Without this, pnpm install --prod in the production stage doesn't know
about referral-service dependencies (@nestjs/core etc.) and they are missing.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
pnpm does not hoist workspace package binaries to /app/node_modules/.bin;
each package's .bin/ is only available within that package's node_modules.
Use 'pnpm exec prisma generate' from the service directory so pnpm can
resolve the prisma binary from the local node_modules/.bin symlink.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Two fixes for Prisma on Alpine Linux:
1. Use /app/node_modules/.bin/prisma (workspace root) instead of
node_modules/.bin/prisma — pnpm does not hoist binaries into each
service's local node_modules/.bin, so the previous command silently
skipped via || true, leaving only the default linux-musl (libssl 1.1) binary.
2. Add openssl to apk packages so Prisma can run 'openssl version' at
runtime to detect OpenSSL 3.x and load the linux-musl-openssl-3.0.x
engine binary instead of defaulting to the missing libssl.so.1.1 variant.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Move prisma from devDependencies to dependencies so it is available
after pnpm install --prod in the Dockerfile production stage
- Replace failed COPY of /app/node_modules/.prisma (pnpm virtual store
path differs) with: COPY schema.prisma + RUN prisma generate in stage-1
- Only runs if schema.prisma exists (safe for all other services)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@prisma/client requires files generated by 'prisma generate' (.prisma/client/).
pnpm install --prod skips build scripts so the generated client is missing
in the production stage. Copy /app/node_modules/.prisma from builder to fix.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Dockerfile.service: add COPY lines for billing-service/package.json in
both build and production stages so pnpm install includes its deps
(omission caused 'node_modules missing' turbo build error)
- pnpm-lock.yaml: regenerated after running pnpm install to include all
billing-service dependencies (stripe, alipay-sdk, wechat-pay-v3, etc.)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Ensure /data/versions/android and /data/versions/ios directories are
created with correct appuser ownership during image build, fixing
EACCES permission error when version-service starts.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove iproute2/NET_ADMIN (no longer needed)
- Remove ip route hack from entrypoint.sh
- rwa-colocation-2 server record updated to use Docker gateway IP
since 14.215.128.96 is a host-local NIC on the IT0 server
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The bind-mounted SSH key is owned by host uid (1000/node) but the
service runs as appuser (uid 1001). Use su-exec in entrypoint.sh
to copy the key as root, fix ownership, then drop privileges.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Mount host key to /tmp/host-ssh-key (read-only), then copy to
appuser's .ssh directory with correct ownership at container start.
Fixes "Permission denied" due to uid mismatch on bind mount.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add openssh-client to Dockerfile.service (alpine)
- Create .ssh directory with correct permissions for appuser
- Mount host SSH key into agent-service container (read-only)
This allows the Agent SDK to SSH into managed servers using the Bash tool.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Without this, the SDK engine fails to create tenant HOME directories
because the Docker volume mount point doesn't exist and appuser lacks
write permissions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The Claude Agent SDK Bash tool requires a POSIX shell. Alpine only has
busybox ash, causing "No suitable shell found" errors. Install bash
and set SHELL=/bin/bash.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
SDK blocks bypassPermissions when running as root for security.
Add non-root 'appuser' to Dockerfile.service and update volume
mounts to use /home/appuser/.claude paths.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Docker Hub is unreachable from server, so node:20 can't be pulled.
Reverting to node:18-alpine (already cached) and using
--experimental-global-webcrypto to enable globalThis.crypto.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
crypto.randomUUID() is used throughout services but crypto is not
a global in Node.js 18. Node.js 20 provides globalThis.crypto.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Dockerfile.service: fix entry point path (dist/services/{name}/src/main)
due to tsconfig paths widening rootDir during compilation
- Kong config: remove unsupported ws/wss protocols (WebSocket works
automatically over http/https in Kong 3.7)
- voice-service: fix pipecat import path for v0.0.30 API
(pipecat.transports.network.websocket_server with lowercase class names)
- voice-service: add openai dependency required by pipecat anthropic service
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add shared Dockerfile.service for all 7 NestJS microservices using
multi-stage build with pnpm workspace support
- Add Dockerfile for web-admin (Next.js standalone output)
- Add .dockerignore files for root and web-admin
- Fix docker-compose.yml: use monorepo root as build context with
SERVICE_NAME build arg instead of per-service Dockerfiles
- Fix postgres/redis missing network config (services couldn't reach them)
- Use .env variables for DB credentials instead of hardcoded values
- Add JWT_REFRESH_SECRET and REDIS_URL to services that were missing them
- Add DB init script volume mount for postgres
- Remove deprecated version: '3.8' from all compose files
- Add output: 'standalone' to next.config.js for optimized Docker builds
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
hailin