over HTTPS with Let's Encrypt; auth is enforced at the application
# layer via Supabase JWT cookies federated with mgmt.msbls.de. # layer via Supabase JWT cookies set by projax's own /login (host-scoped,
# Single replica, single tenant (m). # no Domain attribute). Single replica, single tenant (m).
# #
# Environment expected (set via Dokploy secrets, NEVER commit): # Environment expected (set via Dokploy secrets, NEVER commit):
# PROJAX_DB_URL postgres://projax_admin:<pw>@<msupabase-tailscale-ip>:6789/postgres?sslmode=disable # PROJAX_DB_URL postgres://projax_admin:<pw>@<msupabase-tailscale-ip>:6789/postgres?sslmode=disable
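Review bot: The rewritten comment on the "layer via Supabase JWT cookies" line states a security property (host-scoped, no Domain attribute) without saying where it is enforced; name the handler or test that sets the cookie so the comment can be checked against code, and list any other cookie attributes the model relies on. The unchanged PROJAX_DB_URL example two lines below still shows `sslmode=disable`; since this header is being corrected anyway, a short note that TLS is off only because the host is a Tailscale address would keep that line from being copied to a setup where it is not.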


@@ -174,3 +174,47 @@ What can go: every `src/routes/mgmt/` file, every `src/lib/server/` file (only u
- **Gaps blocking teardown: 1 small (VEVENTs on dashboard) + 0 mandatory.** Two further "gaps" (mWorkRepo cards, mBrian topic cards) are park-forever recommendations — mgmt never shipped them either. - **Gaps blocking teardown: 1 small (VEVENTs on dashboard) + 0 mandatory.** Two further "gaps" (mWorkRepo cards, mBrian topic cards) are park-forever recommendations — mgmt never shipped them either.
**Recommendation:** Ship Gap 1 (small) → wait one week → set up redirects → wait one week → remove mgmt. Two phases of projax work + two waiting weeks = ~14 days end to end. Could be compressed to ~3 days if m skips the waiting weeks; risk is bookmark breakage in his own browser history, which he can self-mitigate. **Recommendation:** Ship Gap 1 (small) → wait one week → set up redirects → wait one week → remove mgmt. Two phases of projax work + two waiting weeks = ~14 days end to end. Could be compressed to ~3 days if m skips the waiting weeks; risk is bookmark breakage in his own browser history, which he can self-mitigate.
---
## DONE 2026-05-16
Executed in a single compressed run after Phase 3l shipped Gap 1 (VEVENTs on `/dashboard`). m approved the path A timeline; teardown landed the same session.
**Phase 3l (closing the gap)** — projax repo, commit `d49ad21`, merge `c8164f6`. `caldav.ListEvents` + Events card on `/dashboard` with 7-day window, day-grouping, RRULE-flagged-but-not-expanded. `mgmt.msbls.de` parity reached.
**Phase 3m (the teardown itself)** — split across two repos.
**Deviation from §4 step 1 (Traefik redirects):** Dokploy/Traefik configuration lives in the Dokploy UI, not in any in-repo file. Head approved the alternative (m/mAi#1908): implement the legacy-path 301 in `src/hooks.server.ts` instead — version-controlled, deploys with the app, no Dokploy UI access needed.
| Step | Repo | Commit | What landed |
|---|---|---|---|
| 1 | m/msbls.de | `2941dc4` | 301 redirect for `/mgmt/*``projax.msbls.de` (mapping helper `projaxRedirectFor`; covers `/mgmt`, `/mgmt/login`, `/mgmt/self`, and catch-all → `/dashboard`). Runs in `hooks.server.ts` before any other guard so unauth probes also land safely. |
| 2 | m/msbls.de | `89d60bc` (combined with step 4 in the same merge) | Removed `src/routes/mgmt/**` (9 files), `src/hooks.ts` (reroute), `src/lib/host-routing.{ts,test.ts}`. Inlined the two trivial cockpit-host/path predicates directly into `hooks.server.ts`. |
| 3 | m/msbls.de | n/a (verified during step 2) | Cross-repo grep for `/mgmt` strings in `~/dev/` returned only msbls.de's own (now-deleted) routes + one stale comment in projax/deploy/dokploy.yaml (handled at step 5 below). No other repo had hardcoded references. |
| 4 | m/msbls.de | `89d60bc` | Dropped the auth shell entirely — `src/lib/server/{auth,supabase,mbrian,caldav}.ts`, `Locals.userId`, `$mbrian` alias in svelte.config.js, `GITEA_TOKEN` arg + submodule clone in Dockerfile, `.gitmodules`. Sweep confirmed `hooks.server.ts` was the only consumer of `authenticateRequest`, and no remaining route (`/`, `/impressum`, `/slop`, `/[code]`) needs `locals.userId`. `bun run check` → 0 errors, `bun run build` → success. |
| 5 | m/projax | (this commit) | Cleaned the stale "auth federated with mgmt.msbls.de" comment in `deploy/dokploy.yaml` line 45 — now describes the host-scoped `/login` cookie model that projax actually uses. |
| 6 | m/projax | (this commit) | This "DONE" section appended. |
**Verification commands** (run by the worker after the m/msbls.de autoDeploy completes — m sees these in the completion report):
```sh
# /mgmt/* on any host redirects to projax (301)
curl -sS -i https://www.msbls.de/mgmt/anything | head -3
curl -sS -i https://mgmt.msbls.de/ | head -3
# Public msbls.de homepage still works
curl -sS -i https://www.msbls.de/ | head -3
# projax still works through its own auth surface
curl -sS -i https://projax.msbls.de/dashboard | head -3
```
**Post-teardown janitorial** (NOT part of this work; m can clean at leisure):
- Dokploy: drop env vars no longer used by msbls.de — `SUPABASE_HOST`, `SUPABASE_SERVICE_KEY`, `SUPABASE_ANON_KEY`, `CALDAV_BASE_URL`, `CALDAV_USER`, `CALDAV_PASSWORD`, `COOKIE_DOMAIN`, `GITEA_TOKEN`. None are referenced in code anymore.
- DNS: `mgmt.msbls.de` CNAME/A record can be retired at m's leisure. The redirect works whether the subdomain hits the msbls.de app (current shape) or 404s elsewhere. Keeping the subdomain pointing at the app preserves the redirect for bookmark-followers.
- Old browser cookies on `Domain=.msbls.de` will keep cluttering until expiry (1 year). Browsers' "clear cookies for site" works if it bothers anyone.
**Plan vs reality recap:**
- Plan estimated "~14 days with dogfood weeks" / "~3 days compressed." Actual: same session as Gap 1, ~30 minutes of actual code touch. Compression was viable because (a) the gap was small (b) test coverage on both sides was already strong (c) zero external dependencies on `/mgmt/*` per the §6 risk audit.
- No "unexpected" surprises beyond the in-repo-vs-Dokploy-UI configuration split (covered by §6's "Cookie-scope semantics change — LOW" implicitly: same theme of "Dokploy state ≠ code state"). Head approved the SvelteKit-side redirect alternative in real time.
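Review bot: In the "Post-teardown janitorial" list, the Dokploy bullet leaves `SUPABASE_SERVICE_KEY`, `CALDAV_PASSWORD`, `GITEA_TOKEN` and the other listed variables set on the msbls.de service "at leisure" even though the same bullet says no code references them; unused secrets in a deployed app's environment are exposure with no benefit, so I would make their removal a dated follow-up rather than optional, and record whether any of them need rotating. The cookie bullet has the same shape: cookies on `Domain=.msbls.de` keep being sent to every msbls.de host until they expire, so consider having the redirect response expire them instead of waiting out the year. Two smaller points: the step 5 row cites `deploy/dokploy.yaml` line 45, but the change in this commit sits in the file's header comment (hunk `@@ -2,8 +2,8 @@`); and the verification curls pipe through `head -3`, which shows the status line but may cut off the `Location` header, so the redirect target is not actually checked.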