5 Commits

Author SHA1 Message Date
Julien Calixte
1b3fa2c540 fix(signup): copy manifest.toml so Docker builds use the lockfile
Commit 40011e2 added manifest.toml to pin transitive deps, but the
Dockerfile only copies gleam.toml — so every Docker build still
re-resolves from scratch and can pick up incompatible versions within
the allowed ranges, defeating the lockfile's purpose.
2026-06-02 22:31:29 +02:00
Julien Calixte
40011e2003 chore(signup): bump wisp/mist to latest, lock with manifest.toml
Two prior deploy failures came from transitive deps drifting on every
fresh build (gleam_httpc 4.1.1 calling result.then, then glisten 8.0.3
calling list.range). The root cause is no manifest.toml — every build
re-resolved deps from scratch and tripped on broken combinations within
the allowed ranges.

- Bump wisp 1.x → 2.x and mist 4.x → 6.x so the resolver picks
  modern, mutually compatible versions of the whole tree
  (stdlib 1.0.3, glisten 9.0.1, httpc 5.0.0).
- Commit manifest.toml so deps are pinned by checksum.
- Adapt to wisp 2.x: json_response now takes String, not StringTree.
- Drop unused gleam/http/response import.
- Add signup/build/ to .gitignore.
2026-06-02 22:14:44 +02:00
Julien Calixte
3d95b2d491 fix(signup): bump gleam_httpc to >= 4.2.0 for result.try
gleam_httpc 4.1.1 still calls result.then, which was removed from
gleam_stdlib 0.71.0. Bumping the lower bound forces the resolver to
pick 4.2.x or later, which uses result.try. The < 5.0.0 cap is also
widened to < 6.0.0; the public API is unchanged between 4.2 and 5.0.

Long term: committing a manifest.toml lockfile would stop transitive
deps from drifting on every fresh build.
2026-06-02 22:10:09 +02:00
Julien Calixte
15ad57a7ad chore(signup): bump Gleam to v1.16.0
gleam_stdlib now requires >= 1.14.0, breaking the v1.7.0 pin during
build. Bump to v1.16.0 — a stable release with several weeks of bake
time rather than today's v1.17.0.
2026-06-02 22:07:15 +02:00
Julien Calixte
c3c75787f4 feat(signup): add Gleam signup service gated by shared invite code
A small Gleam HTTP server in signup/ exposes POST /signup that validates
a shared INVITE_CODE env var, then PUTs a user document to CouchDB's
_users database using the existing admin credentials. The frontend gets
back 201 + the username and is expected to call /_session itself to
obtain the AuthSession cookie (chosen over server-side cookie forwarding
because vaquant.at and couch.apoena.dev are different sites and the
cross-site cookie path is fragile under modern browser privacy modes).

Wired into docker-compose as a second service, reachable on
signup-couch.apoena.dev with its own Traefik labels and the same
hardcoded UUID network attachment as couchdb. Reuses COUCHDB_USER /
COUCHDB_PASSWORD for the admin call. INVITE_CODE must be set in Coolify
env vars.
2026-06-01 22:16:29 +02:00