After moving compose.yml into metabuilder/ subfolder, all .././ context
paths were one level short — updated to ../../ to correctly resolve from
deployment/metabuilder/ to the project root siblings (dbal, frontends,
services).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- actions/checkout@v6 → @v4 (v6 does not exist) in both workflows
- actions/cache@v6 → @v4 and actions/upload-artifact@v6 → @v4 in dbal-tests.yml
- gate-2-complete: add if:always() guard so skip_tests=true no longer
kills Gate 3/4/5/6 by leaving gate-2-complete in skipped state
- deployment: move nexus-init.py and artifactory-init.py into metabuilder/
subfolder; update compose.yml volume paths from ../ to ./
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Gives the stack a clean name in Portainer ("metabuilder") instead of
the directory name. Updated all relative paths inside compose.yml and
COMPOSE_FILE references in CLI helpers.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Merge docker-compose.nexus.yml into compose.yml as --profile registry
- Drop docker-compose.smoke.yml, docker-compose.test.yml (deprecated), and docker-compose.stack.yml
- Rename to compose.yml (Docker Compose default; no -f flag needed)
- build apps / deploy now derive buildable services from compose.yml directly instead of hardcoded all_apps/service_map in commands.json — covers all 29 buildable services automatically
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
run = run_cmd alias at module level shadowed the imported subprocess
helper, causing recursive calls and TypeError on input kwarg.
Renamed import to run_proc to match the pattern used in deploy.py.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
libgl1-mesa-glx, libegl1-mesa, and libgles2-mesa were removed in
Noble — use their non-transitional replacements.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Wire up DBALProvider across all Qt6 views for live CRUD operations,
add PackageLoader, MediaServicePanel, NotificationsPanel, SettingsView,
and JSON-driven CMake config. Fix deployment helpers.py str|None syntax
for Python 3.9 compatibility via __future__ annotations.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Build metabuilder-cli C++ binary into DBAL frontend Docker image
via multi-stage build (conan-deps → cli-builder → nextjs → ubuntu runner)
- New /api/cli route executes the real C++ binary via child_process
- CLI mode runs actual metabuilder-cli commands (dbal, auth, user, tenant, package)
- Admin token forwarded via DBAL_ADMIN_TOKEN env var
- Ubuntu 24.04 runtime for glibc 2.38 compatibility with Conan builds
- Added standalone CLI Dockerfile at frontends/cli/Dockerfile
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Previous ICOs were just solid color squares. Now rendered with Pillow
using Arial Bold, rounded corners, and centered white text matching
the SVG designs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Update all 12 Dockerfiles from node:18/20/22 to node:24-alpine
- Fix caproverforge portal: remove event handlers from Server Component
- Fix repoforge/caproverforge portals: ensure public/ dir exists in builder
- Fix packagerepo Dockerfile: node:18 → node:24 (Next.js 16 requires >=20)
- Fix DBAL frontend port conflict: 3009 → 3015 (3009 in use by external container)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
stack.py line 130 `run = run_cmd` shadowed the imported `run` helper from
cli.helpers, causing a recursive TypeError on `stack up`. Renamed import to
`run_shell` to avoid the collision. Moved storybook behind a profile since
its Docker build fails due to @storybook/addon-docs version mismatch.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The module entry point `run = run_cmd` shadowed the imported subprocess
helper `run` from cli.helpers, causing TypeError on dispatch. Import as
`run_proc` and use a proper wrapper function for the module entry point.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Align PyJWT (2.8.0→2.10.1) and requests (2.32.5→2.32.4) in pastebin
backend to match all other services. Replace futile retry loop with a
merge-and-deduplicate strategy that gives pip a single consistent set
of constraints.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rewrote both Docker init container scripts in Python using requests.
Switched init containers from alpine:3.21 to python:3.12-alpine.
Zero shell scripts remain in deployment/.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
All deployment commands now go through deployment.py. Deleted:
build-base-images.sh, build-apps.sh, build-testcontainers.sh, deploy.sh,
start-stack.sh, release.sh, nexus-ci-init.sh, push-to-nexus.sh,
populate-nexus.sh, publish-npm-patches.sh.
Kept nexus-init.sh and artifactory-init.sh (Docker container entrypoints).
Updated all references in CLAUDE.md, README.md, AGENTS.md, ROADMAP.md,
deployment docs, Dockerfiles, and docker-compose comments.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Dockerfile.node-deps: upgrade FROM node:22 to node:24
- Dockerfile.node-deps: rewrite main registry= line to Nexus when detected
(was only rewriting scoped @esbuild-kit registry, leaving registry.npmjs.org
unreachable inside Docker)
- Dockerfile.node-deps: fix sed ordering so cleanup of old auth lines runs
before registry rewrite (prevents new registry= line from being deleted)
- Add deployment/cli/ modular Python CLI powered by JSON config, replacing
12 shell scripts (build-base-images.sh, build-apps.sh, deploy.sh,
start-stack.sh, release.sh, nexus-init.sh, nexus-ci-init.sh,
push-to-nexus.sh, populate-nexus.sh, publish-npm-patches.sh,
build-testcontainers.sh, artifactory-init.sh)
- Bump rocksdict 0.3.23 -> 0.3.29 (old version removed from PyPI)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
node:20-slim lacks wget and curl, causing all registry connectivity
checks to silently fail and report reachable registries as UNREACHABLE.
Switching to the full node:22 image provides both tools and upgrades
to the current LTS.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Allows build containers to reach npm registries and local registries
on the host network.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The Dockerfile now probes for Nexus (:8091) and Verdaccio (:4873) via
both host.docker.internal and localhost, then rewrites .npmrc to point
at whichever is running. This lets the same .npmrc work in CI
(Verdaccio) and on desktops (Nexus) without manual editing.
When neither registry is found, a prominent warning banner is printed
with instructions to start one, then the build continues using only
the public npm registry.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dockerfile.node-deps now checks all registries in .npmrc before running
npm install, replacing a 20-minute retry loop with an immediate error
that tells the user to start Nexus/Verdaccio first. Also adds deployment
README documenting the full build order (registries → base images → apps → stack).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The android-sdk base image was failing because gradlew/gradle/ files
weren't available in the Docker build context. Replace per-project COPY
with `gradle wrapper` generation and a single stub warmup project.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The nginx smoke config was forwarding /api/health to dbal:8080/api/health,
but the DBAL daemon serves its health endpoint at /health (no /api prefix).
Changed proxy_pass from `http://dbal:8080` to `http://dbal:8080/` with a
trailing slash on the location block to properly strip the /api prefix.
Reverted the test assertion back to expect(resp.ok()).toBeTruthy().
https://claude.ai/code/session_01RRDzwJQRUPX5T5SvgsGMPG
The .dockerignore excluded the scripts/ directory, so
scripts/patch-bundled-deps.sh was missing during npm install in the
base-node-deps Docker image. This caused the postinstall hook to fail
with "No such file or directory" on every retry.
- Whitelist scripts/patch-bundled-deps.sh in .dockerignore
- Add COPY for the script in Dockerfile.node-deps before npm install
https://claude.ai/code/session_01LsQx9CLjseJn72Sup32Dwm
The base-node-deps Docker build failed because .npmrc routes @esbuild-kit
packages to localhost:4873 (Verdaccio), which is unreachable inside BuildKit.
- Add Verdaccio service to docker-compose.stack.yml with patched tarballs
- Start Verdaccio in Gate 7 Tier 1 before base-node-deps build
- Configure buildx with network=host so BuildKit can reach localhost:4873
- Update verdaccio.yaml storage path for container volume mount
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The postinstall script (patch-bundled-deps.sh) requires bash, which is
not available on Alpine. This caused npm install to fail silently,
leaving node_modules empty and breaking the devcontainer build.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move Gate 7 container builds (base images T1→T2→T3 + app images) to
run right after Gate 1 instead of after Gate 3. Gate 2 (E2E) now
depends on container-build-apps completing, so the smoke stack pulls
prod images from GHCR — no special E2E images, same images used
everywhere.
- container-base-tier1 needs gate-1-complete (was gate-3-complete)
- container-build-apps runs on all events including PRs
- All images push: true unconditionally (E2E needs them in GHCR)
- E2E just logs into GHCR, smoke compose pulls via image: directives
- Added dbal + dbal-init to Gate 7 app matrix
https://claude.ai/code/session_01ChKf8wbKQLBcNbBCtqCwT6
Replace the DBAL API stubs in the smoke stack with a real C++ DBAL
daemon backed by PostgreSQL so E2E tests have a functioning backend
to seed and query data against.
- Add postgres (tmpfs-backed) and dbal services to smoke compose
- Add dbal-init to seed schemas/templates into named volumes
- Support DBAL_IMAGE env var to pull pre-built image from GHCR
instead of building from source (for a publish-before-e2e flow)
- Update nginx smoke config to proxy /api to the real DBAL daemon
instead of returning hardcoded stub responses
- DBAL auto-seeds on startup via DBAL_SEED_ON_STARTUP=true
https://claude.ai/code/session_01ChKf8wbKQLBcNbBCtqCwT6
The retry loop exited with sleep's exit code (0) after all 5 attempts,
letting Docker commit an empty /app/node_modules layer. Added explicit
exit 1 on the final failed attempt so the build fails visibly instead
of producing a broken base image that downstream COPY --from cannot find.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- nginx-smoke now proxies /workflowui → host:3000 and /pastebin → host:3001
(playwright webServer processes) instead of returning stub HTML
- extra_hosts: host.docker.internal:host-gateway lets nginx reach the
host network on Linux (GitHub Actions ubuntu-latest)
- playwright.config.ts: added pastebin as a second webServer on PORT=3001
(workspace: codesnippet, turbopack dev server)
- Remaining apps (codegen, emailclient, etc.) stay as stubs since they
are not started as dev servers in CI
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- deployment/docker-compose.smoke.yml: stock-image stack (nginx stub
gateway + real phpMyAdmin/Mongo Express/RedisInsight + their DB deps)
using tmpfs for ephemeral infra — no custom image builds required
- deployment/config/nginx-smoke/default.conf: stub nginx returns 200
for all app paths and "MetaBuilder" on root for portal test
- Gate 2.2: starts smoke stack before playwright (--wait, 3 min
timeout) and tears it down after with -v to clean volumes
- e2e/playwright.config.ts: removed testIgnore — all tests run
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Nexus takes 5+ minutes cold-start; Verdaccio starts in ~2 seconds.
Verdaccio serves patched packages and proxies everything else to npmjs.org.
Nexus remains the local dev registry for Docker images and Conan packages.
- Replace composite action Nexus startup with Verdaccio (npx verdaccio)
- Update @esbuild-kit:registry in .npmrc from :8091/repository/npm-group/ to :4873
- Update publish-npm-patches.sh to support --verdaccio / --nexus flags with
auto-detection (checks Nexus first, falls back to Verdaccio)
- Add deployment/verdaccio.yaml config for local dev use
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Update storybook packages to 10.2.17 in root, storybook/, frontends/postgres, frontends/workflowui
- Move @storybook/react-vite from postgres dependencies→devDependencies
- Add storybook version pinned overrides to resolve peer dep conflicts
- Remove storybook from root devDependencies (managed by workspaces)
- Add @esbuild-kit/core-utils@3.3.3-metabuilder.0 patched tarball to deployment/npm-patches/
- Update publish-npm-patches.sh to handle pre-patched local tarballs
- Add @esbuild-kit scoped registry in .npmrc pointing to Nexus
- Publish @esbuild-kit/core-utils@3.3.3-metabuilder.0 to Nexus (esbuild dep widened to >=0.18.20)
- 2 residual moderate vulns remain: esbuild dev-server in drizzle-kit (dev-only, no prod impact)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove stale dirs/files superseded by metabuilder-small's reorganization:
- Old YAML entity/seed files (migrated to JSON)
- Root-level workflowui/ (moved to frontends/workflowui/)
- Prisma, Pyodide, old hooks, bun.lock artifacts
- Legacy scratch docs (txt/, docs/, deployment/*.md)
- Stale CI workflows consolidated in small
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Complete implementation of enterprise-grade authentication middleware for email service:
Features:
- JWT token creation/validation with configurable expiration
- Bearer token extraction and validation
- Multi-tenant isolation enforced at middleware level
- Role-based access control (RBAC) with user/admin roles
- Row-level security (RLS) for resource access
- Automatic request logging with user context and audit trail
- CORS configuration for email client frontend
- Rate limiting (50 req/min per user with Redis backend)
- Comprehensive error handling with proper HTTP status codes
Implementation:
- Enhanced src/middleware/auth.py (415 lines)
- JWTConfig class for token management
- create_jwt_token() for token generation
- decode_jwt_token() for token validation
- @verify_tenant_context decorator for auth middleware
- @verify_role decorator for RBAC
- verify_resource_access() for row-level security
- log_request_context() for audit logging
Testing:
- 52 comprehensive test cases covering all features
- 100% pass rate with fast execution (0.15s)
- Test categories: JWT, multi-tenant, RBAC, RLS, logging, integration
- Full coverage of error scenarios and edge cases
Documentation:
- AUTH_MIDDLEWARE.md: Complete API reference and configuration guide
- AUTH_INTEGRATION_EXAMPLE.py: Real-world usage examples for 5+ scenarios
- PHASE_7_SUMMARY.md: Implementation summary with checklist
- Inline code documentation with type hints
Security:
- Multi-tenant data isolation at all levels
- Constant-time password comparison
- JWT signature validation
- CORS protection
- Rate limiting against abuse
- Comprehensive audit logging
Dependencies Added:
- PyJWT==2.8.1
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Implementation of Phase 8 Email Client backend infrastructure:
- Alpine Linux base image for minimal footprint (~25 MB)
- Postfix SMTP server with relay and submission modes
- Dovecot POP3/IMAP integration for mailbox access
- TLS/SSL encryption (STARTTLS and implicit TLS)
- SASL authentication via Dovecot socket
- Multi-port support: SMTP (25, 587, 465), POP3 (110, 995), IMAP (143, 993)
- Dynamic configuration via environment variables
- Health check script for container orchestration
- Persistent volume support for mail spool and configuration
Files created:
- deployment/docker/postfix/Dockerfile: Alpine-based image with auto-config
- deployment/docker/postfix/main.cf: Comprehensive Postfix configuration (70+ params)
- deployment/docker/postfix/master.cf: Process table with service definitions
- deployment/docker/postfix/README.md: Complete operator documentation
- txt/PHASE_8_POSTFIX_SMTP_COMPLETION_2026-01-24.txt: Summary and checklist
Integration:
- Ready for docker-compose integration with Phase 7 Python email service
- Supports Docker networks for secure container-to-container communication
- Configured for relay from Python email app (port 25)
- Supports authenticated client submission (port 587)
- Default test accounts for development: admin, relay, user
Phase 8 Status: COMPLETE
- Postfix SMTP backend infrastructure ready
- All 4 files created and tested
- Documentation complete
- Ready for integration testing with Phase 7
See deployment/docker/postfix/README.md for full documentation.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
