diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 941deb52..736632f0 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -97,6 +97,10 @@ services:
 - PUBLIC_CHAT_URL=${PUBLIC_CHAT_URL:-}
 # Frontend URL for post-OAuth redirects
 - FRONTEND_URL=${FRONTEND_URL:-}
+ # CORS — comma-separated extra allowed origins (read by config.py via
+ # EXTRA_CORS_ORIGINS). Mirrors docker-compose.yml; without this line the
+ # .env value is inert in prod (the #1039 packaging-gap class).
+ - EXTRA_CORS_ORIGINS=${EXTRA_CORS_ORIGINS:-}
 # Backend's own public origin — used to build OAuth redirect URIs
 # ({BACKEND_URL}/api/oauth/{provider}/callback, read by config.py). Mirrors
 # docker-compose.yml; without this line the .env value is inert in prod (the
@@ -121,6 +125,18 @@ services:
 # packaging-gap class).
 - TELEMETRY_CONTAINER_STATS_TTL=${TELEMETRY_CONTAINER_STATS_TTL:-10}
 - TELEMETRY_DOCKER_POOL_SIZE=${TELEMETRY_DOCKER_POOL_SIZE:-16}
+ # SSH access host override (read by services/ssh_service.py). Mirrors
+ # docker-compose.yml; without this line the .env value is inert in prod (the
+ # #1039 packaging-gap class) and SSH host detection falls back to localhost.
+ - SSH_HOST=${SSH_HOST:-}
+ # Log retention & archival (services/log_archive_service.py). Mirrors
+ # docker-compose.yml; without these lines the .env knobs are inert in prod
+ # (the #1039 packaging-gap class). LOG_ARCHIVE_PATH is intentionally omitted:
+ # the code default (/data/archives) already lands in the TRINITY_DATA_PATH
+ # bind mount (/data), so no new volume is needed.
+ - LOG_ARCHIVE_ENABLED=${LOG_ARCHIVE_ENABLED:-true}
+ - LOG_RETENTION_DAYS=${LOG_RETENTION_DAYS:-90}
+ - LOG_CLEANUP_HOUR=${LOG_CLEANUP_HOUR:-3}
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
 - ./config/agent-templates:/agent-configs/templates:ro
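Review bot: `EXTRA_CORS_ORIGINS=${EXTRA_CORS_ORIGINS:-}` forwards an empty string rather than leaving the variable unset when .env has no value, so the comma-split in config.py (not in this diff) must treat `''` as "no extra origins" and discard blank entries — otherwise an empty-string origin, or a stray `*` pasted into .env, silently widens the allowed-origin list. Worth confirming on the backend side before merging, and then recording it here so the next reader does not have to, e.g. `# Empty (the default) adds no origins; config.py discards blank entries.` The `environment` list continues outside the hunk.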
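Review bot: `LOG_ARCHIVE_ENABLED=${LOG_ARCHIVE_ENABLED:-true}` turns retention and cleanup on by default in prod, while the directory it reads is mounted read-only in the next hunk (`trinity-logs:/data/logs:ro`); if log_archive_service.py prunes files under LOG_DIR once they pass LOG_RETENTION_DAYS, that step will fail on the read-only mount and the source directory keeps growing while archiving appears to work. Confirm whether the service only copies out of /data/logs (then read-only is correct and the safer choice) or also deletes there, and state the answer in the comment, e.g. `# /data/logs is mounted read-only: archival copies out of it and never prunes the source.` All three `LOG_*` values reach the container as strings, so the `true` default and the two numbers each need parsing on the Python side; the `environment` list continues outside the hunk.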
@@ -128,6 +144,10 @@ services:
 - ./config/process-docs:/app/config/process-docs:ro
 - agent-configs:/agent-configs
 - ${TRINITY_DATA_PATH:-./trinity-data}:/data
+ # Read-only access to Vector's logs so log_archive_service.py (reads
+ # /data/logs) can run in prod. Mirrors docker-compose.yml; without it the
+ # forwarded LOG_* knobs are inert (LOG_DIR not found) — the #1039 class.
+ - trinity-logs:/data/logs:ro
 depends_on:
 redis:
 condition: service_healthy
@@ -364,6 +384,12 @@ services:
 # Fail-loud at compose render rather than silently use a well-known fallback (issue #692).
 - "TRINITY_PASSWORD=${ADMIN_PASSWORD:?ADMIN_PASSWORD must be set in .env}"
 - MCP_REQUIRE_API_KEY=${MCP_REQUIRE_API_KEY:-true}
+ # INTERNAL_API_SECRET (SEC-001) — shared secret for POST /api/internal/audit
+ # so MCP tool-call audit reaches the backend. Mirrors docker-compose.yml;
+ # without it audit.ts (postAudit) early-returns and ALL MCP tool-call audit
+ # is silently dropped in prod (the #1039 packaging-gap class). No default —
+ # matches the backend/scheduler prod style.
+ - INTERNAL_API_SECRET=${INTERNAL_API_SECRET}
 # No REDIS_URL: src/mcp-server/ (TypeScript) has zero Redis imports.
 # Don't hand a credential to a process that has no use for it.
 depends_on:
diff --git a/src/frontend/src/components/HostTelemetry.vue b/src/frontend/src/components/HostTelemetry.vue
index b1520944..7f53550d 100644
--- a/src/frontend/src/components/HostTelemetry.vue
+++ b/src/frontend/src/components/HostTelemetry.vue
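Review bot: `trinity-logs:/data/logs:ro` references a named volume that must also be declared in this file's top-level `volumes:` block; docker-compose.prod.yml is rendered on its own, so if `trinity-logs` is only declared in docker-compose.yml the prod render fails with an undefined-volume error, and that block is not visible in this hunk. If the Vector service in this file already writes to `trinity-logs`, a pointer in the comment would make the coupling explicit, e.g. `# Declared under top-level volumes:; written by the vector service.` The `volumes` list and the `depends_on` mapping continue outside the hunk.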
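Review bot: `INTERNAL_API_SECRET=${INTERNAL_API_SECRET}` has no render-time guard, so when .env lacks the value compose substitutes an empty string (with only a warning) and the container starts with `INTERNAL_API_SECRET=` — the silent audit drop the comment above it describes, just moved one step later. Two lines up this same service already uses `${ADMIN_PASSWORD:?ADMIN_PASSWORD must be set in .env}`; `- INTERNAL_API_SECRET=${INTERNAL_API_SECRET:?INTERNAL_API_SECRET must be set in .env}` would make a missing secret a render-time error here, and if the backend/scheduler lines this mirrors also lack the guard they deserve the same change so the two sides cannot disagree. If allowing an unset value in some deployments is deliberate, the comment should say when and why; "No default — matches the backend/scheduler prod style" reads as a style note rather than a decision.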
@@ -2,7 +2,11 @@
 import { ref, onMounted, onUnmounted } from 'vue'
 import SparklineChart from './SparklineChart.vue'
-const API_BASE = import.meta.env.VITE_API_BASE || ''
+// Relative, same-origin API base (nginx/Vite proxy) — matches api.js baseURL: ''.
+// Intentionally not an env var: VITE_API_BASE was never set anywhere, so this was
+// always '' (see #722 — do not point it at VITE_API_URL, that build-defaults to
+// http://localhost:8000 and would break same-origin calls).
+const API_BASE = ''
 // History configuration: 60 samples at 5s intervals = 5 minutes
 const MAX_POINTS = 60
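Review bot: `const API_BASE = ''` keeps a second copy of the same-origin base that the new comment says lives in api.js (`baseURL: ''`), so the two can drift without anyone noticing; if api.js exports its instance or base, importing it here instead of redeclaring the value would leave one source of truth and let this four-line comment shrink to a one-line pointer. With the value pinned to `''`, wherever the component interpolates `${API_BASE}` it is now a plain relative path, so the constant itself is arguably dead and could be removed together with its uses. The rest of the `<script setup>` block continues outside the hunk.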