Empty compose env vars were blocking Infisical secret injection at startup.
Only TRANSAK_ENV needs to be in compose; API keys and secrets come from Infisical.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Hardcoded PRODUCTION overrode the Infisical value. Use env var with
STAGING default until Transak production gateway auth issue is resolved.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
TRANSAK_ENV was set to PRODUCTION but TRANSAK_API_KEY_PRODUCTION was
missing, causing the Transak session endpoint to return 503. Add the
env var reference so rCart card payments work in production.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pin encrypted backups and AI-generated files to Kubo (ipfs.jeffemmett.com)
as fire-and-forget redundancy. Filesystem remains primary storage — IPFS
failures are logged and swallowed. Adds /api/ipfs routes for status,
pin/unpin, and gateway proxy.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The Dockerfile's healthcheck hit a nonexistent /health endpoint, causing
permanent "unhealthy" status. Override with a check that accepts any HTTP
response (including 401) as proof the service is running.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
rTasks: port backlog-md ordinal algorithm (bisection + rebalance),
fix column detection via bounding-box hit test, add empty-column
drop zones, source column dimming, no-op detection, and optimistic
DOM updates (no flash). New bulk-sort-order rebalance endpoint.
EncryptID: sync claimed invite members to Automerge doc immediately,
redirect to space subdomain after identity claim.
Server: add /api/internal/sync-space-member endpoint, fallback
member check in WebSocket auth for not-yet-synced invites.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
KiCad, FreeCAD, and Blender sidecars now start on API request and stop
after 5min idle, saving ~8GB RAM when not in use. Docker socket mounted
into rspace container for container lifecycle control. Memory/CPU limits
added to all services to prevent runaway resource consumption.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- KiCad, FreeCAD, Blender, Scribus: add .wrapper flex container with
  height:100% + min-height:0 so content stays within element bounds
- KiCad assembler: regex fallback for non-JSON tool results (SVG, Gerber, PDF)
- Scribus image gen: actually write downloaded fal.ai images to disk
  (was creating imagePath but never saving bytes)
- Mount rspace-files volume in scribus-novnc so generated images are
  accessible from both containers
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When a module script (e.g. canvas-*.js) fails to load (502 during
deploy, network error), the pane stayed in cache with a blank canvas.
Subsequent tab switches showed the broken cached pane instead of
re-fetching. Now script onerror removes the failed tag and evicts
the pane, so the next switchTo does a fresh fetch.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Switch from broken StdioClientTransport (child process) to
SSEClientTransport (HTTP to sidecar containers via supergateway).
Both sidecars share rspace-files volume so generated CAD files
(STEP, STL, Gerber, SVG) are directly servable without copying.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Consolidates token verification into server/auth.ts, removing the
external SDK dependency. All modules now import from the local module.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Secrets now fetched from Infisical at container startup instead of
being passed through docker-compose from .env. Reduces .env to only
Infisical auth creds and non-Infisical container secrets.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reverts Traefik rules and removes standaloneDomain from rdesign, rvnb,
rbnb, rdocs, and crowdsurf — we don't have these domains.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
rdesign.online, rvnb.online, rbnb.online, rdocs.online, crowdsurf.online
had standaloneDomain declared in their modules but no Traefik router rules,
so {space}.r*.online subdomain redirects wouldn't reach the server.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Mailcow rejects noreply@rspace.online because the authenticated user
is noreply@rmail.online. Updated all SMTP_FROM and SMTP_USER defaults
to use rmail.online consistently: spaces invites, rSplat notifications,
EncryptID auth emails, and rCart payment receipts.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Server-side proxy routes (POST /api/360split, GET status, POST import) fetch
video from R2, submit to video360-splitter, and import results back. Frontend
adds Split 360° button with settings modal, progress polling, and library import.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
POST /checklist/send builds and emails a styled checklist from backlog AC items.
GET /checklist/:token verifies the HMAC signature, toggles the AC in the
markdown file, and re-renders the page with fresh links for remaining items.
Adds dev-ops volume mount and RTASKS_HMAC_SECRET/RTASKS_API_KEY env vars.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add EncryptID internal endpoint for email lookup by userId
- rcart: send "Payment Sent" to payer and "Payment Received" to recipient
- rcart: resolve emails via EncryptID when not provided in request
- rsplat: add GLB/GLTF 3D viewer using Three.js GLTFLoader
- rsplat: enable publicWrite for photo uploads without space membership
- docker-compose: add SITE_URL and SPLAT_NOTIFY_EMAIL env vars
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add getTransakApiKey() and getTransakWebhookSecret() helpers that
resolve TRANSAK_API_KEY_STAGING or TRANSAK_API_KEY_PRODUCTION based
on TRANSAK_ENV, with fallback to legacy TRANSAK_API_KEY. All consumers
(rcart, rflows, transak-onramp) now use the shared helpers instead of
reading env vars directly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
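
Added example, not code from this repository: a sketch of the key resolution the Transak entries in this log describe (per-environment key selected by TRANSAK_ENV, legacy TRANSAK_API_KEY fallback, STAGING default). It also treats empty strings as unset, which is the failure the empty compose variables caused. The function names, the env-object parameter and the sample values are assumptions.

```javascript
// Added illustration with hypothetical names; not the project's code.
// An empty or whitespace-only value counts as unset, so a blank variable
// passed through docker-compose cannot shadow a real secret.
function readVar(env, name) {
  const value = env[name];
  if (typeof value !== "string") return undefined;
  const trimmed = value.trim();
  return trimmed === "" ? undefined : trimmed;
}

// STAGING is the default; anything other than the two known values is
// rejected instead of being silently mapped to an environment.
function resolveTransakEnv(env) {
  const raw = readVar(env, "TRANSAK_ENV") ?? "STAGING";
  const normalized = raw.toUpperCase();
  if (normalized !== "STAGING" && normalized !== "PRODUCTION") {
    throw new Error(`Unsupported TRANSAK_ENV: ${raw}`);
  }
  return normalized;
}

// Per-environment key first, then the legacy variable. Throws when neither
// is set so the gap shows at startup rather than as a 503 per request.
function resolveTransakApiKey(env) {
  const transakEnv = resolveTransakEnv(env);
  const specific = `TRANSAK_API_KEY_${transakEnv}`;
  for (const source of [specific, "TRANSAK_API_KEY"]) {
    const key = readVar(env, source);
    if (key !== undefined) return { transakEnv, source, key };
  }
  throw new Error(`No Transak API key for ${transakEnv}: set ${specific}`);
}

// One-line startup report that names the source variable, never the key.
function describeTransakConfig(env) {
  try {
    const { transakEnv, source } = resolveTransakApiKey(env);
    return `ok env=${transakEnv} source=${source}`;
  } catch (err) {
    return `error ${err.message}`;
  }
}

// Constructed input: PRODUCTION selected, but its key arrives as "".
console.log(describeTransakConfig({
  TRANSAK_ENV: "PRODUCTION",
  TRANSAK_API_KEY_PRODUCTION: "",
  TRANSAK_API_KEY_STAGING: "stg-constructed",
}));
```
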
Switch TRANSAK_ENV default from PRODUCTION to STAGING in shared/transak.ts,
docker-compose.yml, and rflows config endpoint. All card purchases now
route through Transak's staging gateway until production is ready.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove Coinbase and Ramp Network from onramp registry, keeping
Transak as the sole payment gateway. Add TRANSAK_* env vars to
docker-compose for .env override of Infisical values.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Uses ${TWENTY_API_TOKEN:-} so it won't override Infisical when
.env doesn't define it, but allows .env to provide the value
when Infisical's stored token needs regeneration.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The docker-compose env var override was setting an empty string,
preventing the Infisical-injected value from being used.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Session manager now calls EncryptID /api/auth/start + /api/auth/complete
  to get a properly signed JWT instead of creating unsigned local tokens.
  This fixes 401 errors on /api/payments, /api/notifications, and other
  authenticated endpoints that verify tokens via EncryptID server.
- Token refresh calls /api/session/refresh instead of extending unsigned tokens
- Server generateSessionToken now includes authTime, jti, recoveryConfigured
- rNetwork: /crm route renders folk-crm-view instead of iframe
- rNetwork: ?view=app redirects 301 to /crm (backward compat)
- rNetwork: graph viewer always uses API (removed hardcoded demo data)
- docker-compose: pass through TWENTY_API_TOKEN from Infisical
- rcart: add catalog product images
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add shared ViewHistory<V> utility class that provides a proper navigation
stack for rApps with hierarchical views. Replaces hardcoded data-back
targets with stack-based back navigation across 10 rApps: rtrips, rmaps,
rtasks, rforum, rphotos, rvote, rnotes, rinbox, rschedule, rcart.
Rename rWork module to rTasks — directory, component (folk-tasks-board),
CSS, exports, domains, and all cross-module references updated.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update docker-compose, vite config, Traefik labels, module imports,
and all cross-module references to use the new rflows naming.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Existing Twenty instances on Netcup use twenty-server/twenty-db/twenty-redis
names. Renamed to twenty-ch-server/twenty-ch-db/twenty-ch-redis for the
commons-hub instance. Updated TWENTY_API_URL accordingly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds dedicated /crm sub-route to rNetwork module embedding Twenty CRM
via ExternalAppShell iframe. Updates TWENTY_API_URL to use internal Docker
networking (http://twenty-server:3000). Includes full Twenty CRM Docker
stack (server, worker, postgres, redis) with Traefik routing for
crm.rspace.online and deployment instructions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The encryptid-internal network had persistent Docker networking issues
(TCP CONNECT_TIMEOUT between containers on the same bridge). Using the
rspace-internal network which already works for rspace↔rspace-db.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Merge encryptid + encryptid-db services from separate docker-compose.encryptid.yml
into the main compose file. Update Dockerfile.encryptid to use additional_contexts
for encryptid-sdk (matching main Dockerfile pattern) instead of fragile context: ..
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implement the 4-layer data model (device → encrypted backup → shared sync → federated):
- Extract shared encryption-utils from community-store (deriveSpaceKey, AES-256-GCM, rSEN format)
- Encrypt module docs at rest when space has meta.encrypted === true
- Fix relay mode persistence: relay-backup/relay-restore wire protocol + .automerge.enc blob storage
- Add backup store + REST API (PUT/GET/DELETE /api/backup/:space/:docId) with JWT auth
- Add client BackupSyncManager with delta-only push, full restore, auto-backup
- Wire backup stubs in encryptid-bridge to BackupSyncManager
- Add rspace-backups Docker volume
- Create docs/DATA-ARCHITECTURE.md design doc with threat model and data flow diagrams
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
DATABASE_URL, ADMIN_DIDS, and ENCRYPTID_DEMO_SPACES are now stored
in Infisical and injected via the entrypoint. Remove the last
docker-compose.yml reference that was temporarily re-added.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The shared/db/pool.ts requires DATABASE_URL but it was missing from
both docker-compose.yml and Infisical, causing the container to
crash-loop on startup.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove DATABASE_URL and ADMIN_DIDS from docker-compose.yml (now
injected via Infisical entrypoint). Add scripts/seed-infisical.sh
to interactively populate 21 module-specific secrets (R2, Immich,
Twenty, Discourse, FAL, RunPod, etc.) into the rspace Infisical
project. Update Dockerfile to include scripts/ in the image.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add tabbed admin UI (Spaces | Users) with auth gate
- Add admin API endpoints on EncryptID: list users, delete user, clean space members
- Add admin force-delete space endpoint on rSpace (bypasses owner check)
- Protect all admin endpoints with ADMIN_DIDS env var
- Add ADMIN_DIDS to both Docker Compose configs
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace internal rewrites with 301 redirects for all standalone
domains. Handles bare domains, subdomains, paths, and query strings:
- rnotes.online/ → rspace.online/rnotes
- rnotes.online/alice/path → alice.rspace.online/rnotes/path
- alice.rnotes.online/path → alice.rspace.online/rnotes/path
- rnotes.online/api/... → rspace.online/rnotes/api/...
Traefik labels updated to also match *.r*.online subdomains.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- New rSocials module (federated social feed aggregator) with demo timeline
- Standalone domain root (r*.online/) now 302 redirects to rspace.online/{moduleId}
- Self-fetch detection breaks circular proxy loop (User-Agent: rSpace-Proxy/1.0)
- Traefik label for rsocials.online
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
rProviders (providers.mycofi.earth) is a separate project — removed
module registration, app switcher entry, tab bar badge, canvas embed
button, Traefik router, and standalone config. rSwag domain updated
from swag.mycofi.earth to rswag.online across all references.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>