diff --git a/.claude/handoffs/2026-04-24-195210-toolbar-workspace-dark-refresh-deploy.md b/.claude/handoffs/2026-04-24-195210-toolbar-workspace-dark-refresh-deploy.md index a2667d6..6f84235 100644 --- a/.claude/handoffs/2026-04-24-195210-toolbar-workspace-dark-refresh-deploy.md +++ b/.claude/handoffs/2026-04-24-195210-toolbar-workspace-dark-refresh-deploy.md 
@@ -116,8 +116,8 @@ ttyd serves only `--index /opt/sethmux/index.html` and the websocket — **toolb ## Important Context -- **Deployments are MANUAL.** Editing `static/toolbar.js` does not ship until `sudo cp static/toolbar.js /opt/sethmux/toolbar.js`. The Mar 26 → Mar 28 drift this session uncovered (3 toolbar fixes committed but never deployed) suggests this footgun has been hit before. -- **toolbar.js is served by Caddy from `/opt/sethmux/`, not by ttyd.** The systemd unit's `--index /opt/sethmux/index.html` only sets ttyd's index page; everything else under `/opt/sethmux/` is `file_server`'d by Caddy. Consequence: no daemon restart on toolbar changes. +- **Deployments are MANUAL and split across TWO hosts.** Static assets Caddy serves directly (`toolbar.js`, `manifest.json`, `icon-*.png`) live in `/opt/sethmux/` on **caddy CT** (192.168.0.185). Index and notify-server live in `/opt/sethmux/` on **steel141**. Same path, different filesystems. **First deploy this session went to the wrong host** (steel141 only) — symptom was "looks the same" because Caddy was still serving the old file from its own /opt/sethmux/. Correct deploy: `scp static/toolbar.js caddy:/opt/sethmux/`. The Mar 26 → Mar 28 drift this session uncovered (3 toolbar fixes committed but never deployed) suggests this footgun has been hit before — same root cause. +- **toolbar.js is served by Caddy from caddy-CT's `/opt/sethmux/`, not by ttyd.** The systemd unit's `--index /opt/sethmux/index.html` (on steel141) only sets ttyd's index page; static assets are `file_server`'d by Caddy, on Caddy's own filesystem. No daemon restart on toolbar changes. - **The pre-commit hook (`detect-secrets-hook`, configured at `~/.config/git/hooks/pre-commit`) flags SRI hashes as base64 high-entropy strings.** When adding new HTML with `integrity="sha384-..."` script tags, regenerate baseline with `detect-secrets scan --all-files --exclude-files '\.git/|\.secrets\.baseline$' > .secrets.baseline` before committing. 
NEVER use `--no-verify` — global rule. - **The compose bar and the helper-textarea hardening are complementary, not redundant.** Compose bar = autocorrect-friendly typing surface. Helper-textarea hardening = prevents Gboard from corrupting per-keystroke chord/arrow taps. Both stay. - **Authentik blocks unauthenticated curl** to mux.sethpc.xyz. To verify deploys via HTTP, you'd need an auth token; otherwise, file-hash on disk is the verification path. diff --git a/DECISIONS.md b/DECISIONS.md index 2815cd2..f7aac78 100644 --- a/DECISIONS.md +++ b/DECISIONS.md 
@@ -12,7 +12,19 @@ Format: `YYYY-MM-DD: ` - **Visual system: Google Workspace dark vocabulary, sethmux orange accent.** Tokens: bar `#202124`, button surface `#303134`, hairline `#3c4043`, primary text `#e8eaed`, accent `#D35400` (replaces Google blue), Roboto 12/500 + Roboto Mono 12/400 for chord keys. **Why:** the previous palette (`#111`/`#222`/2px orange top border) read as a generic terminal toolbar; the Workspace vocabulary makes the bar feel like a deliberate productivity surface while keeping `#D35400` as sethmux brand identity. -- **Manual deploy: `cp static/* /opt/sethmux/`.** No rsync, no auto-reload. **Why:** static assets only, served directly by Caddy from `/opt/sethmux/`. No daemon restart needed — ttyd doesn't serve `toolbar.js` (only `--index /opt/sethmux/index.html`); the rest is Caddy's `file_server` handler. Keep deploy explicit so we never ship in-progress edits. +- **Manual deploy is split across TWO hosts.** Static assets that Caddy serves directly (`toolbar.js`, `manifest.json`, `icon-*.png`) live in `/opt/sethmux/` on the **caddy CT** (192.168.0.185, `ssh caddy`). The ttyd index (`index.html`) and notify-server (`notify-server.py`) live in `/opt/sethmux/` on **steel141** (192.168.0.141), where the systemd units run. Both hosts happen to use `/opt/sethmux/` — easy to confuse. **Why:** Caddy's `handle /toolbar.js { root * /opt/sethmux; file_server }` resolves the root against **Caddy's own filesystem**, not the upstream's. Caddy is on the caddy CT, so that's where the file must live. Catch-all `handle { reverse_proxy 192.168.0.141:7683 }` proxies the index page request to ttyd on steel141, which serves `--index /opt/sethmux/index.html` from its own disk. 
+ + **Deploy commands:** + ```bash + # Static assets served by Caddy → caddy CT + scp static/toolbar.js static/manifest.json static/icon-*.png caddy:/opt/sethmux/ + + # ttyd index + notify-server → steel141 (this host) + sudo cp static/index.html /opt/sethmux/ + sudo cp notify-server.py /opt/sethmux/ + ``` + + No daemon restart needed for static-asset changes. Restart `sethmux.service` (steel141) only when changing ttyd args or `index.html`. ## Deferred / Rejected
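Review bot: In the handoff hunk (`.claude/handoffs/...-deploy.md`), the added "Deployments are MANUAL and split across TWO hosts" bullet gives a "Correct deploy" command but no verification step, even though the wrong-host failure it records was silent ("looks the same"). The unchanged Authentik bullet in the same hunk says file-hash on disk is the verification path, but not on which host. Suggest naming the host in the new bullet, for example comparing `sha256sum static/toolbar.js` in the repo with `ssh caddy sha256sum /opt/sethmux/toolbar.js`, so that a copy that landed only on steel141 is caught at deploy time. The bullet also lists `manifest.json` and `icon-*.png` as Caddy-served while the "Correct deploy" command copies only `toolbar.js`; either list all three or point to the DECISIONS.md commands.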
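Review bot: In the DECISIONS.md hunk, the closing added line names a restart only for `sethmux.service` (ttyd args or `index.html`), yet the deploy block also copies `notify-server.py` and the entry says the systemd units (plural) run on steel141. State which unit has to be restarted after a notify-server change, otherwise the same "deployed but still running the old code" drift can recur there. Separately, the `scp ... caddy:/opt/sethmux/` line writes without `sudo` while both steel141 copies need `sudo cp`. Document which account on the caddy CT has write access to `/opt/sethmux/`, since whoever can write there controls the `toolbar.js` that Caddy serves. The removed line's rationale "Keep deploy explicit so we never ship in-progress edits" is also gone from the new text; keep it if it still applies.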