The 2FA challenge response does not include a refreshToken (token is only
issued after successful 2FA verification). Making the field optional fixes
the TS2741 compilation error that prevented the core service from starting.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The login endpoint was incorrectly storing the access token in the
refresh_token cookie. This caused silent refresh to fail after page
reload since the short-lived access token couldn't be used for refresh.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Backend:
- POST /auth/2fa/setup - generate TOTP secret + QR code (temp Redis storage)
- POST /auth/2fa/enable - verify TOTP code and activate 2FA
- POST /auth/2fa/disable - deactivate 2FA (requires password)
- PATCH /users/me - update own profile (firstName, lastName)
- POST /users/me/change-password - change own password
Frontend:
- New ProfilePage with 3 sections: personal info, password, 2FA
- QR code display for Authenticator app setup
- Clickable user info in sidebar navigates to /profile
- AuthContext extended with twoFactorEnabled + refreshUser
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Query() decorator always returns strings. Using Number() conversion
with fallback to defaults (page=1, limit=20) to prevent NaN errors
in Prisma findMany skip/take calculations.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The `traefik healthcheck` CLI command doesn't reliably detect the
ping configuration. Using wget against the /ping endpoint instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The `traefik healthcheck` command requires `--ping=true` to be set.
Without it, the healthcheck always fails even though Traefik works fine.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Environment variables are strings from process.env. Explicit
Type decorators ensure class-transformer converts them to numbers.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix cookieParser import (default import instead of namespace)
- Cast tenant settings to Prisma.InputJsonValue for type safety
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
bcrypt requires native compilation which was skipped by
--ignore-scripts. Added python3/make/g++ and npm rebuild bcrypt.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The edoburu/pgbouncer image listens on port 5432 internally,
not 6432. Updated healthcheck and DATABASE_URL accordingly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add insight-dev-01 server IP: 172.20.10.59
- Add Git server (GAIA-GIT) details: 172.20.10.11
- Replace all IP placeholders with actual values
- Update Summarize.md with Forgejo configuration status
Server setup completed on git.xinion.lan:
- Docker Engine 29.3 installed
- Forgejo Actions + Container Registry enabled
- Runner v6.3.1 registered and running
- 5 repository secrets configured
- Branch protection on main + develop
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Step-by-step instructions for:
- Enabling Forgejo Actions and Container Registry
- Installing and registering a Forgejo Runner
- Configuring repository secrets for deployment
- Setting up branch protection rules
- Testing the Container Registry
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Generate SSH deployment key (Ed25519) for server access
- Define complete server infrastructure (ProxmoxVE VM, Docker, networking)
- Create ACCESS.md with all connection details and SSH instructions
- Create INFRASTRUCTURE.md with VM setup guide and service architecture
- Set up project directory structure per briefing specification
- Add .env.example with all required environment variables
- Add .gitignore for Node.js/Docker/TypeScript project
- Create comprehensive README.md for developer onboarding
- Add Summarize.md changelog
- Include concept and briefing documents
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
