diff --git a/dashboard/DEPLOYMENT.md b/dashboard/DEPLOYMENT.md index 5cc64f9..9362487 100644 --- a/dashboard/DEPLOYMENT.md +++ b/dashboard/DEPLOYMENT.md @@ -1,106 +1,365 @@ -# DevOps Dashboard Deployment Guide +# DevOps & Admin Dashboard Deployment Guide -## Current Status +> Canonical deployment doc for `dashboard/`. The previous `DEPLOYMENT_GUIDE.md` +> has been folded into this file; it remains as a one-line redirect for +> backwards compatibility with `deploy.sh` and external links. -The DevOps dashboard has been significantly enhanced with production-ready features, but deployment requires resolving workspace dependencies. +## Overview -## Dependency Issues +This guide covers deploying both the DevOps Dashboard and Platform Admin Dashboard using the existing Traefik gateway infrastructure, following the same pattern as the trading dashboard (https://invttrdg.bytelyst.com). -The dashboard currently depends on workspace packages from `learning_ai_common_plat`: -- `@bytelyst/config` - Configuration management -- `@bytelyst/auth` - Authentication utilities -- `@bytelyst/cosmos` - Cosmos DB client -- `@bytelyst/errors` - Error handling -- `@bytelyst/react-auth` - React auth context -- `@bytelyst/telemetry-client` - Telemetry +## Public URLs -## Deployment Options +- **DevOps Dashboard**: `https://devops.bytelyst.com` +- **Admin Dashboard**: `https://admin.bytelyst.com` +- **API Gateway**: `https://api.bytelyst.com` + - Platform API: `https://api.bytelyst.com/platform/api` + - DevOps API: `https://api.bytelyst.com/api/devops` -### Option 1: Deploy with Common Platform (Recommended) +## Ports — quick reference -**Prerequisites:** -1. Ensure `learning_ai_common_plat` packages are built and available -2. Configure npm registry to point to local package registry -3. Use the provided install scripts +The web container always listens on **3000** internally; what changes is what +the host exposes. Memorize the column for the deployment mode you're in: + +| Mode | Web (host) | Backend (host) | Notes | +|-------------------------------------|--------------------|-------------------|--------------------------------------------------------------------| +| Local dev (`pnpm dev`) | `localhost:3000` | `localhost:4004` | Next listens directly on 3000. | +| Docker Compose (this repo) | `localhost:3049` | `localhost:4004` | `docker-compose.yml` maps `127.0.0.1:3049:3000` (loopback only). | +| Production (Traefik) | `https://devops.bytelyst.com` | `https://api.bytelyst.com/api/devops` | Traefik label `loadbalancer.server.port=3000` targets the container port. | + +Whenever a doc says "the dashboard runs on port 3000", it means the **container +port** seen by Traefik / Next dev mode — not the host port for the deployed +stack. Use the table above instead of relying on prose. + +## Architecture + +``` +Internet → Traefik Gateway → Services + ├─ DevOps Web (container :3000, host :3049) + ├─ DevOps Backend (:4004) + ├─ Admin Web (:3001) + ├─ Platform Service (:4003) + └─ Trading Dashboard (:3085) +``` + +- **Traefik**: API gateway and reverse proxy. +- **Docker network**: All services connect via `learning_ai_common_plat_default`. +- **Domain routing**: Traefik routes by host header. +- **SSL/TLS**: Managed by Traefik with Let's Encrypt. + +## Prerequisites + +1. Platform stack running with Traefik gateway. +2. Docker and Docker Compose installed. +3. Domain names configured with DNS pointing to your server. +4. Azure Cosmos DB account (shared with platform-service). +5. Platform Service running and accessible. + +## Quick Start + +### 1. Start the platform stack (if not running) -**Steps:** ```bash -cd /opt/bytelyst/learning_ai_devops_tools/dashboard - -# Install dependencies with common platform -pnpm install:common-plat - -# Build both backend and web -pnpm build - -# Deploy with Docker Compose +cd /opt/bytelyst/learning_ai_common_plat docker-compose up -d ``` -### Option 2: Deploy Standalone (Simplified) +### 2. Deploy the dashboards -**Prerequisites:** -1. Remove workspace dependencies -2. Implement simplified auth/config/cosmos layers -3. Set up environment variables +```bash +cd /opt/bytelyst/learning_ai_devops_tools/dashboard +./deploy.sh +``` -**Environment Variables Required:** -```env +This will: +- Deploy the DevOps Dashboard (backend + web) +- Deploy the Admin Dashboard via the platform stack +- Run health checks +- Print deployment information + +## Local development + +If you only need a non-containerized iteration loop (no Traefik, no Docker): + +```bash +cd /opt/bytelyst/learning_ai_devops_tools/dashboard + +# Resolve workspace deps +pnpm install:common-plat # uses sibling learning_ai_common_plat checkout +# or +pnpm install:gitea # uses local Gitea registry at localhost:3300 + +pnpm dev # backend on 4004, web on 3000 (NOT 3049) +``` + +Required env vars are documented under **Environment Configuration** below; for +local dev a minimal `.env` with `JWT_SECRET`, `COSMOS_*`, and +`PLATFORM_SERVICE_URL` is enough. + +## Manual Docker deployment + +### Deploy DevOps Dashboard + +```bash +cd /opt/bytelyst/learning_ai_devops_tools/dashboard +docker-compose up -d --build +``` + +### Deploy Admin Dashboard + +```bash +cd /opt/bytelyst/learning_ai_common_plat +docker-compose up -d admin-web +``` + +## Environment Configuration + +### DevOps Dashboard (`.env`) + +```bash +# Backend PORT=4004 -PLATFORM_SERVICE_URL=http://localhost:4003 +PLATFORM_SERVICE_URL=http://platform-service:4003 COSMOS_ENDPOINT=https://your-cosmos-account.documents.azure.com:443/ COSMOS_KEY=your-cosmos-primary-key COSMOS_DATABASE=bytelyst-platform -JWT_SECRET=your-jwt-signing-secret -CSRF_SECRET=your-csrf-secret-change-in-production +JWT_SECRET=your-production-jwt-secret +CSRF_SECRET=your-production-csrf-secret +ENCRYPTION_KEY=your-production-encryption-key +PRODUCT_ID=bytelyst-devops +PRODUCT_NAME=ByteLyst DevOps Dashboard + +# Azure Key Vault (optional) +AZURE_TENANT_ID=your-tenant-id +AZURE_CLIENT_ID=your-client-id +AZURE_CLIENT_SECRET=your-client-secret +AZURE_KEY_VAULT_URL=https://your-keyvault.vault.azure.net/ + +# Frontend +NEXT_PUBLIC_DEVOPS_API_URL=https://api.bytelyst.com/devops +NEXT_PUBLIC_PLATFORM_URL=https://api.bytelyst.com/platform/api +NEXT_PUBLIC_ADMIN_WEB_URL=https://admin.bytelyst.com +NEXT_PUBLIC_PRODUCT_ID=bytelyst-devops +NEXT_PUBLIC_PRODUCT_NAME=ByteLyst DevOps Dashboard ``` -**Steps:** +### Platform Dashboard (`.env`) + +Add to your platform `.env`: + ```bash -cd /opt/bytelyst/learning_ai_devops_tools/dashboard/backend -npm install -npm run build -npm start - -# In another terminal: -cd /opt/bytelyst/learning_ai_devops_tools/dashboard/web -npm install -npm run build -npm start +# Admin Web Dashboard +NEXT_PUBLIC_PLATFORM_URL=https://api.bytelyst.com/platform/api +NEXT_PUBLIC_DEVOPS_WEB_URL=https://devops.bytelyst.com ``` -### Option 3: Deploy to Production Server +## Traefik Configuration -**Prerequisites:** -1. Production server with Node.js 22+ -2. Azure Cosmos DB account -3. Platform service instance -4. Docker installed +Both dashboards use Traefik labels for routing. -**Steps:** +### DevOps Web + +```yaml +labels: + - 'traefik.enable=true' + - 'traefik.http.routers.devops-web.rule=Host(`devops.bytelyst.com`)' + - 'traefik.http.services.devops-web.loadbalancer.server.port=3000' # container port +``` + +### DevOps Backend API + +```yaml +labels: + - 'traefik.enable=true' + - 'traefik.http.routers.devops-api.rule=PathPrefix(`/api/devops`)' + - 'traefik.http.services.devops-api.loadbalancer.server.port=4004' +``` + +### Admin Web + +```yaml +labels: + - 'traefik.enable=true' + - 'traefik.http.routers.admin-web.rule=Host(`admin.bytelyst.com`)' + - 'traefik.http.services.admin-web.loadbalancer.server.port=3001' +``` + +## DNS Configuration + +Add DNS records pointing to your Traefik gateway server: + +``` +devops.bytelyst.com A +admin.bytelyst.com A +api.bytelyst.com A +``` + +## SSL/TLS Configuration + +Traefik can automatically handle SSL certificates with Let's Encrypt: + +```yaml +command: + - '--certificatesresolvers.myresolver.acme.tlschallenge=true' + - '--certificatesresolvers.myresolver.acme.email=admin@bytelyst.com' + - '--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json' +``` + +Then update router labels: + +```yaml +labels: + - 'traefik.http.routers.devops-web.tls=true' + - 'traefik.http.routers.devops-web.tls.certresolver=myresolver' +``` + +## Cross-Navigation + +### DevOps Dashboard → Admin Dashboard +- Header includes a "Platform Admin" link with Shield icon. +- Opens admin dashboard in a new tab. +- Uses `NEXT_PUBLIC_ADMIN_WEB_URL`. + +### Admin Dashboard → DevOps Dashboard +- Sidebar includes a "DevOps Dashboard" link with Server icon. +- Opens devops dashboard in a new tab. +- Uses `NEXT_PUBLIC_DEVOPS_WEB_URL`. + +## Shared Authentication + +1. **Platform Service Auth**: Both authenticate against platform-service. +2. **JWT Tokens**: Same `JWT_SECRET` validates tokens across services. +3. **Per-Product Access**: Admin access is checked per-product via membership roles. +4. **Single Sign-On**: Users stay logged in across both dashboards. + +### Granting Access + +To grant a user access to both dashboards: + +1. Ensure user exists in platform-service. +2. Add admin membership for both products: + +```json +{ + "memberships": [ + { "productId": "bytelyst-devops", "role": "admin", "plan": "pro" }, + { "productId": "bytelyst-platform", "role": "admin", "plan": "pro" } + ] +} +``` + +## Health Checks + +- DevOps Backend: `http://localhost:4004/health` +- DevOps Web: `http://localhost:3049` (Docker Compose host port; container :3000) +- Admin Web: `http://localhost:3001` +- Traefik Dashboard: `http://localhost:8080` + +## Troubleshooting + +### Network issues ```bash -# Build Docker images -docker-compose build +# Check if the platform network exists +docker network inspect learning_ai_common_plat_default -# Tag and push to registry -docker tag devops-backend:latest your-registry/devops-backend:latest -docker tag devops-web:latest your-registry/devops-web:latest -docker push your-registry/devops-backend:latest -docker push your-registry/devops-web:latest - -# On production server: -docker pull your-registry/devops-backend:latest -docker pull your-registry/devops-web:latest -docker-compose -f docker-compose.prod.yml up -d +# Check container connectivity +docker network inspect learning_ai_common_plat_default | grep devops ``` +### Traefik routing +```bash +# Traefik dashboard +http://localhost:8080 + +# Traefik logs +docker logs $(docker ps -q -f name=gateway) + +# Router config for the devops web container +docker inspect devops-web | grep -A 10 Labels +``` + +### Authentication failures +- Verify `JWT_SECRET` matches across all services. +- Check platform-service is accessible: `curl http://localhost:4003/health`. +- Ensure the user has the right product memberships. + +### Service not starting +```bash +docker logs devops-backend +docker logs devops-web +docker logs admin-web +docker ps +docker inspect devops-backend | grep -A 5 Health +``` + +### Workspace dependency errors +```bash +pnpm install:common-plat # local sibling checkout +pnpm install:gitea # local Gitea registry +``` + +## Service Management + +### Stop services +```bash +cd /opt/bytelyst/learning_ai_devops_tools/dashboard +docker-compose down + +cd /opt/bytelyst/learning_ai_common_plat +docker-compose stop admin-web +``` + +### Restart services +```bash +cd /opt/bytelyst/learning_ai_devops_tools/dashboard +docker-compose restart + +cd /opt/bytelyst/learning_ai_common_plat +docker-compose restart admin-web +``` + +### View logs +```bash +# DevOps +docker logs -f devops-backend +docker logs -f devops-web + +# Admin +docker logs -f admin-web + +# Traefik +docker logs -f gateway +``` + +## Comparison with Trading Dashboard + +| Feature | Trading | DevOps | Admin | +|--------------|----------------------|-------------------------|------------------------| +| Domain | invttrdg.bytelyst.com| devops.bytelyst.com | admin.bytelyst.com | +| Web Port | 3085 (host) | 3049 (host) / 3000 (ctr)| 3001 (host) | +| Backend Port | 4018 | 4004 | N/A | +| Network | platform_net | platform_net | default | +| Traefik | Yes | Yes | Yes | +| Auth | Platform | Platform | Platform | + +## Production Checklist + +- [ ] Platform stack running with Traefik. +- [ ] DNS records configured. +- [ ] SSL/TLS certificates configured in Traefik. +- [ ] Environment variables set for production. +- [ ] Cosmos DB connection configured. +- [ ] `JWT_SECRET` matches across all services. +- [ ] User memberships configured for access. +- [ ] Health checks passing. +- [ ] Cross-navigation links working. +- [ ] Monitoring and logging configured. + ## Features Implemented -The dashboard includes these production-ready features: - -### Backend (Port 4004) +### Backend (port 4004) - ✅ CI/CD pipeline with Gitea Actions -- ✅ E2E tests with Playwright +- ✅ E2E tests with Playwright (gated; see `.gitea/workflows/ci.yml`) - ✅ Telemetry integration - ✅ Error boundary - ✅ CSRF protection with token refresh @@ -115,58 +374,13 @@ The dashboard includes these production-ready features: - ✅ Docker cleanup endpoints - ✅ OpenAPI/Swagger documentation at `/docs` -### Frontend (Port 3000) +### Frontend (container :3000, host :3049 under Compose) - ✅ Service management UI - ✅ Deployment monitoring - ✅ Health dashboard - ✅ Metrics/charts page - ✅ System management page -- ✅ Real-time log viewer +- ✅ Log viewer (poll-based) - ✅ Accessibility features (ARIA, keyboard nav) - ✅ PWA manifest - ✅ Responsive design - -## Services Configured - -The dashboard can deploy: -1. **Investment Trading** (`learning_ai_invt_trdg`) -2. **Agentic Notes** (`learning_ai_notes`) -3. **AI Clock** (`learning_ai_clock`) -4. **Platform Services** (`learning_ai_common_plat`) - can be added - -## Next Steps for Production Deployment - -1. **Resolve Workspace Dependencies**: Ensure common platform packages are accessible -2. **Configure Environment Variables**: Set production values for Cosmos, JWT, etc. -3. **Set Up Infrastructure**: Azure Cosmos DB, platform service instance -4. **Configure CI/CD**: Update Gitea Actions with production registry -5. **Test Deployments**: Verify all deployment scripts work in production -6. **Set Up Monitoring**: Configure logging, metrics, and alerting - -## Access - -- **Dashboard**: http://localhost:3000 (or production URL) -- **API**: http://localhost:4004 (or production URL) -- **API Docs**: http://localhost:4004/docs -- **System Management**: Navigate to System page in dashboard - -## Troubleshooting - -**Workspace dependency errors:** -```bash -# Use the install scripts provided -pnpm install:common-plat # For local development -pnpm install:gitea # For Gitea environment -``` - -**Docker build failures:** -- Ensure Dockerfiles reference correct lock files -- Check that all dependencies are in registry -- Verify context paths in docker-compose.yml - -**Port conflicts:** -- Backend uses port 4004 -- Web uses port 3000 -- Ensure these ports are available - -The dashboard is feature-complete and ready for production deployment once the dependency infrastructure is resolved. diff --git a/dashboard/DEPLOYMENT_GUIDE.md b/dashboard/DEPLOYMENT_GUIDE.md index a77b1b6..9e4ad1b 100644 --- a/dashboard/DEPLOYMENT_GUIDE.md +++ b/dashboard/DEPLOYMENT_GUIDE.md @@ -1,339 +1,5 @@ # DevOps & Admin Dashboard Deployment Guide -## Overview - -This guide covers deploying both the DevOps Dashboard and Platform Admin Dashboard using the existing Traefik gateway infrastructure, following the same pattern as the trading dashboard (https://invttrdg.bytelyst.com). - -## URLs - -- **DevOps Dashboard**: `https://devops.bytelyst.com` -- **Admin Dashboard**: `https://admin.bytelyst.com` -- **API Gateway**: `https://api.bytelyst.com` - - Platform API: `https://api.bytelyst.com/platform/api` - - DevOps API: `https://api.bytelyst.com/api/devops` - -## Architecture - -Both dashboards follow the same pattern as the trading dashboard: - -``` -Internet → Traefik Gateway → Services - ├─ DevOps Web (port 3049) - ├─ DevOps Backend (port 4004) - ├─ Admin Web (port 3001) - ├─ Platform Service (port 4003) - └─ Trading Dashboard (port 3085) -``` - -- **Traefik**: Acts as API gateway and reverse proxy -- **Docker Network**: All services connect via `learning_ai_common_plat_default` -- **Domain Routing**: Traefik routes based on host headers -- **SSL/TLS**: Managed by Traefik with Let's Encrypt - -## Prerequisites - -1. Platform stack running with Traefik gateway -2. Docker and Docker Compose installed -3. Domain names configured with DNS pointing to your server -4. Azure Cosmos DB account (shared with platform-service) -5. Platform Service running and accessible - -## Quick Start - -### 1. Start Platform Stack (if not running) - -```bash -cd /opt/bytelyst/learning_ai_common_plat -docker-compose up -d -``` - -### 2. Deploy Dashboards - -```bash -cd /opt/bytelyst/learning_ai_devops_tools/dashboard -./deploy.sh -``` - -This will: -- Deploy DevOps Dashboard (backend + web) -- Deploy Admin Dashboard via platform stack -- Run health checks -- Show deployment information - -## Manual Deployment - -### Deploy DevOps Dashboard - -```bash -cd /opt/bytelyst/learning_ai_devops_tools/dashboard -docker-compose up -d --build -``` - -### Deploy Admin Dashboard - -```bash -cd /opt/bytelyst/learning_ai_common_plat -docker-compose up -d admin-web -``` - -## Environment Configuration - -### DevOps Dashboard (.env) - -```bash -# Backend -PORT=4004 -PLATFORM_SERVICE_URL=http://platform-service:4003 -COSMOS_ENDPOINT=https://your-cosmos-account.documents.azure.com:443/ -COSMOS_KEY=your-cosmos-primary-key -COSMOS_DATABASE=bytelyst-platform -JWT_SECRET=your-production-jwt-secret -CSRF_SECRET=your-production-csrf-secret -ENCRYPTION_KEY=your-production-encryption-key -PRODUCT_ID=bytelyst-devops -PRODUCT_NAME=ByteLyst DevOps Dashboard - -# Azure Key Vault (optional) -AZURE_TENANT_ID=your-tenant-id -AZURE_CLIENT_ID=your-client-id -AZURE_CLIENT_SECRET=your-client-secret -AZURE_KEY_VAULT_URL=https://your-keyvault.vault.azure.net/ - -# Frontend -NEXT_PUBLIC_DEVOPS_API_URL=https://api.bytelyst.com/devops -NEXT_PUBLIC_PLATFORM_URL=https://api.bytelyst.com/platform/api -NEXT_PUBLIC_ADMIN_WEB_URL=https://admin.bytelyst.com -NEXT_PUBLIC_PRODUCT_ID=bytelyst-devops -NEXT_PUBLIC_PRODUCT_NAME=ByteLyst DevOps Dashboard -``` - -### Platform Dashboard (.env) - -Add to your platform `.env`: - -```bash -# Admin Web Dashboard -NEXT_PUBLIC_PLATFORM_URL=https://api.bytelyst.com/platform/api -NEXT_PUBLIC_DEVOPS_WEB_URL=https://devops.bytelyst.com -``` - -## Traefik Configuration - -Both dashboards use Traefik labels for routing: - -### DevOps Web -```yaml -labels: - - 'traefik.enable=true' - - 'traefik.http.routers.devops-web.rule=Host(`devops.bytelyst.com`)' - - 'traefik.http.services.devops-web.loadbalancer.server.port=3000' -``` - -### DevOps Backend API -```yaml -labels: - - 'traefik.enable=true' - - 'traefik.http.routers.devops-api.rule=PathPrefix(`/api/devops`)' - - 'traefik.http.services.devops-api.loadbalancer.server.port=4004' -``` - -### Admin Web -```yaml -labels: - - 'traefik.enable=true' - - 'traefik.http.routers.admin-web.rule=Host(`admin.bytelyst.com`)' - - 'traefik.http.services.admin-web.loadbalancer.server.port=3001' -``` - -## DNS Configuration - -Add DNS records pointing to your Traefik gateway server: - -``` -devops.bytelyst.com A -admin.bytelyst.com A -api.bytelyst.com A -``` - -## SSL/TLS Configuration - -Traefik can automatically handle SSL certificates with Let's Encrypt. Add to your Traefik configuration: - -```yaml -command: - - '--certificatesresolvers.myresolver.acme.tlschallenge=true' - - '--certificatesresolvers.myresolver.acme.email=admin@bytelyst.com' - - '--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json' -``` - -Then update router labels: - -```yaml -labels: - - 'traefik.http.routers.devops-web.tls=true' - - 'traefik.http.routers.devops-web.tls.certresolver=myresolver' -``` - -## Cross-Navigation Features - -Both dashboards include cross-navigation links: - -### DevOps Dashboard → Admin Dashboard -- Header includes "Platform Admin" link with Shield icon -- Opens admin dashboard in new tab -- Uses configured `NEXT_PUBLIC_ADMIN_WEB_URL` - -### Admin Dashboard → DevOps Dashboard -- Sidebar includes "DevOps Dashboard" link with Server icon -- Opens devops dashboard in new tab -- Uses configured `NEXT_PUBLIC_DEVOPS_WEB_URL` - -## Shared Authentication - -Both dashboards use the same authentication system: - -1. **Platform Service Auth**: Both authenticate against platform-service -2. **JWT Tokens**: Same JWT secret validates tokens across services -3. **Per-Product Access**: Admin access is checked per-product via membership roles -4. **Single Sign-On**: Users stay logged in across both dashboards - -### Granting Access - -To grant a user access to both dashboards: - -1. Ensure user exists in platform-service -2. Add admin membership for both products: - -```json -{ - "memberships": [ - { - "productId": "bytelyst-devops", - "role": "admin", - "plan": "pro" - }, - { - "productId": "bytelyst-platform", - "role": "admin", - "plan": "pro" - } - ] -} -``` - -## Health Checks - -- DevOps Backend: `http://localhost:4004/health` -- DevOps Web: `http://localhost:3049` -- Admin Web: `http://localhost:3001` -- Traefik Dashboard: `http://localhost:8080` - -## Troubleshooting - -### Network Issues -```bash -# Check if platform network exists -docker network inspect learning_ai_common_plat_default - -# Check container connectivity -docker network inspect learning_ai_common_plat_default | grep devops -``` - -### Traefik Routing -```bash -# Check Traefik dashboard -http://localhost:8080 - -# Check Traefik logs -docker logs $(docker ps -q -f name=gateway) - -# Check router configuration -docker inspect devops-web | grep -A 10 Labels -``` - -### Authentication Failures -- Verify JWT_SECRET matches across all services -- Check platform-service is accessible: `curl http://localhost:4003/health` -- Ensure user has proper product memberships - -### Service Not Starting -```bash -# Check service logs -docker logs devops-backend -docker logs devops-web -docker logs admin-web - -# Check health status -docker ps -docker inspect devops-backend | grep -A 5 Health -``` - -## Monitoring - -Both dashboards include: -- Performance monitoring hooks -- Audit logging -- Health check endpoints -- Error tracking - -Monitor these through: -- Traefik Dashboard: `http://localhost:8080` -- Grafana (if configured): `http://localhost:3000` -- Loki logs (if configured): `http://localhost:3100` - -## Comparison with Trading Dashboard - -| Feature | Trading | DevOps | Admin | -|---------|---------|--------|-------| -| Domain | invttrdg.bytelyst.com | devops.bytelyst.com | admin.bytelyst.com | -| Web Port | 3085 | 3049 | 3001 | -| Backend Port | 4018 | 4004 | N/A | -| Network | platform_net | platform_net | default | -| Traefik | Yes | Yes | Yes | -| Auth | Platform | Platform | Platform | - -## Service Management - -### Stop Services -```bash -cd /opt/bytelyst/learning_ai_devops_tools/dashboard -docker-compose down - -cd /opt/bytelyst/learning_ai_common_plat -docker-compose stop admin-web -``` - -### Restart Services -```bash -cd /opt/bytelyst/learning_ai_devops_tools/dashboard -docker-compose restart - -cd /opt/bytelyst/learning_ai_common_plat -docker-compose restart admin-web -``` - -### View Logs -```bash -# DevOps -docker logs -f devops-backend -docker logs -f devops-web - -# Admin -docker logs -f admin-web - -# Traefik -docker logs -f gateway -``` - -## Production Checklist - -- [ ] Platform stack running with Traefik -- [ ] DNS records configured -- [ ] SSL/TLS certificates configured in Traefik -- [ ] Environment variables set for production -- [ ] Cosmos DB connection configured -- [ ] JWT_SECRET matches across all services -- [ ] User memberships configured for access -- [ ] Health checks passing -- [ ] Cross-navigation links working -- [ ] Monitoring and logging configured +This file is a redirect kept for backwards compatibility (e.g. `deploy.sh`). +The canonical deployment guide is now [`DEPLOYMENT.md`](./DEPLOYMENT.md). Open +that file for the current content; do not edit this stub. diff --git a/dashboard/ENDPOINTS.md b/dashboard/ENDPOINTS.md index d8185f6..9125abd 100644 --- a/dashboard/ENDPOINTS.md +++ b/dashboard/ENDPOINTS.md @@ -4,6 +4,14 @@ Canonical URL reference for the ByteLyst DevOps dashboard workspace. Use this document when you need the dashboard website URL, browser routes, backend API endpoints, health checks, or the related integration URLs referenced by the dashboard. +> **Local port note:** every `http://localhost:3000` URL in this file refers to +> the **`pnpm dev`** workflow, where Next listens directly on 3000. Under the +> Docker Compose deployment in this repo, the same web container is exposed on +> the host as **`http://localhost:3049`** (compose maps `127.0.0.1:3049:3000`). +> Substitute `:3049` for `:3000` whenever you're hitting the dockerized stack. +> Production traffic goes through Traefik on `https://devops.bytelyst.com` and +> doesn't expose either port. See `DEPLOYMENT.md` for the full port table. + ## Canonical Bases | Surface | Local | Production | Notes | diff --git a/dashboard/README.md b/dashboard/README.md index 810038a..8b1ca1b 100644 --- a/dashboard/README.md +++ b/dashboard/README.md @@ -102,7 +102,7 @@ pnpm dev # Runs on port 4004 ```bash cd web cp .env.local.example .env.local # Add your URLs -pnpm dev # Runs on port 3000 +pnpm dev # Next dev server on http://localhost:3000 (no Docker) ``` ### Running Both @@ -197,8 +197,8 @@ See [DEPLOYMENT.md](./DEPLOYMENT.md) for detailed deployment instructions. Deploy as a ByteLyst product: - Product ID: `devops-internal` -- Backend port: 4004 -- Web port: 3000 +- Backend port: 4004 (host) / 4004 (container) +- Web port: 3000 (container) — exposed on host as **`localhost:3049`** under Docker Compose; dev mode (`pnpm dev`) listens directly on `localhost:3000`. See [`DEPLOYMENT.md`](./DEPLOYMENT.md) for the full port table. - Use existing deployment scripts in parent directory - Public API base: `https://api.bytelyst.com/devops` diff --git a/dashboard/REVIEW_ACTIONS.md b/dashboard/REVIEW_ACTIONS.md index 7be3bd4..9343972 100644 --- a/dashboard/REVIEW_ACTIONS.md +++ b/dashboard/REVIEW_ACTIONS.md @@ -39,12 +39,11 @@ Backend has 12 modules (`services`, `deployments`, `health`, `audit`, `backup`, ### 4. SSE deployment-log streaming is disabled — RESOLVED (removed) The TODO has been resolved by **removing the SSE claim**, not by shipping it: the `fastify-sse-v2` dependency is gone from `backend/package.json`, the commented-out import + plugin registration are gone from `backend/src/server.ts`, and the deployment-log endpoint is now documented as JSON-polled. The web client never used `EventSource` (`web/src/lib/api.ts` already polls `/api/deployments/:id/logs` via the normal `apiRequest` helper), so no UI change was required. README/DEPLOYMENT.md updated to match. If a real-time stream is wanted later, ship it explicitly via `reply.raw` and update the docs in the same change. -### 5. Documentation drift -- `README.md` says "Web port: 3000" but `docker-compose.yml` exposes web as `3049:3000`. -- `README.md` lists API endpoints inline; `ENDPOINTS.md` is the canonical source and contradicts in places (e.g. note about `https://api.bytelyst.com/api/devops` vs `https://api.bytelyst.com/devops`). -- `DEPLOYMENT.md` and `DEPLOYMENT_GUIDE.md` overlap; unclear which is canonical. - -- Action: pick `ENDPOINTS.md` as the single source for URLs and reduce `README.md` to a pointer. Merge the two deployment docs into one (`DEPLOYMENT.md`) and delete the loser. Fix the 3000 vs 3049 mismatch. +### 5. Documentation drift — RESOLVED +- `DEPLOYMENT.md` is now the single canonical deployment guide; `DEPLOYMENT_GUIDE.md` is reduced to a one-line redirect for backwards compat with `deploy.sh` and external links. `deploy.sh` updated to reference `DEPLOYMENT.md`. +- `DEPLOYMENT.md` carries an explicit **Ports — quick reference** table that distinguishes container port (`:3000`), Compose host port (`:3049`), and the Traefik production URL — so the 3000-vs-3049 question has one truthful answer per deployment mode rather than three contradictory prose claims. +- `README.md` "Web port: 3000" rewritten to call out container vs Compose host vs dev-mode explicitly and link to the port table. +- `ENDPOINTS.md` got a top-of-file note: every `localhost:3000` URL in the file refers to `pnpm dev`; substitute `:3049` for the Dockerized stack. The `https://api.bytelyst.com/api/devops` vs `/devops` ambiguity was already resolved by the existing "URL Note" section (kept). ### 6. Docker socket + host log mounts are very privileged `docker-compose.yml` mounts `/var/run/docker.sock`, the host `scripts` directory, and three host log paths into `devops-backend`. This is the same risk profile as Portainer but with custom code reading/writing those mounts. There is no documentation of which backend module talks to the docker socket or what commands it issues. diff --git a/dashboard/deploy.sh b/dashboard/deploy.sh index 4916f27..f2254c0 100755 --- a/dashboard/deploy.sh +++ b/dashboard/deploy.sh @@ -190,7 +190,7 @@ show_info() { echo "2. Configure SSL certificates in Traefik" echo "3. Grant user access via platform-service memberships" echo "" - echo "See DEPLOYMENT_GUIDE.md for detailed instructions" + echo "See DEPLOYMENT.md for detailed instructions" } # Main deployment flow diff --git a/docs/hermes_dashboard_v2_roadmap.md b/docs/hermes_dashboard_v2_roadmap.md index f661250..101598a 100644 --- a/docs/hermes_dashboard_v2_roadmap.md +++ b/docs/hermes_dashboard_v2_roadmap.md @@ -124,7 +124,7 @@ This is the biggest operational asymmetry and the reason half the ops-panel warn - [x] **P0:** Replace the no-op `lint` echo with real linting (`next lint` for web, minimal ESLint for backend); make `pnpm lint` fail on bad code. - [x] **P1:** Add tests for `auth`, `csrf`, `deployments/orchestrator`, `health`, **and `hermes-ops`**; add `pnpm test:coverage` gate. *(35 new unit tests; v8 coverage thresholds gated on the six tested files in `backend/vitest.config.ts` (≥85% lines/funcs/stmts, ≥65% branches), wired into Gitea CI as a dedicated step. Today's actuals: ≥95% lines on every gated file. Ratchet up as more modules get tested.)* - [x] **P1:** Resolve the SSE TODO — either ship a Fastify-5-compatible log-stream or remove the SSE claim from docs/UI. *(Chose **remove**: dropped `fastify-sse-v2` dep, deleted commented-out plugin import + TODO from `server.ts` and `deployments/routes.ts`, rewrote the README/DEPLOYMENT.md "Log Streaming" section as "Logs (JSON-polled, no SSE)". Web client already polls `/deployments/:id/logs` via `apiRequest` — no UI change needed. If a real-time stream is wanted later, implement via `reply.raw` and update docs in the same change.)* -- [ ] **P1:** Fix doc drift (web port 3000 vs 3049; endpoint URLs; merge duplicate deployment docs). +- [x] **P1:** Fix doc drift (web port 3000 vs 3049; endpoint URLs; merge duplicate deployment docs). *(`DEPLOYMENT.md` is now canonical; `DEPLOYMENT_GUIDE.md` reduced to a redirect stub; `deploy.sh` updated. Added an explicit "Ports — quick reference" table to `DEPLOYMENT.md` distinguishing container `:3000`, Compose host `:3049`, Traefik production. README and ENDPOINTS.md cross-link to it. Marks REVIEW_ACTIONS #5 resolved.)* - [ ] **P1:** Document the docker-socket + host-log/script mount privilege surface (the backend reads cross-user/host paths — blast radius must be written down; consider an allow-list wrapper over the raw socket). - [ ] **P2:** Structured backend logging (pino → stdout); wire E2E (`hermes.spec.ts`) into CI with a started stack.