Compare commits
34 Commits
fix/cl9-sm
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
| 4eacf62d3e | |||
| 20a46e5abf | |||
| eab74e1aba | |||
| 53c362e0c7 | |||
| 00a24e55d3 | |||
| 4c19f0fd8e | |||
| 7346447136 | |||
| e4c3c9a343 | |||
| 7538231f9d | |||
| 8c0ba875c4 | |||
| d26be9893a | |||
| 268b10554a | |||
| 8f178e6b07 | |||
| 4cf768abec | |||
| 56a30fac4b | |||
| 164e97618e | |||
| 2bb78e9864 | |||
| 173071cd5c | |||
| fc73bf422f | |||
| 4c8ff2d07d | |||
| 5b5682acb1 | |||
| 3701db4470 | |||
| c67926dcb5 | |||
| 151a13f4b3 | |||
| 79bf929b2d | |||
| 7d5512230f | |||
| 2915f10315 | |||
| 23ad8af20e | |||
| ea57734fa8 | |||
| 0efe1a5129 | |||
| 18912934f8 | |||
| 4a8e5ae853 | |||
| a2d69f8210 | |||
| 74b1ab02b6 |
36
.clinerules
Normal file
36
.clinerules
Normal file
@@ -0,0 +1,36 @@
|
|||||||
|
# Project AI Rules
|
||||||
|
|
||||||
|
This repository contains the Plesk Agency Portal SaaS project.
|
||||||
|
|
||||||
|
Before making changes, read the following documentation files:
|
||||||
|
|
||||||
|
docs/ai-bootstrap.md
|
||||||
|
docs/ai-project-context.md
|
||||||
|
docs/system-architecture.md
|
||||||
|
docs/GUARDRAILS.md
|
||||||
|
docs/next-steps.md
|
||||||
|
docs/handovers/latest.md
|
||||||
|
docs/current-focus.md
|
||||||
|
|
||||||
|
Project guidelines:
|
||||||
|
|
||||||
|
- Treat master branch as production-ready.
|
||||||
|
- Preserve the working Jenkins CI/CD deployment pipeline.
|
||||||
|
- Avoid breaking Supabase Row Level Security policies.
|
||||||
|
- Prefer minimal changes over large rewrites.
|
||||||
|
- Follow existing Next.js App Router structure.
|
||||||
|
|
||||||
|
Deployment architecture:
|
||||||
|
|
||||||
|
Jenkins builds Docker image.
|
||||||
|
Image transferred using:
|
||||||
|
docker save → scp → docker load
|
||||||
|
|
||||||
|
Application host path:
|
||||||
|
/opt/plesk-agency-portal
|
||||||
|
|
||||||
|
Public domain:
|
||||||
|
https://portal.rdbcloud.co.uk
|
||||||
|
|
||||||
|
Supabase domain
|
||||||
|
https://supabase.rdbcloud.co.uk
|
||||||
45
AI-START-HERE.md
Normal file
45
AI-START-HERE.md
Normal file
@@ -0,0 +1,45 @@
|
|||||||
|
# AI Start Here
|
||||||
|
|
||||||
|
Before making changes, read these files in order:
|
||||||
|
|
||||||
|
1. docs/ai-project-context.md
|
||||||
|
2. docs/system-architecture.md
|
||||||
|
3. docs/next-steps.md
|
||||||
|
4. docs/handovers/latest.md (or the newest dated handover file)
|
||||||
|
|
||||||
|
## Project
|
||||||
|
|
||||||
|
Plesk Agency Portal
|
||||||
|
|
||||||
|
## Rules
|
||||||
|
|
||||||
|
- Make minimal safe changes
|
||||||
|
- Do not weaken Supabase RLS
|
||||||
|
- Preserve working deployment pipeline
|
||||||
|
- Prefer extending existing patterns over rewrites
|
||||||
|
- Treat `master` as production-ready
|
||||||
|
|
||||||
|
## Current Focus
|
||||||
|
|
||||||
|
- Fix Supabase HTTPS/public URL
|
||||||
|
- Validate auth flow
|
||||||
|
- Keep CI/CD stable
|
||||||
|
|
||||||
|
## Deployment Summary
|
||||||
|
|
||||||
|
- Jenkins builds Docker image
|
||||||
|
- Image transferred via `docker save -> scp -> docker load`
|
||||||
|
- App runs on `/opt/plesk-agency-portal`
|
||||||
|
- Public app URL: `https://portal.rdbcloud.co.uk`
|
||||||
|
- supabase URL: `https://supabase.rdbcloud.co.uk`
|
||||||
|
|
||||||
|
## Notes
|
||||||
|
|
||||||
|
Use the docs folder as source of truth for current state and handover history.
|
||||||
|
|
||||||
|
## When updating the project
|
||||||
|
|
||||||
|
- update docs/ai-project-context.md for current state
|
||||||
|
- add a new file in docs/handovers/
|
||||||
|
- update docs/next-steps.md
|
||||||
|
- keep this file short
|
||||||
12
Dockerfile
12
Dockerfile
@@ -9,8 +9,14 @@ WORKDIR /app
|
|||||||
|
|
||||||
ARG NEXT_PUBLIC_SUPABASE_URL
|
ARG NEXT_PUBLIC_SUPABASE_URL
|
||||||
ARG NEXT_PUBLIC_SUPABASE_ANON_KEY
|
ARG NEXT_PUBLIC_SUPABASE_ANON_KEY
|
||||||
|
ARG SUPABASE_URL
|
||||||
|
ARG NEXT_PUBLIC_APP_URL
|
||||||
|
ARG BUILD_CACHE_BUSTER
|
||||||
ENV NEXT_PUBLIC_SUPABASE_URL=${NEXT_PUBLIC_SUPABASE_URL}
|
ENV NEXT_PUBLIC_SUPABASE_URL=${NEXT_PUBLIC_SUPABASE_URL}
|
||||||
ENV NEXT_PUBLIC_SUPABASE_ANON_KEY=${NEXT_PUBLIC_SUPABASE_ANON_KEY}
|
ENV NEXT_PUBLIC_SUPABASE_ANON_KEY=${NEXT_PUBLIC_SUPABASE_ANON_KEY}
|
||||||
|
ENV SUPABASE_URL=${SUPABASE_URL}
|
||||||
|
ENV NEXT_PUBLIC_APP_URL=${NEXT_PUBLIC_APP_URL}
|
||||||
|
ENV BUILD_CACHE_BUSTER=${BUILD_CACHE_BUSTER}
|
||||||
|
|
||||||
COPY --from=deps /app/node_modules ./node_modules
|
COPY --from=deps /app/node_modules ./node_modules
|
||||||
COPY . .
|
COPY . .
|
||||||
@@ -26,6 +32,12 @@ FROM node:20-bookworm-slim AS runner
|
|||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
ENV NODE_ENV=production
|
ENV NODE_ENV=production
|
||||||
|
ARG NEXT_PUBLIC_SUPABASE_URL
|
||||||
|
ARG SUPABASE_URL
|
||||||
|
ARG NEXT_PUBLIC_APP_URL
|
||||||
|
ENV NEXT_PUBLIC_SUPABASE_URL=${NEXT_PUBLIC_SUPABASE_URL}
|
||||||
|
ENV SUPABASE_URL=${SUPABASE_URL}
|
||||||
|
ENV NEXT_PUBLIC_APP_URL=${NEXT_PUBLIC_APP_URL}
|
||||||
|
|
||||||
COPY --from=prod-deps /app/node_modules ./node_modules
|
COPY --from=prod-deps /app/node_modules ./node_modules
|
||||||
COPY --from=builder /app/package.json ./package.json
|
COPY --from=builder /app/package.json ./package.json
|
||||||
|
|||||||
98
Jenkinsfile
vendored
98
Jenkinsfile
vendored
@@ -1,6 +1,7 @@
|
|||||||
pipeline {
|
pipeline {
|
||||||
// Build + deploy stages require Docker CLI/daemon access on the Jenkins node.
|
// Build + deploy stages require Docker CLI/daemon access on the Jenkins node.
|
||||||
// Ensure this label maps to an agent with Docker installed and usable.
|
// Ensure this label maps to an agent with Docker installed and usable.
|
||||||
|
//update
|
||||||
agent any
|
agent any
|
||||||
|
|
||||||
environment {
|
environment {
|
||||||
@@ -11,9 +12,8 @@ pipeline {
|
|||||||
APP_HOST = "${env.APP_HOST ?: '192.168.68.89'}"
|
APP_HOST = "${env.APP_HOST ?: '192.168.68.89'}"
|
||||||
APP_USER = "${env.APP_USER ?: 'deploy'}"
|
APP_USER = "${env.APP_USER ?: 'deploy'}"
|
||||||
DEPLOY_PATH = "${env.DEPLOY_PATH ?: '/opt/plesk-agency-portal'}"
|
DEPLOY_PATH = "${env.DEPLOY_PATH ?: '/opt/plesk-agency-portal'}"
|
||||||
APP_BASE_URL = "${env.APP_BASE_URL ?: 'http://192.168.68.89:3000'}"
|
APP_BASE_URL = "${env.APP_BASE_URL ?: 'https://portal.rdbcloud.co.uk'}"
|
||||||
NEXT_PUBLIC_SUPABASE_URL = "${env.NEXT_PUBLIC_SUPABASE_URL ?: ''}"
|
NEXT_PUBLIC_APP_URL = "${env.NEXT_PUBLIC_APP_URL ?: 'https://portal.rdbcloud.co.uk'}"
|
||||||
NEXT_PUBLIC_SUPABASE_ANON_KEY = "${env.NEXT_PUBLIC_SUPABASE_ANON_KEY ?: ''}"
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -64,50 +64,104 @@ pipeline {
|
|||||||
|
|
||||||
stage('Build application') {
|
stage('Build application') {
|
||||||
steps {
|
steps {
|
||||||
sh 'npm run build'
|
withCredentials([
|
||||||
|
string(credentialsId: 'supabase-public-url', variable: 'SUPABASE_PUBLIC_URL'),
|
||||||
|
string(credentialsId: 'supabase-public-anon-key', variable: 'NEXT_PUBLIC_SUPABASE_ANON_KEY')
|
||||||
|
]) {
|
||||||
|
sh '''
|
||||||
|
ANON_PREFIX="$(printf '%s' "$NEXT_PUBLIC_SUPABASE_ANON_KEY" | cut -c1-6)"
|
||||||
|
echo "ENV DEBUG:"
|
||||||
|
echo "NEXT_PUBLIC_SUPABASE_URL=$SUPABASE_PUBLIC_URL"
|
||||||
|
echo "NEXT_PUBLIC_APP_URL=$NEXT_PUBLIC_APP_URL"
|
||||||
|
echo "NEXT_PUBLIC_SUPABASE_ANON_KEY=${ANON_PREFIX}***"
|
||||||
|
echo "SUPABASE_URL=$SUPABASE_PUBLIC_URL"
|
||||||
|
|
||||||
|
NEXT_PUBLIC_SUPABASE_URL="$SUPABASE_PUBLIC_URL" \
|
||||||
|
SUPABASE_URL="$SUPABASE_PUBLIC_URL" \
|
||||||
|
NEXT_PUBLIC_APP_URL="$NEXT_PUBLIC_APP_URL" \
|
||||||
|
npm run build
|
||||||
|
'''
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
stage('Build Docker image') {
|
stage('Build Docker image') {
|
||||||
steps {
|
steps {
|
||||||
sh 'docker build --build-arg NEXT_PUBLIC_SUPABASE_URL="${NEXT_PUBLIC_SUPABASE_URL}" --build-arg NEXT_PUBLIC_SUPABASE_ANON_KEY="${NEXT_PUBLIC_SUPABASE_ANON_KEY}" -t ${IMAGE_LATEST} -t ${IMAGE_BUILD} .'
|
withCredentials([
|
||||||
|
string(credentialsId: 'supabase-public-url', variable: 'SUPABASE_PUBLIC_URL'),
|
||||||
|
string(credentialsId: 'supabase-public-anon-key', variable: 'NEXT_PUBLIC_SUPABASE_ANON_KEY')
|
||||||
|
]) {
|
||||||
|
sh 'docker build --build-arg NEXT_PUBLIC_SUPABASE_URL="$SUPABASE_PUBLIC_URL" --build-arg SUPABASE_URL="$SUPABASE_PUBLIC_URL" --build-arg NEXT_PUBLIC_APP_URL="$NEXT_PUBLIC_APP_URL" --build-arg NEXT_PUBLIC_SUPABASE_ANON_KEY="$NEXT_PUBLIC_SUPABASE_ANON_KEY" --build-arg BUILD_CACHE_BUSTER="${BUILD_NUMBER}" -t ${IMAGE_LATEST} -t ${IMAGE_BUILD} .'
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
stage('Deploy') {
|
stage('Deploy') {
|
||||||
steps {
|
steps {
|
||||||
withCredentials([sshUserPrivateKey(
|
|
||||||
credentialsId: "${env.DEPLOY_SSH_CREDENTIAL_ID}",
|
|
||||||
keyFileVariable: 'SSH_KEY'
|
|
||||||
)]) {
|
|
||||||
sh '''
|
sh '''
|
||||||
bash -eo pipefail << 'EOF'
|
bash <<'EOF'
|
||||||
set -euo pipefail
|
set -euxo pipefail
|
||||||
|
|
||||||
ssh -i "$SSH_KEY" "$APP_USER@$APP_HOST" "mkdir -p $DEPLOY_PATH/scripts"
|
SSH_KEY="/var/lib/jenkins/.ssh/plesk_agency_deploy"
|
||||||
|
SSH_USER="deploy"
|
||||||
|
SSH_COMMON_OPTS="-i ${SSH_KEY} -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
|
||||||
|
SSH_OPTS="-n ${SSH_COMMON_OPTS}"
|
||||||
|
RSYNC_SSH="ssh ${SSH_COMMON_OPTS}"
|
||||||
|
|
||||||
|
echo "SSH user from configured deploy key: ${SSH_USER}"
|
||||||
|
echo "SSH key file path: ${SSH_KEY}"
|
||||||
|
ls -l "${SSH_KEY}"
|
||||||
|
ssh-keygen -y -f "${SSH_KEY}"
|
||||||
|
|
||||||
|
echo "Testing remote SSH connectivity"
|
||||||
|
ssh -n ${SSH_OPTS} "${SSH_USER}@${APP_HOST}" "whoami && hostname && pwd"
|
||||||
|
|
||||||
|
echo "Deploying image tag: ${IMAGE_BUILD}"
|
||||||
|
docker image inspect "${IMAGE_BUILD}" --format='{{.Id}} {{.RepoTags}}'
|
||||||
|
|
||||||
|
ssh -n ${SSH_OPTS} "$SSH_USER@$APP_HOST" "mkdir -p $DEPLOY_PATH/scripts"
|
||||||
|
|
||||||
rsync -az \
|
rsync -az \
|
||||||
-e "ssh -i $SSH_KEY" \
|
-e "${RSYNC_SSH}" \
|
||||||
docker-compose.prod.yml \
|
docker-compose.prod.yml \
|
||||||
"$APP_USER@$APP_HOST:$DEPLOY_PATH/"
|
"$SSH_USER@$APP_HOST:$DEPLOY_PATH/"
|
||||||
|
|
||||||
rsync -az \
|
rsync -az \
|
||||||
-e "ssh -i $SSH_KEY" \
|
-e "${RSYNC_SSH}" \
|
||||||
scripts/ \
|
scripts/ \
|
||||||
"$APP_USER@$APP_HOST:$DEPLOY_PATH/scripts/"
|
"$SSH_USER@$APP_HOST:$DEPLOY_PATH/scripts/"
|
||||||
|
|
||||||
docker save ${IMAGE_LATEST} ${IMAGE_BUILD} \
|
IMAGE_TAR="plesk-agency-portal-build.tar"
|
||||||
| ssh -i "$SSH_KEY" "$APP_USER@$APP_HOST" 'docker load'
|
echo "Creating image archive: ${IMAGE_TAR}"
|
||||||
|
docker save -o "${IMAGE_TAR}" "${IMAGE_BUILD}"
|
||||||
|
ls -lh "${IMAGE_TAR}"
|
||||||
|
sha256sum "${IMAGE_TAR}"
|
||||||
|
|
||||||
ssh -i "$SSH_KEY" "$APP_USER@$APP_HOST" \
|
echo "Copying image archive to remote host via scp"
|
||||||
|
scp ${SSH_COMMON_OPTS} "${IMAGE_TAR}" "$SSH_USER@$APP_HOST:$DEPLOY_PATH/"
|
||||||
|
|
||||||
|
echo "Verifying image archive exists on remote host"
|
||||||
|
ssh -n ${SSH_OPTS} "$SSH_USER@$APP_HOST" "ls -lh $DEPLOY_PATH/plesk-agency-portal-build.tar"
|
||||||
|
ssh -n ${SSH_OPTS} "$SSH_USER@$APP_HOST" "sha256sum $DEPLOY_PATH/plesk-agency-portal-build.tar"
|
||||||
|
|
||||||
|
echo "Loading image archive on remote host"
|
||||||
|
ssh -n ${SSH_OPTS} "$SSH_USER@$APP_HOST" "docker load -i $DEPLOY_PATH/plesk-agency-portal-build.tar"
|
||||||
|
|
||||||
|
echo "Verifying exact image tag is available on remote host"
|
||||||
|
ssh -n ${SSH_OPTS} "$SSH_USER@$APP_HOST" "docker image inspect ${IMAGE_BUILD} --format='{{.Id}} {{.RepoTags}}'"
|
||||||
|
|
||||||
|
ssh -n ${SSH_OPTS} "$SSH_USER@$APP_HOST" \
|
||||||
"cd $DEPLOY_PATH && chmod +x ./scripts/deploy-prod.sh ./scripts/smoke-check.sh ./scripts/rollback-prod.sh"
|
"cd $DEPLOY_PATH && chmod +x ./scripts/deploy-prod.sh ./scripts/smoke-check.sh ./scripts/rollback-prod.sh"
|
||||||
|
|
||||||
ssh -i "$SSH_KEY" "$APP_USER@$APP_HOST" \
|
echo "Running remote deploy script with exact image tag"
|
||||||
"cd $DEPLOY_PATH && ./scripts/deploy-prod.sh"
|
ssh -n ${SSH_OPTS} "$SSH_USER@$APP_HOST" \
|
||||||
|
"cd $DEPLOY_PATH && APP_IMAGE='${IMAGE_BUILD}' ./scripts/deploy-prod.sh"
|
||||||
|
|
||||||
|
echo "Printing final running container image metadata"
|
||||||
|
ssh -n ${SSH_OPTS} "$SSH_USER@$APP_HOST" "docker inspect plesk-agency-portal --format='{{.Image}} {{.Created}}'"
|
||||||
EOF
|
EOF
|
||||||
'''
|
'''
|
||||||
}
|
}
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
stage('Smoke check') {
|
stage('Smoke check') {
|
||||||
|
|||||||
245
docs/GUARDRAILS.md
Normal file
245
docs/GUARDRAILS.md
Normal file
@@ -0,0 +1,245 @@
|
|||||||
|
# GUARDRAILS
|
||||||
|
|
||||||
|
These systems are **currently working** and must **not be broken by AI refactors**.
|
||||||
|
|
||||||
|
AI tools must **prefer minimal changes** and avoid architecture changes unless explicitly instructed.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Core Principle
|
||||||
|
|
||||||
|
If a task can be solved with a **small change**, the AI must **not perform a large rewrite**.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Git Workflow Rules
|
||||||
|
|
||||||
|
The AI must **NEVER commit directly to `master` or `main`.**
|
||||||
|
|
||||||
|
All changes must be made via a branch.
|
||||||
|
|
||||||
|
## Branch naming conventions
|
||||||
|
|
||||||
|
Feature work:
|
||||||
|
|
||||||
|
feature/<short-description>
|
||||||
|
|
||||||
|
Bug fixes:
|
||||||
|
|
||||||
|
fix/<short-description>
|
||||||
|
|
||||||
|
Examples:
|
||||||
|
|
||||||
|
feature/supabase-public-endpoint
|
||||||
|
fix/smoke-check-url
|
||||||
|
fix/magic-link-auth
|
||||||
|
|
||||||
|
## Required workflow
|
||||||
|
|
||||||
|
1. Create a branch from `master`
|
||||||
|
2. Make the required changes
|
||||||
|
3. Commit changes to that branch
|
||||||
|
4. Show the diff
|
||||||
|
5. Do **not merge automatically**
|
||||||
|
6. Push the branch and create a pull request unless explicitly told not to.
|
||||||
|
7. User performs merge after review
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Infrastructure Protection
|
||||||
|
|
||||||
|
The AI must **not modify infrastructure** unless explicitly instructed.
|
||||||
|
|
||||||
|
This includes:
|
||||||
|
|
||||||
|
- DNS records
|
||||||
|
- reverse proxy configuration
|
||||||
|
- SSL certificates
|
||||||
|
- server networking
|
||||||
|
- firewall rules
|
||||||
|
- Proxmox configuration
|
||||||
|
- VM/LXC creation
|
||||||
|
- Nginx Proxy Manager configuration
|
||||||
|
- Supabase server configuration
|
||||||
|
|
||||||
|
These systems are **managed manually**.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# CI/CD
|
||||||
|
|
||||||
|
The Jenkins pipeline currently **builds and deploys the application**.
|
||||||
|
|
||||||
|
Deployment process:
|
||||||
|
|
||||||
|
docker save → scp → docker load
|
||||||
|
|
||||||
|
The AI must **not change the deployment architecture** without instruction.
|
||||||
|
|
||||||
|
Allowed CI changes:
|
||||||
|
|
||||||
|
- fixing pipeline bugs
|
||||||
|
- improving reliability
|
||||||
|
- adding environment variables
|
||||||
|
- improving logs
|
||||||
|
|
||||||
|
Not allowed:
|
||||||
|
|
||||||
|
- replacing Jenkins
|
||||||
|
- replacing Docker deployment
|
||||||
|
- changing deployment host
|
||||||
|
- introducing Kubernetes
|
||||||
|
- major CI architecture changes
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Container
|
||||||
|
|
||||||
|
Container name:
|
||||||
|
|
||||||
|
plesk-agency-portal
|
||||||
|
|
||||||
|
Deployment path:
|
||||||
|
|
||||||
|
/opt/plesk-agency-portal
|
||||||
|
|
||||||
|
The AI must **not rename containers or paths** without explicit approval.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Reverse Proxy
|
||||||
|
|
||||||
|
Reverse proxy is managed by:
|
||||||
|
|
||||||
|
Nginx Proxy Manager
|
||||||
|
|
||||||
|
Public application URL:
|
||||||
|
|
||||||
|
https://portal.rdbcloud.co.uk
|
||||||
|
|
||||||
|
Supabase public endpoint:
|
||||||
|
|
||||||
|
https://supabase.rdbcloud.co.uk
|
||||||
|
|
||||||
|
The AI must **not change reverse proxy configuration**.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Authentication
|
||||||
|
|
||||||
|
Authentication system:
|
||||||
|
|
||||||
|
Supabase Magic Link
|
||||||
|
|
||||||
|
Required environment variables:
|
||||||
|
|
||||||
|
NEXT_PUBLIC_SUPABASE_URL
|
||||||
|
SUPABASE_URL
|
||||||
|
NEXT_PUBLIC_SUPABASE_ANON_KEY
|
||||||
|
|
||||||
|
The AI must **not replace the authentication system**.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Environment Variables
|
||||||
|
|
||||||
|
Secrets must **never be committed to the repository**.
|
||||||
|
|
||||||
|
Secrets must come from:
|
||||||
|
|
||||||
|
- Jenkins credentials
|
||||||
|
- environment variables
|
||||||
|
- deployment configuration
|
||||||
|
|
||||||
|
Never commit:
|
||||||
|
|
||||||
|
API keys
|
||||||
|
private tokens
|
||||||
|
database passwords
|
||||||
|
service keys
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Docker
|
||||||
|
|
||||||
|
Docker is used for **build and deployment**.
|
||||||
|
|
||||||
|
The AI may:
|
||||||
|
|
||||||
|
- update Dockerfile
|
||||||
|
- fix build issues
|
||||||
|
- improve caching
|
||||||
|
|
||||||
|
The AI must **not introduce complex container orchestration**.
|
||||||
|
|
||||||
|
Not allowed:
|
||||||
|
|
||||||
|
kubernetes
|
||||||
|
docker swarm
|
||||||
|
nomad
|
||||||
|
terraform
|
||||||
|
|
||||||
|
Unless explicitly requested.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Database
|
||||||
|
|
||||||
|
Database system:
|
||||||
|
|
||||||
|
Supabase Postgres
|
||||||
|
|
||||||
|
The AI must **not perform destructive database changes**.
|
||||||
|
|
||||||
|
Not allowed automatically:
|
||||||
|
|
||||||
|
DROP TABLE
|
||||||
|
DROP COLUMN
|
||||||
|
DELETE large datasets
|
||||||
|
schema rewrites
|
||||||
|
|
||||||
|
Schema changes must be **reviewed first**.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Safe Refactoring Rules
|
||||||
|
|
||||||
|
Allowed:
|
||||||
|
|
||||||
|
- small code improvements
|
||||||
|
- bug fixes
|
||||||
|
- performance improvements
|
||||||
|
- logging improvements
|
||||||
|
- type fixes
|
||||||
|
- lint fixes
|
||||||
|
|
||||||
|
Avoid:
|
||||||
|
|
||||||
|
- large rewrites
|
||||||
|
- framework changes
|
||||||
|
- directory restructuring
|
||||||
|
- renaming large parts of the codebase
|
||||||
|
|
||||||
|
Unless specifically requested.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# When AI Is Unsure
|
||||||
|
|
||||||
|
If the AI is unsure:
|
||||||
|
|
||||||
|
1. Explain the risk
|
||||||
|
2. Ask for clarification
|
||||||
|
3. Do **not proceed with risky changes**
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Priority Order
|
||||||
|
|
||||||
|
When making decisions, the AI must prioritise:
|
||||||
|
|
||||||
|
1. **Do not break production**
|
||||||
|
2. **Respect guardrails**
|
||||||
|
3. **Make minimal safe changes**
|
||||||
|
4. **Preserve deployment pipeline**
|
||||||
|
5. **Follow branch workflow**
|
||||||
43
docs/PROJECT-STATE.md
Normal file
43
docs/PROJECT-STATE.md
Normal file
@@ -0,0 +1,43 @@
|
|||||||
|
# PROJECT-STATE
|
||||||
|
|
||||||
|
## Stable Systems
|
||||||
|
|
||||||
|
The following are stable and working:
|
||||||
|
|
||||||
|
CI/CD pipeline
|
||||||
|
Docker deployment
|
||||||
|
Reverse proxy routing
|
||||||
|
Application container startup
|
||||||
|
Smoke test endpoint
|
||||||
|
|
||||||
|
## Deployment
|
||||||
|
|
||||||
|
Jenkins → Build → Docker image → docker save → SCP → docker load → container recreate
|
||||||
|
|
||||||
|
App path:
|
||||||
|
|
||||||
|
/opt/plesk-agency-portal
|
||||||
|
|
||||||
|
Container:
|
||||||
|
|
||||||
|
plesk-agency-portal
|
||||||
|
|
||||||
|
## Public Endpoint
|
||||||
|
|
||||||
|
https://portal.rdbcloud.co.uk
|
||||||
|
|
||||||
|
## Current Work
|
||||||
|
|
||||||
|
Fix Supabase HTTPS endpoint and authentication flow.
|
||||||
|
|
||||||
|
## Known Risk
|
||||||
|
|
||||||
|
Supabase currently exposed via HTTP internally causing browser mixed content blocking.
|
||||||
|
|
||||||
|
## Update Rules
|
||||||
|
|
||||||
|
When system changes:
|
||||||
|
|
||||||
|
1. Update PROJECT-STATE.md
|
||||||
|
2. Update ai-project-context.md
|
||||||
|
3. Add a new handover file
|
||||||
58
docs/RUNBOOK.md
Normal file
58
docs/RUNBOOK.md
Normal file
@@ -0,0 +1,58 @@
|
|||||||
|
# RUNBOOK
|
||||||
|
|
||||||
|
## Production App
|
||||||
|
|
||||||
|
Host:
|
||||||
|
192.168.68.89
|
||||||
|
|
||||||
|
Deploy path:
|
||||||
|
/opt/plesk-agency-portal
|
||||||
|
|
||||||
|
Container:
|
||||||
|
plesk-agency-portal
|
||||||
|
|
||||||
|
Public URL:
|
||||||
|
https://portal.rdbcloud.co.uk
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Health Check
|
||||||
|
|
||||||
|
Public:
|
||||||
|
|
||||||
|
curl https://portal.rdbcloud.co.uk/api/health
|
||||||
|
|
||||||
|
Local:
|
||||||
|
|
||||||
|
curl http://127.0.0.1:3000/api/health
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Check Running Container
|
||||||
|
|
||||||
|
docker ps
|
||||||
|
docker inspect plesk-agency-portal --format '{{.Image}} {{.Created}}'
|
||||||
|
docker images | grep plesk-agency-portal
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## View Logs
|
||||||
|
|
||||||
|
cd /opt/plesk-agency-portal
|
||||||
|
docker compose -f docker-compose.prod.yml logs --tail=200
|
||||||
|
|
||||||
|
Follow logs:
|
||||||
|
|
||||||
|
docker logs -f plesk-agency-portal
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Rollback
|
||||||
|
|
||||||
|
cd /opt/plesk-agency-portal
|
||||||
|
APP_IMAGE=plesk-agency-portal:build-37 ./scripts/rollback-prod.sh
|
||||||
|
|
||||||
|
Verify:
|
||||||
|
|
||||||
|
docker inspect plesk-agency-portal --format '{{.Image}} {{.Created}}'
|
||||||
|
curl http://127.0.0.1:3000/api/health
|
||||||
191
docs/ai-bootstrap.md
Normal file
191
docs/ai-bootstrap.md
Normal file
@@ -0,0 +1,191 @@
|
|||||||
|
# AI Bootstrap Context -- Plesk Agency Portal
|
||||||
|
|
||||||
|
This document is intended to be uploaded into a new AI conversation so
|
||||||
|
the assistant can quickly understand the project state.
|
||||||
|
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Project Overview
|
||||||
|
|
||||||
|
The **Plesk Agency Portal** is a multi-tenant SaaS platform that allows
|
||||||
|
agencies to manage multiple Plesk servers, hosting subscriptions, and
|
||||||
|
domains from a single interface.
|
||||||
|
|
||||||
|
Goals:
|
||||||
|
|
||||||
|
- Connect multiple Plesk servers
|
||||||
|
- Sync subscriptions and domains
|
||||||
|
- Manage hosting environments
|
||||||
|
- Provide SaaS billing integration
|
||||||
|
- Enforce tenant isolation using Supabase Row Level Security (RLS)
|
||||||
|
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Technology Stack
|
||||||
|
|
||||||
|
Frontend Next.js (App Router)
|
||||||
|
|
||||||
|
Backend Next.js API routes
|
||||||
|
|
||||||
|
Authentication Supabase Auth (Magic Link)
|
||||||
|
|
||||||
|
Database Supabase PostgreSQL
|
||||||
|
|
||||||
|
CI/CD Jenkins
|
||||||
|
|
||||||
|
Containerisation Docker
|
||||||
|
|
||||||
|
Reverse Proxy Nginx Proxy Manager
|
||||||
|
|
||||||
|
Infrastructure Self-hosted Linux servers
|
||||||
|
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Current Deployment Architecture
|
||||||
|
|
||||||
|
CI/CD Pipeline:
|
||||||
|
|
||||||
|
1. Code pushed to repository
|
||||||
|
2. Jenkins pipeline runs
|
||||||
|
3. Next.js application builds
|
||||||
|
4. Docker image builds
|
||||||
|
5. Image exported via `docker save`
|
||||||
|
6. Image transferred via SSH/SCP
|
||||||
|
7. Image loaded on application host
|
||||||
|
8. Container recreated
|
||||||
|
9. Smoke test verifies service
|
||||||
|
|
||||||
|
Images are transferred using:
|
||||||
|
|
||||||
|
docker save → scp → docker load
|
||||||
|
|
||||||
|
This avoids requiring a Docker registry during early development.
|
||||||
|
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Infrastructure
|
||||||
|
|
||||||
|
Jenkins Host Responsible for:
|
||||||
|
|
||||||
|
- building Docker images
|
||||||
|
- running CI/CD pipeline
|
||||||
|
- deploying containers
|
||||||
|
|
||||||
|
Application Host
|
||||||
|
|
||||||
|
Deployment path:
|
||||||
|
|
||||||
|
/opt/plesk-agency-portal
|
||||||
|
|
||||||
|
Docker container:
|
||||||
|
|
||||||
|
plesk-agency-portal
|
||||||
|
|
||||||
|
Application port:
|
||||||
|
|
||||||
|
3000
|
||||||
|
|
||||||
|
Reverse Proxy:
|
||||||
|
|
||||||
|
Nginx Proxy Manager
|
||||||
|
|
||||||
|
Public domain:
|
||||||
|
|
||||||
|
https://portal.rdbcloud.co.uk
|
||||||
|
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Database & Auth
|
||||||
|
|
||||||
|
Supabase is self-hosted on an internal server.
|
||||||
|
|
||||||
|
Current API endpoint:
|
||||||
|
|
||||||
|
http://192.168.68.52:54321
|
||||||
|
|
||||||
|
Because the portal runs via HTTPS, this causes a browser mixed-content
|
||||||
|
error.
|
||||||
|
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Current Blocking Issue
|
||||||
|
|
||||||
|
Supabase authentication fails because the frontend attempts to call:
|
||||||
|
|
||||||
|
http://192.168.68.52:54321
|
||||||
|
|
||||||
|
while the portal itself is served via HTTPS.
|
||||||
|
|
||||||
|
Browsers block the request.
|
||||||
|
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Planned Fix
|
||||||
|
|
||||||
|
Expose Supabase through HTTPS using Nginx Proxy Manager.
|
||||||
|
|
||||||
|
Target domain:
|
||||||
|
|
||||||
|
https://supabase.rdbcloud.co.uk
|
||||||
|
|
||||||
|
Proxy configuration:
|
||||||
|
|
||||||
|
Forward host: 192.168.68.52\
|
||||||
|
Forward port: 54321
|
||||||
|
|
||||||
|
After that update environment variables:
|
||||||
|
|
||||||
|
NEXT_PUBLIC_SUPABASE_URL SUPABASE_URL
|
||||||
|
|
||||||
|
Then redeploy the portal.
|
||||||
|
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Deployment Verification
|
||||||
|
|
||||||
|
Example deployed image:
|
||||||
|
|
||||||
|
plesk-agency-portal:build-62
|
||||||
|
|
||||||
|
Verification command:
|
||||||
|
|
||||||
|
docker inspect plesk-agency-portal --format '{{.Image}} {{.Created}}'
|
||||||
|
|
||||||
|
Health endpoint:
|
||||||
|
|
||||||
|
/api/health
|
||||||
|
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Repository Documentation
|
||||||
|
|
||||||
|
Important docs:
|
||||||
|
|
||||||
|
docs/ai-project-context.md\
|
||||||
|
docs/system-architecture.md\
|
||||||
|
docs/next-steps.md\
|
||||||
|
docs/handovers/\*
|
||||||
|
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Typical AI Assistance Areas
|
||||||
|
|
||||||
|
- CI/CD debugging
|
||||||
|
- Docker deployment
|
||||||
|
- Next.js development
|
||||||
|
- Supabase integration
|
||||||
|
- SaaS multi-tenant architecture
|
||||||
|
- Stripe billing integration
|
||||||
|
- Plesk API integration
|
||||||
|
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Current Development Stage
|
||||||
|
|
||||||
|
Infrastructure and deployment pipeline are working.
|
||||||
|
|
||||||
|
Next priorities:
|
||||||
|
|
||||||
|
1. Fix Supabase HTTPS endpoint
|
||||||
|
2. Verify authentication flow
|
||||||
|
3. Continue SaaS portal feature development
|
||||||
7
docs/current-focus.md
Normal file
7
docs/current-focus.md
Normal file
@@ -0,0 +1,7 @@
|
|||||||
|
# Current Focus
|
||||||
|
|
||||||
|
Immediate tasks:
|
||||||
|
|
||||||
|
1. Fix Supabase HTTPS endpoint
|
||||||
|
2. Verify authentication flow
|
||||||
|
3. Continue SaaS portal feature development
|
||||||
100
docs/handovers/2026-03-07-cicd-deploy-working.md
Normal file
100
docs/handovers/2026-03-07-cicd-deploy-working.md
Normal file
@@ -0,0 +1,100 @@
|
|||||||
|
# Handover – 2026-03-07 – CI/CD Deploy Working
|
||||||
|
|
||||||
|
## Status
|
||||||
|
|
||||||
|
The Plesk Agency Portal deployment pipeline is now working end‑to‑end.
|
||||||
|
|
||||||
|
### Jenkins Pipeline
|
||||||
|
|
||||||
|
Pipeline successfully performs:
|
||||||
|
|
||||||
|
1. Build Next.js application
|
||||||
|
2. Build Docker image
|
||||||
|
3. Save image archive
|
||||||
|
4. Transfer archive to app host
|
||||||
|
5. Load image on remote server
|
||||||
|
6. Recreate container
|
||||||
|
7. Run smoke test
|
||||||
|
|
||||||
|
Example deployed image:
|
||||||
|
|
||||||
|
plesk-agency-portal:build-62
|
||||||
|
|
||||||
|
Verification command:
|
||||||
|
|
||||||
|
docker inspect plesk-agency-portal --format '{{.Image}} {{.Created}}'
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Infrastructure
|
||||||
|
|
||||||
|
### Jenkins Host
|
||||||
|
|
||||||
|
Responsibilities:
|
||||||
|
|
||||||
|
- Build Docker images
|
||||||
|
- Execute CI/CD pipeline
|
||||||
|
- Transfer deployment artifacts
|
||||||
|
|
||||||
|
### Application Host
|
||||||
|
|
||||||
|
Deployment path:
|
||||||
|
|
||||||
|
/opt/plesk-agency-portal
|
||||||
|
|
||||||
|
Container:
|
||||||
|
|
||||||
|
plesk-agency-portal
|
||||||
|
|
||||||
|
Application port:
|
||||||
|
|
||||||
|
3000
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Reverse Proxy
|
||||||
|
|
||||||
|
Managed using:
|
||||||
|
|
||||||
|
Nginx Proxy Manager
|
||||||
|
|
||||||
|
Public domain:
|
||||||
|
|
||||||
|
https://portal.rdbcloud.co.uk
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Known Issue
|
||||||
|
|
||||||
|
Supabase authentication blocked due to mixed content.
|
||||||
|
|
||||||
|
Frontend attempts:
|
||||||
|
|
||||||
|
http://192.168.68.52:54321
|
||||||
|
|
||||||
|
while the site runs via HTTPS.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Next Task
|
||||||
|
|
||||||
|
Expose Supabase API through HTTPS:
|
||||||
|
|
||||||
|
https://supabase.rdbcloud.co.uk
|
||||||
|
|
||||||
|
Then update environment variables:
|
||||||
|
|
||||||
|
NEXT_PUBLIC_SUPABASE_URL
|
||||||
|
SUPABASE_URL
|
||||||
|
|
||||||
|
and redeploy the application.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Deployment Strategy
|
||||||
|
|
||||||
|
Docker registry intentionally avoided.
|
||||||
|
|
||||||
|
Images transferred using:
|
||||||
|
|
||||||
|
docker save → scp → docker load
|
||||||
0
docs/handovers/latest.md
Normal file
0
docs/handovers/latest.md
Normal file
@@ -35,7 +35,8 @@ export const env = {
|
|||||||
stripeSecretKey: process.env.STRIPE_SECRET_KEY ?? "",
|
stripeSecretKey: process.env.STRIPE_SECRET_KEY ?? "",
|
||||||
stripeWebhookSecret: process.env.STRIPE_WEBHOOK_SECRET ?? "",
|
stripeWebhookSecret: process.env.STRIPE_WEBHOOK_SECRET ?? "",
|
||||||
stripePriceId: process.env.STRIPE_PRICE_ID ?? "",
|
stripePriceId: process.env.STRIPE_PRICE_ID ?? "",
|
||||||
supabaseUrl: process.env.NEXT_PUBLIC_SUPABASE_URL ?? "",
|
supabaseUrl:
|
||||||
|
process.env.SUPABASE_URL ?? process.env.NEXT_PUBLIC_SUPABASE_URL ?? "",
|
||||||
supabaseAnonKey: process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY ?? "",
|
supabaseAnonKey: process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY ?? "",
|
||||||
supabaseServiceRoleKey: process.env.SUPABASE_SERVICE_ROLE_KEY ?? "",
|
supabaseServiceRoleKey: process.env.SUPABASE_SERVICE_ROLE_KEY ?? "",
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -12,8 +12,13 @@ if [ ! -f "${DEPLOY_PATH}/docker-compose.prod.yml" ]; then
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ ! -f "${DEPLOY_PATH}/.env" ]; then
|
||||||
|
echo "Missing .env in ${DEPLOY_PATH}" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
cd "${DEPLOY_PATH}"
|
cd "${DEPLOY_PATH}"
|
||||||
|
|
||||||
APP_IMAGE="${APP_IMAGE}" docker compose -f docker-compose.prod.yml up -d
|
APP_IMAGE="${APP_IMAGE}" docker compose -f docker-compose.prod.yml up -d --no-build --force-recreate
|
||||||
|
|
||||||
docker compose -f docker-compose.prod.yml ps
|
APP_IMAGE="${APP_IMAGE}" docker compose -f docker-compose.prod.yml ps
|
||||||
|
|||||||
@@ -21,10 +21,20 @@ if [ ! -f "${DEPLOY_PATH}/docker-compose.prod.yml" ]; then
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ ! -f "${DEPLOY_PATH}/.env" ]; then
|
||||||
|
echo "Missing .env in ${DEPLOY_PATH}" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -f "${DEPLOY_PATH}/scripts/smoke-check.sh" ]; then
|
||||||
|
echo "Missing scripts/smoke-check.sh in ${DEPLOY_PATH}" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
cd "${DEPLOY_PATH}"
|
cd "${DEPLOY_PATH}"
|
||||||
|
|
||||||
APP_IMAGE="${PREVIOUS_IMAGE_TAG}" docker compose -f docker-compose.prod.yml up -d --no-build
|
APP_IMAGE="${PREVIOUS_IMAGE_TAG}" docker compose -f docker-compose.prod.yml up -d --no-build --force-recreate
|
||||||
|
|
||||||
"${DEPLOY_PATH}/smoke-check.sh" "${APP_BASE_URL}"
|
"${DEPLOY_PATH}/scripts/smoke-check.sh" "${APP_BASE_URL}"
|
||||||
|
|
||||||
docker compose -f docker-compose.prod.yml ps
|
docker compose -f docker-compose.prod.yml ps
|
||||||
|
|||||||
Reference in New Issue
Block a user