Promote synvya-staging to synvya (production)

.env.example

@@ -5,12 +5,12 @@
 DOMAIN=keycast.example.com
 
 # PostgreSQL database password (required for docker-compose)
-POSTGRES_PASSWORD=change-this-secure-password-in-production
+POSTGRES_PASSWORD=change-this-secure-password-for-nonlocal
 
 # Database connection URL
 # Local dev: postgres://postgres:password@localhost/keycast
 # Docker: postgres://postgres:${POSTGRES_PASSWORD}@postgres/keycast
-DATABASE_URL=postgres://postgres:password@localhost/keycast
+DATABASE_URL=postgres://postgres:change-this-secure-password-for-nonlocal@localhost/keycast
 
 # Allowed public keys for admin access (comma-separated)
 # Leave empty to allow any authenticated user
@@ -45,7 +45,7 @@ SENDGRID_API_KEY=
 FROM_EMAIL=noreply@keycast.example.com
 
 # Optional: From name for email notifications
-FROM_NAME=diVine
+FROM_NAME=Synvya
 
 # Optional: Base URL for email verification links (used in email templates)
 # Should match your frontend URL

.github/workflows/build-test-push-synvya.yaml

@@ -136,12 +136,21 @@ jobs:
           key: ${{ secrets.EC2_STAGING_SSH_KEY }}
           command_timeout: 30m
           script: |
+            set -euo pipefail
             cd /opt/synvya/keycast
-            git pull origin synvya-staging
+            if [ -n "$(git status --porcelain)" ]; then
+              echo "Refusing to deploy from a dirty worktree"
+              git status --short
+              exit 1
+            fi
+            git pull --ff-only origin synvya-staging
             bash scripts/load-secrets.sh staging
             if [ -n "${{ vars.DISABLE_EMAILS }}" ]; then
               echo "DISABLE_EMAILS=${{ vars.DISABLE_EMAILS }}" >> /opt/synvya/.env
             fi
+            docker system df || true
+            docker builder prune -af || true
+            docker image prune -af || true
             docker compose -f docker-compose.synvya.yml --env-file /opt/synvya/.env \
               build postgres redis migrate keycast
             docker compose -f docker-compose.synvya.yml --env-file /opt/synvya/.env \
@@ -165,12 +174,21 @@ jobs:
           key: ${{ secrets.EC2_PRODUCTION_SSH_KEY }}
           command_timeout: 30m
           script: |
+            set -euo pipefail
             cd /opt/synvya/keycast
-            git pull origin synvya
+            if [ -n "$(git status --porcelain)" ]; then
+              echo "Refusing to deploy from a dirty worktree"
+              git status --short
+              exit 1
+            fi
+            git pull --ff-only origin synvya
             bash scripts/load-secrets.sh production
             if [ -n "${{ vars.DISABLE_EMAILS }}" ]; then
               echo "DISABLE_EMAILS=${{ vars.DISABLE_EMAILS }}" >> /opt/synvya/.env
             fi
+            docker system df || true
+            docker builder prune -af || true
+            docker image prune -af || true
             docker compose -f docker-compose.synvya.yml --env-file /opt/synvya/.env \
               build postgres redis migrate keycast
             docker compose -f docker-compose.synvya.yml --env-file /opt/synvya/.env \

.github/workflows/build-test-push.yaml

@@ -121,7 +121,7 @@ jobs:
         env:
           AWS_SES_TEST_RECIPIENT: ${{ vars.AWS_SES_TEST_RECIPIENT }}
           FROM_EMAIL: ${{ vars.AWS_SES_FROM_EMAIL || 'noreply@divine.video' }}
-          FROM_NAME: ${{ vars.AWS_SES_FROM_NAME || 'diVine' }}
+          FROM_NAME: ${{ vars.AWS_SES_FROM_NAME || 'Synvya' }}
           BASE_URL: https://example.com
         run: |
           cargo test -p keycast_api --features aws --test aws_ses_test -- --test-threads=1

.gitignore

@@ -32,7 +32,10 @@ api/oauth-ui/
 specs/
 examples/auth-flows-demo/
 
-# Machine-specific Kamal deployment (Pi homelab only, not for production)
+# Machine-specific Kamal deployment# Environment variables
+.env
+.env.*
+!.env.example
 config/deploy.yml
 .kamal/
 scripts/deploy-to-pi.sh

AGENTS.md

@@ -0,0 +1 @@
+CLAUDE.md

CLAUDE.md

@@ -201,6 +201,9 @@ Optional:
 - `SQLX_POOL_SIZE`: Database connection pool size (should match Cloud Run concurrency, default: `50`)
 - `VITE_ALLOWED_PUBKEYS`: Comma-separated pubkeys for whitelist access (web frontend)
 - `ENABLE_EXAMPLES`: Enable `/examples` directory serving (default: `false`, set to `true` for development)
+- `DISABLE_WEB_UI`: Disable the SvelteKit web frontend (default: `false`). When `true`, non-API requests return 404 or redirect to `WEB_UI_REDIRECT_URL`. Use for deployments (e.g. Synvya) where end users should not access a keycast personal UI. `/api/*`, `/.well-known/*`, `/health*`, `/verify-email` (plus the `/_app/*` static assets it needs), and the server-rendered `/api/oauth/authorize` approval page remain available.
+- `WEB_UI_REDIRECT_URL`: When `DISABLE_WEB_UI=true`, redirect non-API requests to this URL (e.g. `https://synvya.com`). If unset, non-API requests return 404.
+- `PASSWORD_RESET_BASE_URL`: Base URL used when constructing password reset links in emails (default: `BASE_URL`). Set when the reset page is hosted on a different domain than `BASE_URL` — e.g. Synvya sets this to `https://account.synvya.com` in production and `https://account.staging.synvya.com` in staging, so the link points at the Synvya-hosted reset form that POSTs to keycast's `/api/auth/reset-password`.
 
 Development (`.env` in `/web`):
 - `VITE_ALLOWED_PUBKEYS`: Comma-separated pubkeys for dev access

Makefile

@@ -0,0 +1,103 @@
+# ─────────────────────────────────────────────────────────────────────────────
+# Keycast Development Helper
+# ─────────────────────────────────────────────────────────────────────────────
+
+.PHONY: check-prereq install-prereq setup migrate help dev test env-local env-staging docker-build docker-up docker-down docker-logs
+
+# Default target: show help
+all: help
+
+help: ## Show this help message
+	@echo "🔑 \033[1;32mSynvya Keycast\033[0m"
+	@echo "Unified Nostr key management and event signing service."
+	@echo ""
+	@echo "\033[1;34mUsage:\033[0m"
+	@echo "  make <target>"
+	@echo ""
+	@echo "\033[1;34mSetup & Environment:\033[0m"
+	@grep -E '^[-a-zA-Z0-9_]+:.*?## (Setup|Environment).*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2}'
+	@echo ""
+	@echo "\033[1;34mDevelopment & Testing:\033[0m"
+	@grep -E '^[-a-zA-Z0-9_]+:.*?## (Development|Quality).*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2}'
+	@echo ""
+	@echo "\033[1;34mDocker & Deployment:\033[0m"
+	@grep -E '^[-a-zA-Z0-9_]+:.*?## Docker.*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2}'
+	@echo ""
+
+# --- Setup & Environment ---
+
+check-prereq: ## Setup: Verify Rust, Bun, and SQLX are installed
+	@echo "==> Checking Keycast prerequisites..."
+	@command -v cargo >/dev/null 2>&1 || (echo "  ✗ cargo (Rust) not found"; exit 1)
+	@command -v bun >/dev/null 2>&1 || (echo "  ✗ bun not found"; exit 1)
+	@command -v sqlx >/dev/null 2>&1 || (echo "  ✗ sqlx-cli not found. Run 'make install-prereq'"; exit 1)
+	@echo "  ✓ All Keycast prerequisites met!"
+
+install-prereq: ## Setup: Install sqlx-cli tool (required for migrations)
+	@echo "==> Installing prerequisites..."
+	cargo install sqlx-cli --no-default-features --features postgres
+	cargo install cargo-nextest --locked
+
+setup: ## Setup: Initialize .env and generate master key
+	@echo "==> Initializing environment configuration (.env.local)..."
+	@if [ ! -f ".env.local" ]; then bash scripts/init.sh --domain localhost --file .env.local; fi
+	@if grep -q "SERVER_NSEC=$$" .env.local; then \
+		echo "==> Generating SERVER_NSEC for .env.local..."; \
+		RAND_SEC=$$(openssl rand -hex 32); \
+		sed -i '' "s/SERVER_NSEC=.*/SERVER_NSEC=$$RAND_SEC/" .env.local || sed -i "s/SERVER_NSEC=.*/SERVER_NSEC=$$RAND_SEC/" .env.local; \
+	fi
+	@if [ ! -f "master.key" ]; then bun run key:generate; fi
+	@$(MAKE) env-local
+	@echo "  ✓ Setup complete."
+
+env-local: ## Environment: Set active environment to .env.local
+	@echo "==> Setting active environment to .env.local"
+	@ln -sf .env.local .env
+
+env-staging: ## Environment: Set active environment to .env.staging
+	@echo "==> Setting active environment to .env.staging"
+	@if [ ! -f ".env.staging" ]; then echo "  ✗ .env.staging not found. Create it from .env.example"; exit 1; fi
+	@ln -sf .env.staging .env
+
+migrate: ## Environment: Run database migrations
+	@$(MAKE) env-check
+	@echo "==> Running migrations..."
+	bun run db:migrate
+
+# --- Development ---
+
+dev: ## Development: Start the local development stack (native)
+	@$(MAKE) env-check
+	bun run dev
+
+# --- Quality ---
+
+test: ## Quality: Run unit and integration tests
+	@$(MAKE) env-check
+	bun run test
+
+# --- Docker ---
+
+docker-build: ## Docker: Build the docker images
+	@$(MAKE) env-check
+	@echo "==> Building Docker images..."
+	docker compose build
+
+docker-up: ## Docker: Start the services via docker-compose
+	@$(MAKE) env-check
+	@echo "==> Starting Keycast stack..."
+	docker compose up -d
+
+docker-down: ## Docker: Stop the services
+	@$(MAKE) env-check
+	@echo "==> Stopping Keycast stack..."
+	docker compose down
+
+docker-logs: ## Docker: Follow docker logs
+	@$(MAKE) env-check
+	docker compose logs -f
+
+# --- Internal ---
+
+env-check:
+	@if [ ! -L ".env" ] && [ ! -f ".env" ]; then echo "  ✗ No .env file or symlink found. Run 'make setup'"; exit 1; fi

README.md

@@ -160,25 +160,26 @@ POST to `/api/nostr` with `Authorization: Bearer <access_token>`:
 | `nip44_encrypt` / `nip44_decrypt` | NIP-44 encryption |
 | `nip04_encrypt` / `nip04_decrypt` | NIP-04 encryption |
 
-## Self-Hosting
+## Development & Self-Hosting
+
+The fastest way to get started is using the provided `Makefile`.
 
 ```bash
 git clone https://github.com/ArcadeLabsInc/keycast.git
 cd keycast
-bun install
 
-# Generate encryption key
-bun run key:generate
+# 1. Interactive setup (generates keys, .env.local, etc.)
+make setup
 
-# Configure environment
-cp .env.example .env
-# Edit DATABASE_URL, SERVER_NSEC, ALLOWED_ORIGINS
+# 2. Run with Docker
+make docker-build
+make docker-up
 
-# Run with Docker
-docker compose up -d --build
+# 3. Run tests
+make test
 ```
 
-See [DEVELOPMENT.md](./docs/DEVELOPMENT.md) for local development setup.
+For detailed instructions on environment management, native development, and testing architecture, see **[build.README.md](./build.README.md)**.
 
 ### Environment Variables
 
@@ -196,7 +197,7 @@ See [DEVELOPMENT.md](./docs/DEVELOPMENT.md) for local development setup.
 |----------|---------|-------------|
 | `SENDGRID_API_KEY` | *(none)* | If set, uses SendGrid; otherwise logs emails to console |
 | `FROM_EMAIL` | `noreply@keycast.app` | Sender email address |
-| `FROM_NAME` | `diVine` | Sender display name |
+| `FROM_NAME` | `Synvya` | Sender display name |
 | `BASE_URL` | `https://login.divine.video` | Base URL for email verification links |
 | `DISABLE_EMAILS` | *(none)* | If set (any value), skips sending emails |
 
@@ -208,6 +209,7 @@ See [DEVELOPMENT.md](./docs/DEVELOPMENT.md) for local development setup.
 | `APP_URL` | `https://login.divine.video` | Fallback URL for OAuth callbacks |
 | `ALLOWED_PUBKEYS` | *(none)* | Comma-separated admin pubkeys whitelist |
 | `ALLOWED_ORIGINS` | *(none)* | CORS origins (comma-separated) |
+| `NODE_ENV` | `development` | Set to `production` to enable mandatory HTTPS and `Secure` cookies. |
 
 #### Multi-tenancy