crewli

bert.hausmans/crewli

Fork 0

Commit Graph

Author	SHA1	Message	Date
bert.hausmans	a748c9ee7a	chore(deploy): single-host deploy config — drop apps/portal build, retire portal.crewli.app deploy.sh referenced apps/portal which was deleted in WS-3 PR-B1; the script has been broken in main since that merge (npm run build -w apps/portal would fail). Collapse to a single-app build. Changes: - deploy.sh: replace dual-build block (build app + portal, verify both dist/) with single-app build (build app, verify dist/index.html) - deploy/nginx/csp-portal.conf: deleted (content was identical to csp-spa.conf — verified before removal) - deploy/README.md: replace "Portal (portal.crewli.app)" server-block section with "Legacy portal redirect" — a 301 server block template that redirects portal.crewli.app → crewli.app preserving the request URI. Notes that DNS retirement is a separate ops task Out of scope: actually retiring the portal.crewli.app DNS record (operational, tracked separately). bash -n deploy.sh: clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-06 00:24:40 +02:00
bert.hausmans	28727f246b	chore: remove admin SPA and update to two-app production setup Remove apps/admin/ entirely — platform admin functionality now lives in apps/app/ under /platform/* routes for super_admin users. Production URL scheme changed: - Organizer app: crewli.app (was app.crewli.app) - Portal: portal.crewli.app (unchanged) - API: api.crewli.app (unchanged) - admin.crewli.app and app.crewli.app retired Backend: - Removed FRONTEND_ADMIN_URL config and admin cookie (crewli_admin_token) from SetAuthCookie, CookieBearerToken, cors.php, app.php - Updated .env and .env.example (two origins, no port 5173) - Updated cookie test: admin origin test → unknown origin fallback test Infrastructure: - Makefile: removed admin target - deploy/nginx: updated CSP comment, removed admin vhost - Updated README.md, CLAUDE.md, and all dev-docs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-15 08:44:10 +02:00
bert.hausmans	940297f214	security: implement CSP headers (API middleware + Nginx configs + dev meta tags) API middleware: - SecurityHeaders now sets Content-Security-Policy from config/security.php - Default API policy: "default-src 'none'; frame-ancestors 'none'" - Supports report-only mode via CSP_REPORT_ONLY env var - Policy value configurable via CSP_POLICY env var Nginx deployment configs (deploy/nginx/): - security-headers.conf: shared headers for all server blocks - csp-api.conf: restrictive JSON-only policy for api.crewli.app - csp-spa.conf: SPA policy for app/admin (self + unsafe-inline styles) - csp-portal.conf: portal policy matching SPA Development: - CSP meta tags added to all three index.html files - Includes 'unsafe-inline' + 'unsafe-eval' for Vite HMR/loader script - Each app allows its own ws:// port for HMR websocket Resolves security finding A13-9. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-14 16:14:37 +02:00

Author

SHA1

Message

Date

bert.hausmans

a748c9ee7a

chore(deploy): single-host deploy config — drop apps/portal build, retire portal.crewli.app

deploy.sh referenced apps/portal which was deleted in WS-3 PR-B1; the
script has been broken in main since that merge (npm run build
-w apps/portal would fail). Collapse to a single-app build.

Changes:
- deploy.sh: replace dual-build block (build app + portal, verify both
  dist/) with single-app build (build app, verify dist/index.html)
- deploy/nginx/csp-portal.conf: deleted (content was identical to
  csp-spa.conf — verified before removal)
- deploy/README.md: replace "Portal (portal.crewli.app)" server-block
  section with "Legacy portal redirect" — a 301 server block
  template that redirects portal.crewli.app → crewli.app preserving
  the request URI. Notes that DNS retirement is a separate ops task

Out of scope: actually retiring the portal.crewli.app DNS record
(operational, tracked separately).

bash -n deploy.sh: clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-06 00:24:40 +02:00

bert.hausmans

28727f246b

chore: remove admin SPA and update to two-app production setup

Remove apps/admin/ entirely — platform admin functionality now lives
in apps/app/ under /platform/* routes for super_admin users.

Production URL scheme changed:
- Organizer app: crewli.app (was app.crewli.app)
- Portal: portal.crewli.app (unchanged)
- API: api.crewli.app (unchanged)
- admin.crewli.app and app.crewli.app retired

Backend:
- Removed FRONTEND_ADMIN_URL config and admin cookie (crewli_admin_token)
  from SetAuthCookie, CookieBearerToken, cors.php, app.php
- Updated .env and .env.example (two origins, no port 5173)
- Updated cookie test: admin origin test → unknown origin fallback test

Infrastructure:
- Makefile: removed admin target
- deploy/nginx: updated CSP comment, removed admin vhost
- Updated README.md, CLAUDE.md, and all dev-docs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-15 08:44:10 +02:00

bert.hausmans

940297f214

security: implement CSP headers (API middleware + Nginx configs + dev meta tags)

API middleware:
- SecurityHeaders now sets Content-Security-Policy from config/security.php
- Default API policy: "default-src 'none'; frame-ancestors 'none'"
- Supports report-only mode via CSP_REPORT_ONLY env var
- Policy value configurable via CSP_POLICY env var

Nginx deployment configs (deploy/nginx/):
- security-headers.conf: shared headers for all server blocks
- csp-api.conf: restrictive JSON-only policy for api.crewli.app
- csp-spa.conf: SPA policy for app/admin (self + unsafe-inline styles)
- csp-portal.conf: portal policy matching SPA

Development:
- CSP meta tags added to all three index.html files
- Includes 'unsafe-inline' + 'unsafe-eval' for Vite HMR/loader script
- Each app allows its own ws:// port for HMR websocket

Resolves security finding A13-9.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-14 16:14:37 +02:00

3 Commits