All deployment commands now go through deployment.py. Deleted:
build-base-images.sh, build-apps.sh, build-testcontainers.sh, deploy.sh,
start-stack.sh, release.sh, nexus-ci-init.sh, push-to-nexus.sh,
populate-nexus.sh, publish-npm-patches.sh.
Kept nexus-init.sh and artifactory-init.sh (Docker container entrypoints).
Updated all references in CLAUDE.md, README.md, AGENTS.md, ROADMAP.md,
deployment docs, Dockerfiles, and docker-compose comments.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Dockerfile.node-deps: upgrade FROM node:22 to node:24
- Dockerfile.node-deps: rewrite main registry= line to Nexus when detected
(was only rewriting scoped @esbuild-kit registry, leaving registry.npmjs.org
unreachable inside Docker)
- Dockerfile.node-deps: fix sed ordering so cleanup of old auth lines runs
before registry rewrite (prevents new registry= line from being deleted)
- Add deployment/cli/ modular Python CLI powered by JSON config, replacing
12 shell scripts (build-base-images.sh, build-apps.sh, deploy.sh,
start-stack.sh, release.sh, nexus-init.sh, nexus-ci-init.sh,
push-to-nexus.sh, populate-nexus.sh, publish-npm-patches.sh,
build-testcontainers.sh, artifactory-init.sh)
- Bump rocksdict 0.3.23 -> 0.3.29 (old version removed from PyPI)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
node:20-slim lacks wget and curl, causing all registry connectivity
checks to silently fail and report reachable registries as UNREACHABLE.
Switching to the full node:22 image provides both tools and upgrades
to the current LTS.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Allows build containers to reach npm registries and local registries
on the host network.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The Dockerfile now probes for Nexus (:8091) and Verdaccio (:4873) via
both host.docker.internal and localhost, then rewrites .npmrc to point
at whichever is running. This lets the same .npmrc work in CI
(Verdaccio) and on desktops (Nexus) without manual editing.
When neither registry is found, a prominent warning banner is printed
with instructions to start one, then the build continues using only
the public npm registry.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dockerfile.node-deps now checks all registries in .npmrc before running
npm install, replacing a 20-minute retry loop with an immediate error
that tells the user to start Nexus/Verdaccio first. Also adds deployment
README documenting the full build order (registries → base images → apps → stack).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The android-sdk base image was failing because gradlew/gradle/ files
weren't available in the Docker build context. Replace per-project COPY
with `gradle wrapper` generation and a single stub warmup project.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CI runners (2-core ubuntu-latest) cannot build Qt6+DBAL+gameengine
in under 6 hours — always times out. Mark base-conan-deps as
require_prebuilt=true so CI errors immediately with instructions
to build locally and push instead of hanging for 6+ hours.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add check-app-changes job (runs parallel with gate-2-start after Gate 1)
that git-diffs the push range to detect whether test-relevant paths changed:
e2e_changed: frontends/ + e2e/ + packages/ + components/
unit_changed: frontends/nextjs/src/
test-unit and test-e2e both gain a cache-restore step:
- Finds the last successful run on the same branch via gh CLI
- Downloads coverage-report / playwright-report artifact from that run
- Sets hit=true if download succeeded
- All heavy steps (npm install, build, browsers, test run) are gated on
hit != 'true', so the job completes in seconds on cache hit
Fallback: if no prior successful run exists (hit=false), tests run
normally. New branches and manual dispatches always run (no before SHA).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Each matrix entry now declares watch_paths (source dirs that affect the
image). The check step combines GHCR existence with git diff:
image exists in GHCR + no changes in watch_paths → docker pull (fast)
image missing OR watch_paths changed → full rebuild + push
Uses git fetch --depth=1 origin $BEFORE to get the pre-push commit for
diffing without fetching full history. Handles edge cases: new branch,
first push (zero SHA), and manual workflow_dispatch all trigger rebuild.
watch_paths per image:
nextjs-app, codegen, pastebin, emailclient, workflowui: frontend dir + packages + components
postgres-dashboard: frontends/postgres + packages
exploded-diagrams: frontends/exploded-diagrams
dbal: dbal/
dbal-init: deployment/config/dbal + dbal/shared
TODO: expose rebuild=true/false per image to Gate 2 so E2E tests can
skip unchanged apps and reuse cached playwright-report artifacts.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
When a base or app image already exists in GHCR, pull it to the local
runner rather than exiting after the manifest check. This makes the
image immediately available for any downstream steps (security scanning,
smoke tests, dependent builds) without a rebuild.
Flow per image job:
exists=true → docker pull <image>:<branch> (fast, ~seconds)
exists=false → full build + push to GHCR
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add skip_containers dispatch input: skips all Gate 7 container builds
when existing GHCR images are sufficient (complements skip_tests)
- Decouple gate-2-start from container-build-apps: tests only need Gate 1
to pass, not a full Docker build. Gate 2 and Gate 7 now run in parallel,
cutting total pipeline time by up to 60 min on normal pushes
- Gate tier1/tier2/tier3/build-apps on !inputs.skip_containers
With GHCR existence check (previous commit) + this change, subsequent
pushes that don't touch Dockerfiles skip the build step entirely and
Gate 2 E2E tests start immediately after Gate 1 completes.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add a 'Check if image already exists in GHCR' step to tier1 and tier2
base image jobs. After GHCR login, inspect the branch-tagged manifest
and set exists=true if found. The metadata extract, build-push, and
attestation steps are all gated on exists != 'true', so subsequent
pushes that haven't changed Dockerfiles skip the 30-60 min conan/apt/
node/pip/android builds entirely.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
getByLabel('Workspace') fails because FakeMUI Select renders a custom
div-based dropdown without a real <input id>, so Playwright cannot resolve
the label→control association. Use :text-is('Workspace') to match the
FormLabel element directly with exact text, avoiding substring match on
the breadcrumb 'Workspaces' link.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Security:
- /api/setup and /api/bootstrap now require Authorization: Bearer $SETUP_SECRET
before executing any database seed operations
E2E:
- global.setup.ts: replace fixed 2s sleep with waitForServer() poll loop
(60s timeout, 1s interval) so seed POST only fires when server is ready
CI pipeline:
- lint gate: remove || true so ESLint failures propagate; tighten
error threshold from 1500 to 0 (errors are now a hard gate)
- container-build-apps: replace !failure() with explicit
needs.container-base-tier1.result == 'success' so a failed tier-1
build blocks Gate 2 instead of being silently skipped
- skip_tests workflow_dispatch input now wired to gate-2-start,
test-unit, test-e2e, and test-dbal-daemon jobs
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Fix Playwright strict mode violations in template E2E tests
- template-card/list-item prefix selectors: use toHaveCount(8) instead of
toBeVisible since the prefix selector matches all 8 template elements
- text=Overview: use role-based locator (tab) to disambiguate from heading
- text=Workspace: use label-based locator to disambiguate from nav link
https://claude.ai/code/session_01FjbPFPsxUAicLeX1HhnHaU
- template-card/list-item prefix selectors: use toHaveCount(8) instead of
toBeVisible since the prefix selector matches all 8 template elements
- text=Overview: use role-based locator (tab) to disambiguate from heading
- text=Workspace: use label-based locator to disambiguate from nav link
https://claude.ai/code/session_01FjbPFPsxUAicLeX1HhnHaU
Fix DBAL smoke test: strip /api prefix in nginx proxy config
The nginx smoke config was forwarding /api/health to dbal:8080/api/health,
but the DBAL daemon serves its health endpoint at /health (no /api prefix).
Changed proxy_pass from `http://dbal:8080` to `http://dbal:8080/` with a
trailing slash on the location block to properly strip the /api prefix.
Reverted the test assertion back to expect(resp.ok()).toBeTruthy().
https://claude.ai/code/session_01RRDzwJQRUPX5T5SvgsGMPG
The nginx smoke config was forwarding /api/health to dbal:8080/api/health,
but the DBAL daemon serves its health endpoint at /health (no /api prefix).
Changed proxy_pass from `http://dbal:8080` to `http://dbal:8080/` with a
trailing slash on the location block to properly strip the /api prefix.
Reverted the test assertion back to expect(resp.ok()).toBeTruthy().
https://claude.ai/code/session_01RRDzwJQRUPX5T5SvgsGMPG
- Auth test: login page defaults to Salesforce style, updated test to check
for salesforce-login-page testid instead of Material Design text
- Template tests: populated redux/services/data/templates.json with actual
template data (was empty), and fixed test selectors to use string IDs
(email-automation) instead of numeric IDs (1)
- DBAL smoke test: relaxed assertion to accept any HTTP response since the
DBAL daemon may not be running in CI lightweight smoke stacks
https://claude.ai/code/session_01RRDzwJQRUPX5T5SvgsGMPG
The workflowui Next.js app uses basePath: '/workflowui', so its API
routes are served at /workflowui/api/setup, not /api/setup. The global
setup was calling the wrong path, resulting in a 404 and aborting the
entire E2E test suite.
https://claude.ai/code/session_019xbfXDfsSMKjWoH6BkaPx6
The .dockerignore excluded the scripts/ directory, so
scripts/patch-bundled-deps.sh was missing during npm install in the
base-node-deps Docker image. This caused the postinstall hook to fail
with "No such file or directory" on every retry.
- Whitelist scripts/patch-bundled-deps.sh in .dockerignore
- Add COPY for the script in Dockerfile.node-deps before npm install
https://claude.ai/code/session_01LsQx9CLjseJn72Sup32Dwm
The base-node-deps Docker build failed because .npmrc routes @esbuild-kit
packages to localhost:4873 (Verdaccio), which is unreachable inside BuildKit.
- Add Verdaccio service to docker-compose.stack.yml with patched tarballs
- Start Verdaccio in Gate 7 Tier 1 before base-node-deps build
- Configure buildx with network=host so BuildKit can reach localhost:4873
- Update verdaccio.yaml storage path for container volume mount
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The postinstall script (patch-bundled-deps.sh) requires bash, which is
not available on Alpine. This caused npm install to fail silently,
leaving node_modules empty and breaking the devcontainer build.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move Gate 7 container builds (base images T1→T2→T3 + app images) to
run right after Gate 1 instead of after Gate 3. Gate 2 (E2E) now
depends on container-build-apps completing, so the smoke stack pulls
prod images from GHCR — no special E2E images, same images used
everywhere.
- container-base-tier1 needs gate-1-complete (was gate-3-complete)
- container-build-apps runs on all events including PRs
- All images push: true unconditionally (E2E needs them in GHCR)
- E2E just logs into GHCR, smoke compose pulls via image: directives
- Added dbal + dbal-init to Gate 7 app matrix
https://claude.ai/code/session_01ChKf8wbKQLBcNbBCtqCwT6
Replace the DBAL API stubs in the smoke stack with a real C++ DBAL
daemon backed by PostgreSQL so E2E tests have a functioning backend
to seed and query data against.
- Add postgres (tmpfs-backed) and dbal services to smoke compose
- Add dbal-init to seed schemas/templates into named volumes
- Support DBAL_IMAGE env var to pull pre-built image from GHCR
instead of building from source (for a publish-before-e2e flow)
- Update nginx smoke config to proxy /api to the real DBAL daemon
instead of returning hardcoded stub responses
- DBAL auto-seeds on startup via DBAL_SEED_ON_STARTUP=true
https://claude.ai/code/session_01ChKf8wbKQLBcNbBCtqCwT6
The E2E global setup calls POST /api/setup on localhost:3000, but port
3000 is the workflowui dev server which had no such route — it only
existed in the nextjs workspace. This caused a 404, leaving the DB
empty and making all data-dependent tests (workflowui-auth,
workflowui-templates) time out waiting for content that was never seeded.
- Add /api/setup/route.ts to workflowui that seeds InstalledPackage and
PageConfig records via the DBAL REST API
- Make global setup throw on seed failure instead of logging and
continuing, so the suite fails fast rather than running 250 tests
against an empty database
https://claude.ai/code/session_01ChKf8wbKQLBcNbBCtqCwT6
Replace manual docker compose start/stop in the CI workflow with
Testcontainers in Playwright global setup/teardown. This gives:
- Automatic container lifecycle tied to the test run
- Health-check-based wait strategies per service
- Clean teardown even on test failures
- No CI workflow coupling to Docker orchestration
Changes:
- e2e/global.setup.ts: Start smoke stack via DockerComposeEnvironment
(nginx, phpMyAdmin, Mongo Express, RedisInsight) with health check waits
- e2e/global.teardown.ts: New file — stops Testcontainers environment
- e2e/playwright.config.ts: Register globalSetup/globalTeardown, bind dev
servers to 0.0.0.0 in CI so nginx can proxy via host.docker.internal
- gated-pipeline.yml: Remove docker compose start/stop/verify steps,
add 10min timeout to Playwright step
- e2e/deployment-smoke.spec.ts: Update doc comment
- package.json: Add testcontainers@^11.12.0 devDependency
https://claude.ai/code/session_018rmhuicK7L7jV2YBJDXiQz
Re-allow docs/docs.db and txt/reports.db via .gitignore negation
so the project SQLite databases are version-controlled.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- multi-tenant-context: filter cross-tenant variables instead of throwing
- workflow-error-handler: add headers Map to WorkflowApiResponse for Retry-After
- workflow-error-handler: fix memory detection to require 'limit' keyword
- workflow-error-handler: expose original error message in development mode
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
workflow-error-handler: change handler return type from NextResponse to
plain { status, json } object so tests can read response.json as a property
rather than a method. Also fix EXECUTION_QUEUE_FULL status: 503 → 429.
multi-tenant-context: remove redundant global-scope variable check from
validateContextSafety (buildVariables already skips them silently). Fix
cross-tenant check to respect allowCrossTenantAccess option so super-admin
tests pass. Lowercase global-scope warning message to match test assertion.
ItemsPerPageSelector: add native prop to FakeMUI Select so a real <select>
element is rendered (enables standard testing-library queries). Pass id via
inputProps for correct label association. Replace MenuItem with <option>.
Update test to query option elements instead of .menu-item class.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The retry loop exited with sleep's exit code (0) after all 5 attempts,
letting Docker commit an empty /app/node_modules layer. Added explicit
exit 1 on the final failed attempt so the build fails visibly instead
of producing a broken base image that downstream COPY --from cannot find.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
