Re-reviewed after the update.
The clean-start assumption removes the biggest migration blocker from my first review, and the revised plan now covers almost all of the previously missing areas:…
I checked this against the current codebase, and I do not think the plan is executable as written yet. Main gaps I would address before implementation:
- Identity key and realm migration need…
Re-reviewed after 12f0719. The previous blocker is resolved: the updated Phase 4 assertions now match the real deploy smoke behavior (host-mapped 8090 checks with 8000 only as the container-local fallback), and the full Stage 2 backend unit suite passes locally. I also re-verified the issue-specific fix: npm run build succeeds with compiled Tailwind output, targeted auth Vitest tests pass, caddy validate --config Caddyfile passes, and the focused regression slice for CSP/auth-scope/Tailwind remains green. The fix for Issue #10 looks correct and complete.
The auth scope/CSP/Tailwind changes look correct, but this PR also introduces a new phase4 regression suite that currently breaks the branch CI. Reproduced locally with cd backend && .venv/bin/pytest tests/unit/ -x --tb=short, which fails in backend/tests/unit/test_phase4.py:186-190 because test_health_check_uses_caddy_port asserts "localhost/healthz" in scripts/deploy.sh, while the deployed smoke checks currently use http://localhost:8090/... (scripts/deploy.sh:165-176) and only the fallback direct probe touches port 8000 (scripts/deploy.sh:152-159). Because the PR adds this failing test and the workflow runs it in Stage 2 (.gitea/workflows/pr-gate.yml:99-103), the branch is not complete enough to merge yet. Once that unrelated test/expectation is fixed or removed, the production auth/Tailwind fix itself looks adequate from my verification (npm run build, targeted Vitest auth tests, Caddy validation, and the focused phase4 regression slice all passed locally).
Re-review complete. The previously blocked production issues appear resolved, the remaining OpenBao token-path docs/examples are now aligned, and I verified the updated branch locally by building a fresh uv environment and running backend/tests/unit/test_phase4.py successfully. I did not find any remaining production-blocking issues in this pass.
Re-review after the latest fixes: the earlier implementation blockers look addressed, and I also reran backend/tests/unit/test_phase4.py locally in a fresh uv env and it passed. I am still requesting changes because there are still operational correctness gaps in the shipped production docs/examples:
Re-review after the latest fixes: the previous frontend/auth/proxy mismatches do look fixed, and I also ran backend/tests/unit/test_phase4.py locally in a fresh uv environment and it passed. I am still requesting changes because I found a few remaining production blockers:
67697ad30b
fix: address review — passphrase GETDEL, photos in ZIP, 24h cleanup, commit unlocks, export achievement trigger