Acts on the audit's NEXT block — operational resilience.
Backups (N1):
- New `backup` compose service (postgres:16-alpine) runs scripts/backup-loop.sh:
immediate pg_dump on start, then nightly, gzip, 14-day rotation into
./backups on the host. Configurable via BACKUP_RETENTION_DAYS /
BACKUP_INTERVAL_SECONDS. (Offsite copy is the documented next step.)
Resource limits + healthchecks (N2):
- deploy.resources.limits.memory on postgres (2g), app (1500m), nginx (256m),
backup (256m) so no container can starve the others (the Nginx outage was a
reminder).
- Nginx now has a healthcheck hitting a new self-served `/nginx-health`
endpoint on the default_server (no upstream dependency).
Chat resilience (N3):
- buildSystemPrompt() wraps its 4 Prisma queries in try/catch with safe
defaults — if Postgres is down the assistant degrades instead of 500-ing.
- Result is cached for 60s (only on healthy builds) so we don't run 4 queries
per message; CMS edits still appear within the TTL.
- POST fails fast with 503 if OPENAI_API_KEY is missing (instead of breaking
mid-stream after headers are sent).
- streamText gets an onError handler that logs + persists an `error` AiEvent.
Idempotent submissions (N4):
- consultation/route.ts and operations.ts now wrap the email-tracking UPDATE
in try/catch — the lead/signal is already saved, so a telemetry hiccup can't
500 the request and trigger a duplicate retry. operations.ts also returns
emailError.
Performance (N5):
- Index GlobalNode(application, isActive) — backs the case-study join on every
application page. Migration 20260609130000_index_globalnode_application.
Verified: next build compiles (Docker parity, SESSION_SECRET unset),
TypeScript clean, prisma schema valid, golden tests 17/17,
`docker compose config` valid.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Acts on the verified findings from the 2026-06 audit (docs/AUDIT_2026-06_
VERIFIED.md). The audit's #1 "middleware never runs" was a false positive
(verified in prod: /hq-command redirects to login). These are the genuine
gaps:
- SEC-04 (HIGH): /api/assets (GET/POST/PUT/DELETE/PATCH) and
/api/branding/favicon (POST) had NO auth. The middleware matcher excludes
/api, so they were world-reachable — anyone could list/upload/rename/
delete CMS files or regenerate the favicon. Added a new getAdminSession()
helper (src/lib/session.ts) and a requireAdmin() guard on every handler.
- DB-01 (HIGH): the ClientUser table (B2B client portal) was defined in the
schema but NEVER created by any migration, and OperationsSignal.clientId +
its FK were missing too. B2B register/login failed at runtime; the
dashboard silently showed 0 clients. New additive migration
20260609120000_add_client_user creates the table, the unique email index,
the clientId column (IF NOT EXISTS), and the FK (duplicate-object guarded).
- SEC-05 (MED-HIGH): operations.ts generateRichEmailHtml() interpolated
item.title/sku/quantity, clientName/Company/Email/Phone and the free-text
message straight into HTML — stored XSS into the team's internal inbox.
Now escaped via escapeHtml/escapeAttr/safeMailto; file links validated to
internal paths only.
- SEC-01 (MED): removed the hardcoded SESSION_SECRET fallback in src/proxy.ts;
it now validates lazily and throws if the secret is missing (mirrors
session.ts), so a runtime env failure can't fall back to a public key.
Verified: next build compiles with SESSION_SECRET unset (Docker parity),
TypeScript clean, prisma schema valid, golden tests 17/17.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Editors can now control the order applications appear in, the same way they
already reorder Hero slides.
- Application gains an `order Int @default(0)` column (additive migration
20260605120000_add_application_order, IF NOT EXISTS, safe for deploy) plus
an (isActive, order) index.
- New reorderApplications(orderedSlugs) server action — single $transaction
renumbering, mirrors reorderHeroSlides.
- HQ applications panel: rows are now draggable by a grip handle (HTML5 DnD,
optimistic local reorder, persisted on drop, toast feedback).
- All public-facing queries now order by [order asc, createdAt asc]: home
ApplicationsDashboard + GlobalOperations, the footer apps list, and the
HQ list itself. Existing rows default to 0 so current order is preserved
until the editor drags something.
Verified: production build compiles, TypeScript clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
New "Team" section — a LinkedIn-style minimal profile page for the FLUX
team, fully editable from the HQ Command Center.
Data model:
- New TeamMember model (name, role, bio, photoUrl, optional social links:
email/linkedin/x/website, order, isActive, translationsJson).
- Additive migration 20260602120000_add_team_member (IF NOT EXISTS guards).
- Name stays as written; role + bio are translatable via the AI engine.
HQ panel (/hq-command/dashboard/team):
- Drag-to-reorder (same HTML5 pattern as the Hero panel).
- Inline auto-save for name/role/visibility; expandable editor for photo
upload, bio, social links, and AI auto-translate to IT/VEC/ES/DE.
- Photo upload reuses /api/assets with a new flat "team" scope -> /public/team/.
- Dashboard tile added.
Public page (/[locale]/team):
- Responsive card grid (framer-motion stagger), portrait + name + role +
bio + social icons (only the links that exist render).
- Per-member Person JSON-LD + breadcrumb for SEO.
- Localized via getLocalizedData; new TeamPage namespace in all 5 locales.
- NavBar item "Team" inserted before "Spare Parts" (translated 5 locales).
- Added to sitemap.
Infra:
- "team" scope registered in /api/assets (SCOPE_ROOTS + FLAT_SCOPES +
buildPublicUrl) and revalidate.ts (RevalidateScope + path).
- Nginx serves /team/ from disk; docker-compose mounts public/team in both
app and nginx (rw + ro).
Verified: production build compiles, all 5 /[locale]/team routes + the HQ
panel render; TypeScript clean; 5 message files valid JSON.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Security (critical):
- SESSION_SECRET fail-fast: refuse to boot without a 32+ char secret
(src/lib/session.ts, src/app/actions/clientAuth.ts)
- Rate limit with pluggable backend: in-memory by default, auto-promotes
to Upstash Redis when REDIS_URL is set (src/lib/rateLimit.ts)
- CSRF (double-submit HMAC) + Zod validation on /api/consultation;
new /api/csrf endpoint mints tokens (src/lib/csrf.ts)
- escapeHtml + safeMailto helpers; consultation email template now
fully escapes user-controlled fields (src/lib/escapeHtml.ts)
- Magic-byte validation for /api/public-upload — rejects HTML/JS
payloads renamed to .png/.mp4 (src/lib/fileType.ts)
- Nginx: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy,
Permissions-Policy + 5r/m upload zone for /api/public-upload and
/api/assets (nginx/conf.d/flux.conf)
Quality:
- Delete GlobalOperations_old.tsx dead code (310 LOC)
- NavBar: replace 2s session polling with CustomEvent("flux:session-
changed") + visibilitychange listener (no more interval leaks)
- Type-safe CMS shapes via src/types/cms.ts (replaces any[] in
ApplicationsDashboard + GlobalOperations)
- /api/health now pings Postgres; docker-compose healthcheck added
- Structured JSON logger (src/lib/logger.ts) — drop-in replacement
for console.error across API routes
- Prisma indices on isActive/category/nodeType filters
FluxAI persistence + analytics:
- New models AiConversation + AiEvent with funnel stage detection
(DISCOVERY -> QUALIFY -> RECOMMEND -> HANDOFF) and OperationsSignal
back-ref so converted chats link to their consultation ticket
- /api/chat persists every user msg, ai msg, tool call, tool result;
IP is sha256-hashed with SESSION_SECRET salt; promptCacheKey wired
for when @ai-sdk/openai lands the feature
- New HQ dashboard at /hq-command/dashboard/conversations: 4 KPIs
(total, conversion rate, avg messages, avg tools), funnel + industry
breakdowns, last-50 table, per-id transcript with tool timeline
- SilentObserver sends sessionId/locale/pageUrl in transport body so
the route can stitch messages into the same conversation
- src/lib/aiSessionId.ts: localStorage UUID with sessionStorage +
in-memory fallbacks for privacy mode
- Golden tests via node --test (13 cases, no new deps);
npm run test:ai
Migration:
- prisma/migrations/20260526180000_add_indexes_and_ai_telemetry —
additive only, IF NOT EXISTS guards, safe for migrate deploy
env template hardened: SESSION_SECRET documented as required + how
to generate; REDIS_URL/REDIS_TOKEN documented as opt-in for multi-
instance deploys.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replaces the filesystem-scan hero (fs.readdirSync of /public/footage/main)
with a fully CMS-driven HeroSlide model. Editors can now drag-drop reorder,
toggle slides on/off, set focal points for proper mobile cropping, and
auto-translate per-slide captions.
NEW SCHEMA (additive — does not touch existing tables)
- HeroSlide: mediaUrl, mediaType, altText, order, isActive, focalPointX,
focalPointY, translationsJson, timestamps
- SiteSetting: key-value JSON store for site-wide config (favicon, logo,
footer, OG image) — wired up in next commit
- Migration 20260504120000_add_hero_slides_and_site_settings/migration.sql
uses CREATE TABLE IF NOT EXISTS, additive only
HERO REEL REFACTOR (Bug #4 — responsive mobile/iPad)
- Switches from `images: string[]` to `slides: HeroSlideData[]` while
keeping a backwards-compat path so legacy callers still work
- w-screen → w-full max-w-[100vw] (no horizontal scroll on iOS)
- h-[100vh] → h-[100svh] so iOS Safari URL bar doesn't push content
- Reduces title font sizes on small viewports (text-3xl → text-4xl
→ text-5xl → text-[5.5rem]) so the headline stays inside the canvas
- objectPosition driven by focal-point fields per slide
- Native <video> support for video slides
HQ COMMAND — /hq-command/dashboard/hero
- Drag-drop reorder, click-to-set-focal-point, inline alt-text editing
- Auto-save with "Saving…" / "Saved ✓" indicators
- Per-slide caption overrides (title, subtitle, descriptions)
- Optional one-click AI translation to IT, VEC, ES, DE
- Drop-zone uploader → /api/assets (scope=footage, flat folder)
API — /api/assets
- New flat scopes: "footage" (writes to /public/footage/main) and
"branding" (writes to /public/branding) — slug-less for site-wide assets
- New buildPublicUrl helper centralises the URL convention
- Revalidate helper expanded with branding + settings scopes
HOME PAGE
- Reads hero slides from DB first; falls back to filesystem scan when
HeroSlide table is empty (so production keeps working immediately
after migration runs but before the editor populates rows)
DEPLOY NOTES
- After git pull on VPS, run the migration ONCE:
docker compose exec app npx prisma migrate deploy
Then:
docker compose up -d --build app
Existing data (AdminUser w/ 2FA, ClientUser, GlobalNode, Application,
TimelineEvent, NewsArticle, HeritageSection, SparePart, OperationsSignal,
NotificationRoute, PageContent) is NOT touched. Migration only creates
two new tables.
davidherran