172 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
Ronni Baslund	c6b6f8faec	docs(runbook): HetrixTools monitoring (uptime monitors + node1 agent)	2026-06-11 11:23:23 +02:00
Ronni Baslund	901cc69ba3	fix(auth): silent session renewal + 401 auto-recovery ... Idle sessions died and left a broken page: when the access token expired, nuxt-oidc-auth's automatic refresh had no refresh token to use — neither Authentik provider carried the offline_access scope mapping (and the operator never requested the scope), so the module cleared the session and every /api call 401'd until a manual F5 happened to re-auth through Authentik's still-alive SSO session. Fix 1: offline_access end to end — scope mapping attached to both live providers (and blueprints, prod + dev), operator now requests the scope. Sessions renew server-side for up to 30 days of activity (Redis store + pinned token key from earlier make the refresh tokens durable). Fix 2: client plugin in both apps — a 401 from /api sends the browser through /auth/oidc/login instead of leaving dead buttons; invisible when Authentik's session is alive, a clean sign-in screen when it isn't. Loop-guarded. Full sign-out behavior unchanged.	2026-06-11 09:21:15 +02:00
Ronni Baslund	33d6c23733	docs(stalwart): neutral SMTP banner in the white-label bootstrap notes ... Applied live: x:MtaStageConnect smtpGreeting now 'hostname + ESMTP' (default leaked 'Stalwart ESMTP at your service' to banner scanners). EHLO/IMAP greeting strings are hardcoded upstream — accepted for now.	2026-06-11 09:09:02 +02:00
Ronni Baslund	9195017904	fix(portal): Apple profile mail account labeled with the address ... Per Ronni: the Mail account shows the full address (ronni@dezky.eu) instead of the bare domain. Calendar/contacts keep the domain labels.	2026-06-11 08:45:49 +02:00
Ronni Baslund	a45d64d4ed	fix(portal): Apple profile labels derive from the user's domain ... 'dezky mail (…)' in the customer's account list is the same white-label leak as 'Stalwart Calendar' one layer up — partner tenants must see THEIR domain, not the platform brand. Every user-visible label in the .mobileconfig (account descriptions, payload names, organization) now derives from the address's own domain.	2026-06-11 08:41:19 +02:00
Ronni Baslund	2b9a77c6b9	docs(stalwart): white-label groupware defaults in the bootstrap notes ... Stalwart names every account's default calendar 'Stalwart Calendar' and address book 'Stalwart Address Book' — visible in Apple Calendar/Contacts. Set to neutral 'Calendar'/'Contacts' on the live server (x:Calendar + x:AddressBook singletons via management JMAP, existing ronni@dezky.eu collections renamed); recorded as bootstrap step 4 for rebuilds.	2026-06-11 08:39:11 +02:00
Ronni Baslund	6667d18db0	feat(portal): sign Apple profiles — Verified instead of 'unsigned' warning ... Unsigned .mobileconfig installs trip macOS warnings ('unknown developer') and an extra System Settings hunt. The route now wraps the profile in PKCS#7 SignedData (node-forge, SHA-256, full chain embedded) using the portal's own cert-manager LE certificate mounted read-only into the pod (PROFILE_SIGN_CERT/KEY). Publicly-trusted chain → Apple shows Verified. Dev (no env) and any signing failure fall back to unsigned — the download must never break over the badge. Signature round-trip verified with openssl smime.	2026-06-11 08:28:14 +02:00
Ronni Baslund	77898c5027	feat(mail): CalDAV/CardDAV exposed + in the Apple profile ... DAV was internal-only (the node's :443 is Traefik's). New mail-dav Ingress routes /.well-known/caldav, /.well-known/carddav and /dav on mail.dezky.eu through to Stalwart — with the HTTPS-redirect middleware (safe for DAV's GET/PROPFIND; kept OFF the autodiscover Ingress whose POSTs don't survive redirects). The _caldavs/_carddavs SRV records are now legitimate, so the Domains page surfaces them, and the Apple .mobileconfig gains CalDAV + CardDAV payloads: one install sets up Mail, Calendar and Contacts on Mac/iPhone. Stalwart's STALWART_PUBLIC_URL is set to https://mail.dezky.eu on the host (discovery documents).	2026-06-11 08:23:15 +02:00
Ronni Baslund	716d854b3d	fix(ci): grant ci-deployer Endpoints write (admin role excludes it) ... The deploy failed creating the selectorless stalwart-http Service's Endpoints: since the CVE-2021-25740 hardening the namespaced 'admin' role no longer grants write on legacy Endpoints. Explicit endpoints + endpointslices rules on the ci-deployer role (already applied live); manifest comment touch retriggers the infra apply.	2026-06-11 08:08:42 +02:00
Ronni Baslund	88ac5e620c	feat(mail): Outlook/Thunderbird autodiscovery over HTTPS ... Outlook autodiscovers via POST https://autodiscover.<domain>/autodiscover/ autodiscover.xml and Thunderbird via autoconfig.<domain>/mail/ config-v1.1.xml — Stalwart serves both (verified, answers carry mail.dezky.eu:993/465) but its HTTP listener wasn't reachable from outside (the node's :443 is Traefik's). New exact-path-only Ingress routes JUST those discovery endpoints to host-Stalwart via a selectorless Service + Endpoints on the cni0 gateway; the admin/management surface stays internal, and there's no HTTPS-redirect middleware because Thunderbird probes plain HTTP and Outlook POSTs. Domains page now also lists the autoconfig/autodiscover CNAMEs under the autodiscovery slot (CNAME verified against the mail host; a bare A record warns instead of failing). Customer-domain autodiscovery (per-domain certs + automated Ingress) is a follow-up.	2026-06-11 08:04:55 +02:00
Ronni Baslund	221179c4db	feat(portal): Apple Mail profile download on user rows + drawer ... The .mobileconfig button only lived on the transient credential dialogs (invite/create/reset results) — nowhere to fetch a profile for an existing mailbox. Row kebab menu gains 'Download Apple Mail profile' (mailbox users only) and the user drawer shows the button next to the mailbox address.	2026-06-11 08:00:15 +02:00
Ronni Baslund	d964efcab7	fix(portal): localPart is string | undefined under noUncheckedIndexedAccess ... split('@')[0] needs a fallback even though the email regex guarantees the separator — portal typecheck (CI) rejected the mobileconfig route.	2026-06-11 07:49:07 +02:00
Ronni Baslund	a5d82903af	fix(ci): deploy only apps whose build actually succeeded ... When an app's typecheck failed, its build job was SKIPPED — which the deploy condition tolerates (so other apps still ship) — but the deploy script keyed on the change flags alone and pinned the never-built image tag, ImagePullBackOff'ing the app (happened to portal on f6bac10). Deployable now means changed AND build result == success; otherwise the app keeps its live image, including in the manifest-apply path.	2026-06-11 07:45:08 +02:00
Ronni Baslund	acf0d082e4	feat(portal): one-click Apple Mail setup via .mobileconfig ... Apple Mail ignores RFC 6186 SRV autodiscovery and 'Microsoft Exchange' needs EWS/EAS that Stalwart doesn't speak — so custom-domain users were stuck typing IMAP/SMTP servers manually. New session-gated portal route generates an Apple configuration profile (IMAP 993 + SMTP 465 on the runtime mail host, username = address, NO password embedded — profiles are plaintext, Apple prompts at install). 'Add to Apple Mail' buttons on the three credential screens (invite result, mailbox created, password reset). CalDAV/CardDAV payloads join when DAV is reachable from outside (the node's :443 belongs to Traefik for now).	2026-06-11 07:44:49 +02:00
Ronni Baslund	38fb0f586e	fix(portal): checks map includes the autodiscovery kind ... DomainView.checks was a hardcoded five-kind union, so indexing it with the new autodiscovery RecordKey failed the portal typecheck (CI red on f6bac10). Use Record<RecordKind, RecordStatus>.	2026-06-10 22:20:33 +02:00
Ronni Baslund	f6bac10ff3	feat(domains): surface autodiscovery SRV records (RFC 6186) ... Mail clients could never autoconfigure: Stalwart's zone file contains the _imaps/_submissions/_pop3s SRV records but classify() dropped everything except mx/spf/dkim/dmarc, so customers never saw them and every client needed manual server entry. New 'autodiscovery' record kind: classified from the zone (only the services actually reachable in prod — the _jmap/_caldavs SRVs target :443 which Traefik owns, deferred to the webmail story), verified via resolveSrv (missing=bad, wrong target=warn), shown as an OPTIONAL slot on the portal Domains page that never gates the domain status or the records-to-fix nag. Also fixed on the live server via management JMAP (x:SystemSettings): hostname was the machine name node1.dezky.eu from the v0.16 auto-bootstrap — MX/SRV targets and the SMTP banner now say mail.dezky.eu, and the LE x:Certificate is set as defaultCertificateId.	2026-06-10 22:11:34 +02:00
Ronni Baslund	e77a963390	feat(infra): real TLS for mail.dezky.eu ... The cert-sync timer waited forever for a mail/mail-tls secret no Certificate resource ever requested — Stalwart served self-signed certs since install, so mail clients refused the IMAP handshake ('cannot verify account name or password' in Apple Mail). Adds the cert-manager Certificate (HTTP-01 via Traefik on :80) and documents the v0.16 wrinkle: TLS files aren't read from config anymore; a one-time file-backed x:Certificate object (created via management JMAP) points at the synced paths, after which cert-sync renewals keep working unchanged. Verified: :993 now serves the Let's Encrypt cert, verify rc=0.	2026-06-10 21:58:35 +02:00
Ronni Baslund	83214eb379	feat(tenants): isPlatformTenant flag replaces PLATFORM_TENANT_SLUG ... Identifying the company tenant by slug in env was fragile — every purge/recreate changed the slug (or id) and the apex guard chased reality through three config flips in one day. The identity now lives ON the tenant document: isPlatformTenant, operator-set from the tenant page (single holder — setting it clears the flag everywhere else), guarded so tenant admins can't set it on themselves through the shared PATCH route. The dezky.eu apex guard reads the flag; PLATFORM_TENANT_SLUG is gone. Dev seed flags its seeded tenant. config-rev 5 rolls platform-api.	2026-06-10 21:47:27 +02:00
Ronni Baslund	eefe1b3ec3	fix(infra): platform tenant is dezky-aps; disable prod seeding ... The recreated company tenant got slug dezky-aps (wizard auto-derives from the display name 'Dezky ApS'), so the dezky.eu apex guard 409'd it while the config still said 'dezky'. Also SEED_ENABLED=false in prod — the seeder resurrected a ghost 'dezky' tenant on every platform-api boot, which is how the slug landscape kept shifting. config-rev 4 rolls the pods.	2026-06-10 21:35:59 +02:00
Ronni Baslund	2bc302c082	feat(operator): partner-style tenant provisioning wizard + admin invite ... The minimal create modal silently dropped adminName/adminEmail — the invite only existed in the partner wizard's server path. Operator now gets the same 5-step wizard UX (organization, domain, first admin, plan with live price catalog, review) composed client-side: POST /tenants creates + provisions, then POST /users/invite-tenant-admin (new, operator-only — lives in UsersModule because UsersModule already imports TenantsModule and the reverse would be circular) runs the same inviteTenantAdmin flow the partner gets, and the result view hands over the single-use recovery link or temp password. Tenant detail page gains an Invite admin action for retries/successors. PLATFORM_TENANT_SLUG back to 'dezky' (the recreated company tenant) + config-rev bump to roll platform-api.	2026-06-10 21:22:14 +02:00
Ronni Baslund	fb4ff48617	feat(tenants): hard-delete (purge) for soft-deleted tenants ... Soft-delete kept the slug occupied forever — no way to remove a test tenant and reuse its name, and external resources lingered. DELETE /tenants/:slug/purge (platform-admin only, two-step: refuses anything not already soft-deleted) tears down the Stalwart service + customer domains (never the platform apex — the management admin account lives there) and the Authentik group, then removes domains/subscriptions/invoices/user links/the tenant doc. Audit trail is kept. Operator detail page shows a 'Purge permanently' card once a tenant is soft-deleted.	2026-06-10 21:07:08 +02:00
Ronni Baslund	25d932d3c1	fix(domains): platform tenant slug is configurable (prod: dezky-aps) ... The company tenant ended up as slug dezky-aps (the seeded 'dezky' tenant was deleted), so the hardcoded apex allowance for slug 'dezky' would have rejected adding dezky.eu to the real tenant. PLATFORM_TENANT_SLUG env (default 'dezky') now names the only tenant allowed to claim the PLATFORM_TENANT_DOMAIN apex.	2026-06-10 20:57:31 +02:00
Ronni Baslund	f66a343472	fix(infra): Stalwart v0.16 management admin is a real account (admin@dezky.eu) ... The v0.16 config migration silently dropped the fallback admin — the live server had ZERO accounts, so every platform-api JMAP call 401'd and tenant mail provisioning was dead. Bootstrapped via recovery mode on node1 (STALWART_RECOVERY_ADMIN): created the dezky.eu domain + an admin account with the Admin role and the existing STALWART_ADMIN_PASSWORD. v0.16 logins use the full address, so STALWART_ADMIN_USER becomes admin@dezky.eu; config-rev annotation bump rolls platform-api so it picks up the new env. install.sh follow-ups now document the recovery-mode bootstrap for rebuilds instead of the defunct fallback-admin promise.	2026-06-10 20:50:25 +02:00
Ronni Baslund	a43a172449	feat(domains): reserve the platform namespace + one workspace per domain ... dezky.eu doubles as the platform's infrastructure domain AND the company's own employee mail domain (added to the dezky tenant via the normal Domains flow). Guard rails in DomainsService.add: - a domain already used by ANY other workspace is rejected — Stalwart's idempotent ensureDomain would otherwise silently share one mail domain (and its mailboxes) between tenants - the PLATFORM_TENANT_DOMAIN apex is claimable only by the dezky tenant; everything under it (per-tenant service domains, auth/api/mail/* infra hosts) is reserved outright Set PLATFORM_TENANT_DOMAIN=dezky.eu in the prod ConfigMap (was unset, so prod service domains would have been {slug}.dezky.local) and align the seeded dezky tenant's display domain with the environment.	2026-06-10 20:15:46 +02:00
Ronni Baslund	4907d0a856	feat(ci): change-gated pipeline — only test/build/deploy what changed ... A 'changes' job diffs the push range (github.event.before..sha; falls back to everything on first/force pushes and when this workflow file itself changes) and gates per-app typecheck/test/build jobs. Deploy is asymmetric on purpose: app-only changes roll just the changed Deployments via kubectl set image; manifest changes (fleet/apps/**) apply the kustomization with every app pinned to its live image (or this push's sha) so an apply never resets unchanged apps to :latest. Docs-only pushes run nothing.	2026-06-10 19:57:50 +02:00
Ronni Baslund	94270c1f22	fix(health): env-driven infrastructure probe targets ... The operator infrastructure page probed docker-compose hostnames (stalwart/postgres/redis/traefik…) which don't resolve in k3s — 7 of 9 services showed down. Probe targets now come from HEALTH_* env vars with the compose names as dev defaults; platform-api-config.yaml sets the in-cluster/host addresses. 'disabled' omits a service from the report — used for OCIS/Collabora until the files tier is deployed.	2026-06-10 19:51:25 +02:00
Ronni Baslund	0840efb759	fix(operator,portal): env-driven sign-out URLs + host labels (no more .local in prod) ... Operator sign-out hardcoded the dev Authentik end-session URL, so prod logout landed on auth.dezky.local. Mirror the portal's env-driven pattern (NUXT_PUBLIC_AUTH_URL/NUXT_PUBLIC_OPERATOR_URL with .local fallbacks). Expose authUrl/operatorUrl via public runtimeConfig and use them for the Authentik admin links and the cosmetic host labels (sidebar, eyebrows, auth-page hints). Portal: signed-out + webmail copy now derive their hosts from runtime config (new public.mailUrl, NUXT_PUBLIC_MAIL_URL in prod).	2026-06-10 19:51:25 +02:00
Ronni Baslund	45ed282eed	fix(auth): unmount the module's build-time oidc mount before Redis mount ... nuxt-oidc-auth registers its own 'oidc' storage mount at build, so storage.mount('oidc', …) at runtime threw 'already mounted at oidc:' and crash-looped the new pods. Unmount the memory mount first.	2026-06-10 18:54:07 +02:00
Ronni Baslund	91134c94f5	feat(auth): Redis-backed OIDC sessions for portal + operator ... nuxt-oidc-auth persists sessions via useStorage('oidc'), whose default mount is per-pod memory — broken at >1 replica (random 401s) and every deploy logged all users out. A nitro plugin now mounts 'oidc' on the dezky-data Redis (db 1, app-prefixed keys, 14d TTL) when SESSION_REDIS_URL is set; dev keeps the memory driver with no Redis required. Replicas back to 2 for both apps.	2026-06-10 18:48:16 +02:00
Ronni Baslund	fd0c5d011b	fix(infra): single replica for portal/operator (per-pod OIDC sessions) ... nuxt-oidc-auth stores sessions in per-pod memory. With 2 replicas, any request balanced to the pod that didn't handle the login 401s — in practice roughly half of all operator API calls failed after sign-in. One replica until sessions move to shared storage (nitro storage on the dezky-data Redis), then scale back up. Already scaled live; this pins the manifests so the next deploy doesn't undo it.	2026-06-10 18:41:59 +02:00
Ronni Baslund	83212d7c23	feat(operator): create direct tenants from the operator portal ... The operator could list and inspect tenants but had no create flow — tenant creation only existed as the partner-portal wizard, which always attaches a partnerId. Platform-api's POST /tenants (platform-admin only, no partner field) was already built for this; add the missing UI: a New tenant modal on the tenants page (slug, name, plan/cycle/currency/seats, optional primary mail domain + first-admin invite) and the server proxy route. Operator-created tenants are direct customers; attach a partner later if needed.	2026-06-10 13:53:41 +02:00
Ronni Baslund	b155e34fe6	fix(infra): runtime OIDC overrides for prod portal/operator login ... CI builds the Nuxt images with no env, so nuxt.config bakes empty OIDC client creds and .local Authentik URLs into runtimeConfig — sign-in dead-ended on the app's own /auth/login. Nitro env overrides only apply when the var name matches the runtimeConfig path (oidc.providers.oidc.* -> NUXT_OIDC_PROVIDERS_OIDC_*), so production secrets need that second set of names; the plain NUXT_OIDC_* ones only work in dev. Also pin NUXT_OIDC_TOKEN_KEY/AUTH_SESSION_SECRET so sessions survive pod restarts. Live secrets patched on the cluster accordingly.	2026-06-10 13:24:29 +02:00
Ronni Baslund	3b9b06a99b	docs(runbook): app tier + push-to-deploy CI/CD flow ... Bring the runbook up to the 2026-06-10 state: app tier + CI/CD in current state, a Deploy flow section (push to main = release, rollback, break-glass, required Gitea secrets), reproduce steps 8-9 (app tier secrets+apply, CI runner + ci-deployer with the runner gotchas), per-router ACME-safe redirect instead of the old global one, platform-api key read-back for Bitwarden, and a pruned TODO list.	2026-06-10 12:19:47 +02:00
Ronni Baslund	9a58e486e3	docs(fleet): note verified push-to-deploy pipeline	2026-06-10 09:20:18 +02:00
Ronni Baslund	323c46fba1	fix(ci): share dind's unix socket with the runner (jobs need a mountable docker host) ... gitea/runner can only bind-mount a UNIX-socket docker host into job containers — the old tcp://localhost:2376 + TLS daemon address cannot be mounted, so build jobs still had no docker API. Share dind's /var/run/docker.sock with the runner via a /var/run emptyDir and drop the DOCKER_HOST/TLS env; the runner auto-finds the socket and the bind path resolves inside dind where the socket lives.	2026-06-10 08:51:44 +02:00
Ronni Baslund	1114be6c93	fix(ci): expose the dind docker host to job containers ... gitea/runner 1.x no longer auto-mounts the docker daemon into job containers (act_runner 0.2.x did), so 'docker build' in the build jobs failed with 'cannot connect to /var/run/docker.sock'. container.docker_host "" restores find-and-mount.	2026-06-10 08:34:54 +02:00
Ronni Baslund	3590c356a4	fix(ci): registry login via REGISTRY_TOKEN PAT ... The per-job GITHUB_TOKEN is no longer accepted by the container registry's /v2/ basic-auth endpoint since the act_runner -> gitea/runner switch (login fails 'unauthorized' before push). Use a personal access token with package read+write scope, provided as the REGISTRY_TOKEN repo secret.	2026-06-10 08:18:32 +02:00
Ronni Baslund	ec707643d6	fix(ci): act_runner 0.2.11 -> gitea/runner 1.0.8 ... Gitea 1.26 never marked finished jobs complete with the deprecated act_runner 0.2.11: the runner ran the job, logged 'Job succeeded' and freed its slot, but Gitea kept the job 'Running' forever, so dependent jobs (build -> deploy) were never dispatched. gitea/runner is the successor project; config, env vars and the .runner registration file are unchanged.	2026-06-10 08:02:40 +02:00
Ronni Baslund	c60937c5cb	feat(ci): deploy to k3s straight from the pipeline (drop Flux plan) ... Push to main = release: after build, a deploy job pins each app image to the commit SHA (kustomize edit set image), kubectl-applies fleet/apps and waits for the rollouts. The runner already runs in-cluster, so it reaches the API server on the in-cluster service IP with a kubeconfig for the new ci-deployer ServiceAccount (namespace-scoped admin, KUBECONFIG_B64 repo secret). The drafted Flux sync/image-automation layer is removed — a GitOps controller plus bot tag-bump commits is more machinery than a single-node cluster needs. Sortable image tags and $imagepolicy markers go with it. Also: per-router ACME-safe HTTP->HTTPS redirects for the app ingresses, platform-api prod config completed (Authentik JWT/JWKS + admin API, Stalwart via the cni0 gateway IP, OCIS/cold-storage placeholders until those tiers exist) and the secrets template/README updated to match.	2026-06-10 07:53:55 +02:00
Ronni Baslund	52e0f5e375	feat(operator): production build + k3s deployment ... - Dockerfile for the operator app (same pattern as portal/booking). - Env-driven auth/app base URLs in nuxt.config so one build serves dev (.local) and production (.eu). - Deployment + Service + Ingress on operator.dezky.eu. - Add operator to the typecheck matrix.	2026-06-10 07:53:55 +02:00
Ronni Baslund	d02eb5ec50	fix(authentik): pin chart 2026.5.2, grant_types allowlist, portal redirect URI ... - Pin the helm-controller chart version (unset = silent latest upgrades) and move the image tag under global.image per the 2026.5 chart layout. - Authentik 2026.5 enforces a per-provider grant_types allowlist; empty list rejected every authorize request. Allow authorization_code + refresh_token for portal and operator providers. - Fix the portal redirect URI to the nuxt-oidc-auth callback path. - Serve the auth ingress on :80 with a per-router HTTPS redirect so the cert-manager HTTP-01 solver keeps working.	2026-06-10 07:53:49 +02:00
Ronni Baslund	c814bfdf3b	feat(ci): build + push app images to the Gitea registry ... After typecheck + test pass on main, build portal/booking/platform-api images (matrix) via the dind sidecar and push to git.lastcloud.io tagged latest + SHA. Auth uses the runner's job token against the same Gitea instance.	2026-06-09 09:02:36 +02:00
Ronni Baslund	e3ce011674	fix(ci): drop actions/setup-node — use runner image's node (fixes ETXTBSY) ... actions/setup-node writes node into a tool-cache shared across concurrent jobs; with capacity>1 one job execs node while another writes it → "/usr/bin/env: 'node': Text file busy". The catthehacker runner image already ships node 24, and corepack (bundled) reads each app's packageManager — so setup-node is unneeded. Removing it eliminates the shared-cache race.	2026-06-08 23:00:58 +02:00
Ronni Baslund	72a0559b77	ci: verify run after dind fix	2026-06-08 22:56:21 +02:00
Ronni Baslund	4c5fdde787	fix(infra): docker:24-dind + capacity 2 (fix moby cgroup-v2 teardown deadlock that hung 'Complete job')	2026-06-08 22:56:21 +02:00
Ronni Baslund	aef0f44915	chore(infra): act_runner capacity 4 + disable cache server ... Add an act_runner config.yaml (ConfigMap, CONFIG_FILE env): capacity 4 so the typecheck matrix + image builds run in parallel instead of one-at-a-time, and cache.enabled: false (we removed the setup-node cache; the cache server isn't reachable from the DinD job containers anyway).	2026-06-08 22:46:43 +02:00
Ronni Baslund	46970b7e99	ci: trigger fresh run to verify green (corepack + portal TS fixes applied)	2026-06-08 22:41:17 +02:00
Ronni Baslund	b2cda6937c	fix(portal): typecheck error in scheduling (TS18048) ... timeToMin destructured [h, m] from t.split(':').map(Number); under noUncheckedIndexedAccess those are number|undefined, so `h * 60` errored. Use default-value destructuring ([h = 0, m = 0]). Surfaced now that the Gitea runner actually runs the typecheck job (it never ran before).	2026-06-08 22:38:41 +02:00
Ronni Baslund	b953be5fa2	fix(ci): use corepack instead of pnpm/action-setup ... pnpm/action-setup@v4 ran at the repo root (uses: steps ignore defaults.run.working-directory) where there is no package.json, so it couldn't read the pnpm version → "No pnpm version specified". Use corepack (bundled with node) in the install step, which reads each app's own packageManager — matching the Dockerfiles. Verified in the runner's container: corepack enable + frozen install succeeds for every app.	2026-06-08 22:36:57 +02:00
Ronni Baslund	7177fa6b9a	fix(ci): pin pnpm version in Actions (no root package.json to read) ... pnpm/action-setup ran with no version: `uses:` steps ignore defaults.run.working-directory, so it executed at the repo root, which has no package.json (per-app monorepo) → "No pnpm version specified". Pin version: 9 explicitly. Also drop setup-node's `cache: pnpm` — the act_runner cache server isn't reachable from the DinD job containers, and the install is fast anyway.	2026-06-08 22:29:32 +02:00