553c681ede
build: add runtime-only Dockerfile + nginx hardening + allow dist in build context
build-and-publish / test (push) Waiting to run
build-and-publish / image (push) Blocked by required conditions
Runtime-only Dockerfile.runtime copies a pre-built dist/ into the nginx
image; sidesteps the Node-on-emulation libuv crash when building on
Apple Silicon for linux/amd64.
nginx.conf hardened:
- HSTS, X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy
- Permissions-Policy locking down camera/microphone/geolocation/payment
- Content-Security-Policy with strict default-src self + connect-src
scoped to our backend
- COOP / CORP same-origin
- X-Robots-Tag noindex (not a public marketing site)
- server_tokens off
Confidence: high
Scope-risk: narrow
2026-06-14 03:52:36 +04:00
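A header list like the one in this commit is easy to regress, because nginx stops inheriting server-level `add_header` directives in any `location` block that declares its own. The following is an added example, not code from this repository, that audits a response's headers against the list above and could be called from a smoke test. The function names, the exact expected values where the commit names only the header, and the allowed `connect-src` origin are assumptions.

```javascript
// Added example: audit response headers against the commit's hardening list.
// Exact values are assumptions wherever the commit names only the header.
const LOCKED = ["camera", "microphone", "geolocation", "payment"];

function cspOk(value, allowedConnect) {
  const csp = {};
  for (const part of value.split(";")) {
    const [name, ...src] = part.trim().split(/\s+/);
    if (name) csp[name.toLowerCase()] = src;
  }
  const def = csp["default-src"] || [];
  const conn = csp["connect-src"] || def; // connect-src falls back to default-src
  return def.length === 1 && def[0] === "'self'" &&
    conn.every(s => s === "'self'" || allowedConnect.includes(s));
}

const CHECKS = {
  "strict-transport-security": v => /max-age=[1-9]\d*/i.test(v),
  "x-content-type-options": v => v.toLowerCase() === "nosniff",
  "x-frame-options": v => v.toUpperCase() === "DENY",
  "referrer-policy": v => v !== "" && v.toLowerCase() !== "unsafe-url",
  "permissions-policy": v => LOCKED.every(f => new RegExp(`\\b${f}=\\(\\)`).test(v)),
  "content-security-policy": cspOk,
  "cross-origin-opener-policy": v => v === "same-origin",
  "cross-origin-resource-policy": v => v === "same-origin",
  "x-robots-tag": v => /\bnoindex\b/i.test(v),
};

function audit(headers, allowedConnect) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const failed = Object.keys(CHECKS).filter(n => !(n in h) || !CHECKS[n](h[n], allowedConnect));
  // server_tokens off: nginx still sends "Server: nginx", but without a version
  if (/nginx\/\d/i.test(h["server"] || "")) failed.push("server");
  return failed;
}

// Constructed sample responses (not captured from the live site)
const ALLOWED = ["https://demo.flow-master.ai"]; // assumed backend origin
const GOOD = {
  "Strict-Transport-Security": "max-age=31536000", "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY", "Referrer-Policy": "no-referrer",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
  "Content-Security-Policy": "default-src 'self'; connect-src 'self' https://demo.flow-master.ai",
  "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Resource-Policy": "same-origin",
  "X-Robots-Tag": "noindex", "Server": "nginx",
};
const WEAK = { ...GOOD, "Content-Security-Policy": "default-src 'self'; connect-src *", Server: "nginx/1.25.3" };
const API = { "Cache-Control": "no-store", Server: "nginx" }; // location with its own add_header
```

`audit` returns the names of the headers that are missing or weaker than expected, so an empty array means the response matches the list.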
b2c1e57c86
deploy: live at canvas.flow-master.ai
build-and-publish / test (push) Has been cancelled
build-and-publish / image (push) Has been cancelled
- index.html title 'FlowMaster · Mission Control' + theme-color #1a2740
- Settings About box names canvas.flow-master.ai as the canonical URL
- README rewritten: live URL up top, deploy section reflects merged PR
+ Cloudflare A record added (this session), end-to-end serving with
cert-manager TLS + nginx /api/* proxy to demo.flow-master.ai
- .dockerignore added (excludes node_modules, dist, qa/screenshots,
.git, bak files) — keeps the build context lean
- qa/smoke_canvas.mjs (new) — real-URL Playwright smoke against
https://canvas.flow-master.ai with --host-resolver-rules so the
local DNS cache can't shadow the freshly-published A record.
8/8 PASS, 0 console errors:
✓ landing renders at canvas.flow-master.ai
✓ hero title present
✓ scenario cards >= 7 (count=7)
✓ mission control loaded
✓ blueprint canvas mounted
✓ blueprint nodes rendered (nodes=3)
✓ LIVE mode resolves against canvas /api proxy
✓ at least one /api call observed (count=1)
Deployment chain:
shad/flowmaster-mission-control-demo @ dba1eb3
→ docker buildx on build01 (linux/amd64 native)
→ gitea.flow-master.ai/shad/mission-control-demo:sha-dba1eb3
→ FM06/flowmaster-ops PR #1164 (merged)
→ kubectl apply -n demo (ArgoCD was Degraded due to unrelated
fm-shell env-var dupe; bypassed by applying directly)
→ 2/2 mc-mission-control pods Running
→ cluster ingress + cert-manager + Cloudflare A record
→ https://canvas.flow-master.ai serves the SPA + proxies /api to demo.flow-master.ai
Confidence: high
Scope-risk: narrow (demo namespace only; no shared baseline mutation)
Not-tested: long-term cert renewal cycle (will happen automatically;
cert-manager letsencrypt-prod-dns issuer is already proven by hakeem)
2026-06-14 02:46:34 +04:00