bump

.cursor/rules/protect-authelia-bypass-routes.mdc

@@ -0,0 +1,19 @@
+---
+description: Never remove /success or other Stripe/auth bypass routes from Authelia
+alwaysApply: true
+---
+
+# Authelia bypass routes must not be reverted
+
+**Recurring issue:** After Stripe checkout, users are sent to `https://bc.a250.ca/success?session_id=...`. If `/success` is **not** in Authelia's **bypass** list, they get sent to login instead of the success page and provisioning breaks.
+
+**Do not:**
+
+- Remove `/success` from the bypass `resources` in `stack.yml` (the Authelia command that writes `configuration.acl.yml`).
+- Remove or merge the bypass block that contains: `^/$$`, `^/subscribe/?$$`, `^/success(/|\\?.*)?$$`, `^/webhook/stripe/?$$`, `^/resend-reset/?$$`, `^/health/?$$`, `^/version/?$$`, `^/admin/delete-user/?$$`.
+- Change the regex for success to something that no longer matches `/success?session_id=...`.
+
+**Required bypass resources for bc.a250.ca (second bypass block):**  
+`/`, `/subscribe`, `/success` (with optional query), `/webhook/stripe`, `/resend-reset`, `/health`, `/version`, `/admin/delete-user`.
+
+**If editing `stack.yml` Authelia section:** keep the entire bypass block and all of these resources; only add new paths when the user explicitly asks.

.cursor/rules/protect-subscribe-settings.mdc

@@ -5,14 +5,15 @@ alwaysApply: true
 
 # Subscribe / Stripe configuration is off-limits
 
+**Do not use .env.** All config is in `stack.yml`; do not add or rely on `.env` for deploy.
+
 **Do not under any circumstance:**
 
 - Remove, comment out, reorder, or rename the `STRIPE_*` or subscribe-related environment variables in `stack.yml` (the `ss-atlas` service `environment:` block).
-- Remove or alter the same variables in `.env`.
+- Stash, replace, or overwrite `stack.yml` in a way that drops or changes the Stripe/subscribe env vars.
-- Stash, replace, or overwrite `stack.yml` or `.env` in a way that drops or changes the Stripe/subscribe env vars.
+- Add logic that loads config from `.env` or clears these values at deploy or runtime.
-- Add logic that clears or overwrites these values at deploy or runtime.
 
 **Required subscribe-related vars in `stack.yml` for `ss-atlas`:**  
 `STRIPE_SECRET_KEY`, `STRIPE_WEBHOOK_SECRET`, `STRIPE_PRICE_ID`, `STRIPE_PRICE_ID_FREE`, `STRIPE_PRICE_ID_YEAR`, `STRIPE_PRICE_ID_MONTH_100`, `STRIPE_PRICE_ID_MONTH_200`, `STRIPE_PAYMENT_LINK`, `FREE_TIER_LIMIT`, `YEAR_TIER_LIMIT`, `MAX_SIGNUPS`.
 
-**If editing `stack.yml` or deploy flow:** preserve the full `ss-atlas` environment section exactly; only add new vars or change non-Stripe defaults when the user explicitly asks.
+**If editing `stack.yml` or deploy flow:** preserve the full `ss-atlas` environment section exactly; only add new vars or change values when the user explicitly asks.

scripts/deploy-stack-dev.sh

@@ -4,7 +4,7 @@ set -e
 
 cd "$(dirname "$0")/.."
 
-[ -f .env ] && set -a && . .env && set +a
+# Config is in stack.yml; do not use .env
 
 if [ -n "$(git status --porcelain)" ]; then
   echo "ERROR: Working tree is dirty. Commit your changes before deploying." >&2

stack.yml

@@ -180,22 +180,22 @@ services:
         - "traefik.http.middlewares.strip-traefik.stripprefix.prefixes=/admin/traefik"
         - "traefik.http.services.traefik-api.loadbalancer.server.port=8080"
 
-  # SUBSCRIBE/STRIPE: Do not remove or reorder the STRIPE_* and tier env vars below.
+  # SUBSCRIBE/STRIPE: Do not remove or reorder. Values are in this file; do not use .env.
-  # They are loaded from .env at deploy time. See .cursor/rules/protect-subscribe-settings.mdc
+  # See .cursor/rules/protect-subscribe-settings.mdc
   ss-atlas:
     image: atlas-ss-atlas:latest
     environment:
-      - STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY:-sk_test_placeholder}
+      - STRIPE_SECRET_KEY=sk_test_51T6uRBRfasa3uSsu1EwvRHaGKhWopjeBz15aDACaI3ectJ1przHIKTX2DAqJu7DDtsBMhIuRiyVf0MY9ivtUvzk800kEZ5advL
-      - STRIPE_WEBHOOK_SECRET=${STRIPE_WEBHOOK_SECRET:-whsec_placeholder}
+      - STRIPE_WEBHOOK_SECRET=whsec_placeholder
-      - STRIPE_PRICE_ID=${STRIPE_PRICE_ID:-}
+      - STRIPE_PRICE_ID=price_1T6v8dRfasa3uSsuCWmIC0Fn
-      - STRIPE_PRICE_ID_FREE=${STRIPE_PRICE_ID_FREE:-}
+      - STRIPE_PRICE_ID_FREE=price_1T7NOURfasa3uSsuEpbKAD1h
-      - STRIPE_PRICE_ID_YEAR=${STRIPE_PRICE_ID_YEAR:-}
+      - STRIPE_PRICE_ID_YEAR=price_1T7NOURfasa3uSsu3fB9ivyn
-      - STRIPE_PRICE_ID_MONTH_100=${STRIPE_PRICE_ID_MONTH_100:-}
+      - STRIPE_PRICE_ID_MONTH_100=price_1T7NOVRfasa3uSsuEaxzMNno
-      - STRIPE_PRICE_ID_MONTH_200=${STRIPE_PRICE_ID_MONTH_200:-}
+      - STRIPE_PRICE_ID_MONTH_200=price_1T7NOVRfasa3uSsucQRRlPCi
-      - STRIPE_PAYMENT_LINK=${STRIPE_PAYMENT_LINK:-}
+      - STRIPE_PAYMENT_LINK=
-      - FREE_TIER_LIMIT=${FREE_TIER_LIMIT:-10}
+      - FREE_TIER_LIMIT=10
-      - YEAR_TIER_LIMIT=${YEAR_TIER_LIMIT:-50}
+      - YEAR_TIER_LIMIT=50
-      - MAX_SIGNUPS=${MAX_SIGNUPS:-0}
+      - MAX_SIGNUPS=0
       - LLDAP_URL=ldap://lldap:3890
       - LLDAP_ADMIN_DN=uid=admin,ou=people,dc=a250,dc=ca
       - LLDAP_ADMIN_PASSWORD=/ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=
@@ -210,9 +210,9 @@ services:
       - CUSTOMER_DOMAIN=bc.a250.ca
       - TEMPLATE_PATH=/app/templates
       - ARCHIVE_PATH=/archives
-      - LANDING_TAGLINE=${LANDING_TAGLINE:-Your own workspace, ready in minutes.}
+      - LANDING_TAGLINE=Your own workspace, ready in minutes.
-      - LANDING_FEATURES=${LANDING_FEATURES:-Dedicated environment|Secure single sign-on|Automatic provisioning|Manage subscription anytime}
+      - LANDING_FEATURES=Dedicated environment|Secure single sign-on|Automatic provisioning|Manage subscription anytime
-      - ADMIN_SECRET=${ADMIN_SECRET:-}
+      - ADMIN_SECRET=
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - atlas_archives:/archives