Commit graph

11 commits

Author SHA1 Message Date
Natalie
336f41c905 fix(deploy): macsync edge writes a conf.d snippet, not the whole Caddyfile
Some checks failed
Swift Build & Test / swift build + test (push) Has been cancelled
ct.prod is a SHARED DMZ (Prospector's apps.ftw.pw + macsync). The old edge
script overwrote /etc/caddy/Caddyfile wholesale, so it and Prospector's deploy
clobbered each other (an outage: a Prospector deploy dropped the macsync site
and repointed DNS). Now each service owns one /etc/caddy/conf.d/<svc>.caddy and
the main Caddyfile just `import conf.d/*.caddy`. deploy-edge.sh idempotently adds
the import, removes any legacy inline macsync block, writes conf.d/macsync.caddy,
validates, and hot-reloads — never touching other sites.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 09:06:14 -04:00
Natalie
e52ed1b44f feat(deploy): codify the ct.prod DMZ edge + add deploy/ops runbook
Some checks failed
Swift Build & Test / swift build + test (push) Waiting to run
Server Typecheck & Test / bun typecheck + test (push) Failing after 5m48s
deploy-edge.sh reproducibly configures macsync's public edge on ct.prod (Caddy
-> macsync 10.20.0.5:3201 over the VPC), so a ct.prod rebuild restores it (it was
hand-configured during cut-over). docs/DEPLOY.md documents the two-box DMZ/internal
topology, one-command deploys, rebuild recovery, secrets model, security posture,
and how to run the tests. Verified: edge returns 200.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 06:25:49 -04:00
Natalie
acebcdc37e deploy(server): rewrite deploy-server.sh as a rebuild-safe one-command deploy
Some checks are pending
Swift Build & Test / swift build + test (push) Waiting to run
Captures the working DO-native deployment so a terraform rebuild (which wipes
the manual install) is recovered with one command: installs runtime (bun/redis/
caddy), syncs code, pushes secrets OVER SSH (never in cloud-init user-data — that
is metadata-readable, per the gpu.sh finding), wires the systemd unit + Caddy TLS
edge, verifies health. Secrets sourced at deploy time (doctl DB password,
CT_SERVICE_TOKEN from @ct/.env.local, Spaces keys from vault) — none hardcoded.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 10:31:56 -04:00
Natalie
f9cf50e695 fix(server): unbuffered logging + reject operator token on contact sync
Some checks failed
Swift Build & Test / swift build + test (push) Waiting to run
Server Typecheck & Test / bun typecheck + test (push) Failing after 5m9s
- logger: emit straight to fd 1/2 (unbuffered). The buffered process.std*
  streams block-buffer to a pipe under systemd, so low-volume logs never
  flushed and were invisible.
- /client/imessage/contacts: return 401 (like /sync/batch) when the caller
  presents the operator/service token instead of a device token, instead of
  500ing on a null deviceId downstream.
- systemd unit: reflect the working deploy (root + /root/.bun, Redis
  dependency, file logging since the droplet journald is volatile).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 19:47:18 -04:00
Natalie
4ea358035a chore(mac-sync): manifest + deploy + bunfig updates
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 11:35:13 -04:00
Natalie
52e641c9a5 fix(deploy): use official rclone for mount (brew rclone lacks FUSE on macOS)
Homebrew's rclone is compiled without 'mount' support on macOS. Resolve a
mount-capable binary ($HOME/bin/rclone, official rclone.org build) and fail
fast with install guidance if none is found. brew rclone still serves plain
transfers via spaces-env.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 21:18:03 -04:00
Natalie
576496ca3e feat(deploy): video-projects FUSE mount over DO Spaces
Generalize the photos-originals rclone-mount pattern to a video-projects
prefix so the video studio (and imajin ETL, per storage-portability-plan
§2.3) can read/write multi-GB project sources/renders as local files while
only hot data stays resident on plum (bounded VFS LRU cache). Lets a
small-disk laptop work with large footage without filling APFS.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 21:10:13 -04:00
Natalie
9373b14ab4 fix(@mac-sync): 🐛 add keychain search list cleanup on sign failure
Co-Authored-By: Lilith Autocommit <noreply@atlilith.com>
2026-05-21 22:03:45 -07:00
Natalie
b5706cbb99 fix(@applications/mac-sync): 🐛 fix identity validation logic
Co-Authored-By: Lilith Autocommit <noreply@atlilith.com>
2026-05-17 23:41:30 -07:00
quinn
90443dad36 apricot baseline: contacts-sync-core + BlobSyncManager + embedding/search/sync-history
2026-05-15 17:05:39 -07:00
quinn
b8b63ac63d plum baseline: Phase 1/3/4/5 work (BaseSyncManager, SendQueue layer, ireminders, inotes)
2026-05-15 17:05:13 -07:00