From b472c149b4f881fbe3d98405547930f8ed2bf0cd Mon Sep 17 00:00:00 2001 From: Hardik Date: Fri, 19 Jun 2026 11:59:25 +0530 Subject: [PATCH] feat(automation): lock staging to SSH tunnel + dev banner + desktop shortcut - staging-up.sh binds the dev server to 127.0.0.1 (tunnel-only, no public access) and sets NEXT_PUBLIC_ENV_LABEL so the 'INTERNAL DEV / STAGING - NOT PRODUCTION' banner shows. - staging-tunnel.cmd: Windows launcher that opens the SSH tunnel + browser (wired to a desktop shortcut). Co-Authored-By: Claude Opus 4.8 --- automation/README.md | 12 ++++++++---- automation/staging-tunnel.cmd | 15 +++++++++++++++ automation/staging-up.sh | 5 ++++- 3 files changed, 27 insertions(+), 5 deletions(-) create mode 100644 automation/staging-tunnel.cmd diff --git a/automation/README.md b/automation/README.md index 1182734..8f938cc 100644 --- a/automation/README.md +++ b/automation/README.md 
@@ -93,10 +93,14 @@ before a release tag deploys them to prod. (`pelagia_test`), safe dev mode (console email, local storage, SSO disabled). - Refresh to newer master + restart: re-run `~/issue-watcher/staging-up.sh`. - Stop: `pm2 delete ppms-staging`. -- Access: bound to all interfaces, so reachable at `http://:3200`. This is - **plain HTTP with prod-mirror data behind login** — for a private setup, restrict - to localhost (`pnpm dev -p 3200 -H 127.0.0.1` in `run-staging.sh`) and reach it via - `ssh -L 3200:localhost:3200 …` instead. +- **Access is SSH-tunnel only** — the dev server binds to `127.0.0.1:3200`, so it is + not reachable from the public internet. Open a tunnel and browse `http://localhost:3200`: + `ssh -L 3200:localhost:3200 shad0w@`. On Windows, the desktop shortcut + **"Pelagia Staging (tunnel)"** (`automation/staging-tunnel.cmd`) opens the tunnel and + the browser in one click. +- A fixed banner **"INTERNAL DEV / STAGING - NOT PRODUCTION"** is shown (driven by + `NEXT_PUBLIC_ENV_LABEL` in the staging `.env`; the `EnvBanner` component renders nothing + when the var is unset, so production is unaffected). - Log in with a password user (SSO is off here), e.g. `admin@pelagiamarine.com`. ## Issue label lifecycle diff --git a/automation/staging-tunnel.cmd b/automation/staging-tunnel.cmd new file mode 100644 index 0000000..91197da --- /dev/null +++ b/automation/staging-tunnel.cmd 
@@ -0,0 +1,15 @@ +@echo off +title Pelagia Staging Tunnel (localhost:3200) +echo ============================================================ +echo Pelagia Portal - STAGING (internal dev only) +echo Tunneling pms1 port 3200 to http://localhost:3200 +echo Keep this window OPEN while testing. Close it to disconnect. +echo ============================================================ +echo. +echo Connecting... your browser will open in a few seconds. +REM Open the browser shortly after the tunnel comes up. +start "" cmd /c "ping -n 6 127.0.0.1 >nul & explorer http://localhost:3200" +ssh -i "%USERPROFILE%\.ssh\peliagia_portal_ubuntu22_ed25519" -o StrictHostKeyChecking=accept-new -N -L 3200:localhost:3200 shad0w@87.76.191.133 +echo. +echo Tunnel closed. You can close this window. +pause diff --git a/automation/staging-up.sh b/automation/staging-up.sh index ec8a64c..8625bb9 100644 --- a/automation/staging-up.sh +++ b/automation/staging-up.sh @@ -42,17 +42,20 @@ AZURE_AD_CLIENT_SECRET="dev-placeholder" AZURE_AD_TENANT_ID="dev-placeholder" DATABASE_URL="$TEST_URL" GST_SERVICE_URL="http://localhost:3003" +NEXT_PUBLIC_ENV_LABEL="INTERNAL DEV / STAGING - NOT PRODUCTION" PORT=$PORT EOF chmod 600 "$DIR/App/.env" fi # pm2-run wrapper so the dev server always gets nvm on PATH and the right port. +# Bind to 127.0.0.1 only -- staging is reachable solely via SSH tunnel +# (ssh -L 3200:localhost:3200 ...), never directly from the public internet. cat > "$DIR/App/run-staging.sh" <
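Review bot: the rewritten "Access" bullet in the README hunk drops the note from the removed lines that staging serves prod-mirror data behind login; the tunnel changes who can reach the server but not what the `pelagia_test` database holds, so keep a sentence to that effect next to "Access is SSH-tunnel only". Also, the host in `ssh -L 3200:localhost:3200 shad0w@` is missing here (possibly a stripped `<host>` placeholder) while `staging-tunnel.cmd` in the same patch hardcodes the address, so the two should agree on where the host comes from, either naming it in both places or pointing the README at the script.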
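Review bot: `staging-tunnel.cmd` hardcodes the server address, the login `shad0w` and the key filename, which puts an operator identity and the staging host into version control for anyone with repo access; define them once at the top (`set STAGING_HOST=...`) or use an `~/.ssh/config` Host entry so the script only needs `ssh -N -L 3200:localhost:3200 <alias>`. Two smaller points: `-o StrictHostKeyChecking=accept-new` trusts whatever host key is presented on first use, so shipping the expected fingerprint or a `known_hosts` line alongside would let the first connection be verified rather than assumed; and `start "" cmd /c "ping -n 6 127.0.0.1 >nul & explorer http://localhost:3200"` opens the browser on a timer regardless of whether ssh authenticated, so an auth failure shows a connection-refused page while the real error sits in this window (`timeout /t 5 /nobreak >nul` is also the idiomatic delay in cmd). The key filename `peliagia_portal_ubuntu22_ed25519` looks misspelled against "Pelagia" and is worth confirming against the file that actually exists.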
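Review bot: the `.env` heredoc that gains `NEXT_PUBLIC_ENV_LABEL` sits inside a conditional (the `fi` after `chmod 600 "$DIR/App/.env"`), so a host that already has a staging `.env` never receives the variable and the banner the README promises will not appear on re-run; add an idempotent step after the block, e.g. `grep -q '^NEXT_PUBLIC_ENV_LABEL=' "$DIR/App/.env" || echo 'NEXT_PUBLIC_ENV_LABEL="INTERNAL DEV / STAGING - NOT PRODUCTION"' >> "$DIR/App/.env"`. Separately, the new comment says the server binds to 127.0.0.1, but the `run-staging.sh` heredoc that would carry the flag is not visible in this hunk; a comment alone changes nothing, so confirm the generated script passes `-H 127.0.0.1` (the removed README text named `pnpm dev -p 3200 -H 127.0.0.1`) and verify after restart that port 3200 is listening on loopback only, e.g. with `ss -ltnp | grep 3200`.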