2 Commits

Author	SHA1	Message	Date
josh	23bd0f0c6a	fix(deploy): auth/CSRF cookies dropped on plain-HTTP prod ... Every cookie was flagged Secure whenever NODE_ENV=production. Over plain HTTP (single-host compose deploy without TLS) browsers silently discard Secure cookies, so the access token, refresh token, and CSRF cookie all vanished after login — producing 401 Unauthorized on every GET and 403 "CSRF token missing or invalid" on every mutation. Add COOKIE_SECURE to ApiEnv: optional boolean, falls back to NODE_ENV === 'production' when unset. Controllers and middleware now read env.COOKIE_SECURE instead of the NODE_ENV shortcut. The compose file sets it to false by default with a comment to flip once TLS is in front; HTTPS deployments can override via .env or drop the override to pick up the secure default.	2026-04-17 08:31:12 -04:00
josh	7c0d422228	chore: initial Vector 2.0 monorepo ... Ground-up TypeScript rewrite of the Vector hardware parts inventory system. Ships the full roadmap (Phases 0-8) in one initial commit: - pnpm + Turbo monorepo: apps/{api,web,e2e}, packages/{db,shared,ui,config} - Express 5 + Prisma 5 + zod validation + JWT w/ refresh-token rotation - React 19 + Vite + shadcn/ui + TanStack Query/Table + nuqs URL state - Repair/RMA, tags, bulk ops, saved views, CSV audit export - Analytics dashboard on Recharts + EOL tracking - Signed webhook subscriptions (HMAC-SHA256) with in-process emitter - Vitest unit tests (shared schemas, api services/helpers) + Playwright skeleton - Gitea Actions CI (lint, typecheck, test+coverage, build) + Renovate Deferred follow-ups: Postgres cutover (data-migration script ready), BullMQ worker for webhook delivery, @react-pdf PDF export, CSV import wizard.	2026-04-16 20:52:32 -04:00