Production-readiness audit fixes — every mock fallback is now gated on
IsDevelopment; in production these paths fail loudly instead:
- ZarinPal/Tara/SnappPay init: missing credentials returned a MOCK
payment URL whose callback verified as paid — a café could activate a
paid plan without paying. Now: "Payment gateway is not configured."
- Tara/SnappPay verify: a forged MOCK-* trace/token on the callback was
accepted as a verified payment in any environment. Now rejected
outside Development.
- Taraz (سامانه مودیان): returned a fake MOCK-TARAZ tracking code as if
invoices reached the tax authority. Now returns an honest error (the
real integration is not built yet).
- Admin integrations: NextPay/Vandar removed — they were listed but have
no gateway implementation (selecting them silently used ZarinPal).
- docker-compose: ASPNETCORE_ENVIRONMENT default flipped Development →
Production so a missing env var can never run prod in dev mode.
86 tests pass.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Prevents runner workspace collisions with other projects (DrSousan etc.)
causing containers to be treated as orphans and stopped on deploy.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- docker-compose.admin.yml: RUN_MIGRATIONS was hardcoded false → now
uses ${RUN_MIGRATIONS:-true} so migrations run automatically on deploy
- Both compose files: expose Seed__SystemAdminPhone/Username/Password
env vars so the seeder sets admin credentials without manual SQL
- .env.example: document SEED_ADMIN_* variables
On next deploy: migrations run, Username='admin' is patched on the
existing admin, and password is hashed from SEED_ADMIN_PASSWORD.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The Docker daemon reaches the Nexus Docker group over the dedicated
connector port 8087 (its registry mirror), not the main 8081 HTTP port,
which caused HTTPS-to-HTTP pull failures in CI. Repoint all image refs to
171.22.25.73:8087 at the connector root; npm and NuGet stay on 8081.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Point Docker, NuGet, and npm pulls at the Nexus group repos on
171.22.25.73:8081 for both CI/CD and local builds, so the pipeline and
developers no longer depend on Docker Hub, MCR, nuget.org, or npmjs.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Rebrand the public café-discovery app: directories web/finder→web/koja and
docker/finder→docker/koja, plus all service wiring (docker-compose, Caddy
subdomain koja.meezi.ir, env vars KOJA_PORT / NEXT_PUBLIC_KOJA_URL, CI
workflows) and the app's display name (Koja / کجا).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- aspnet:10.0, postgres:16-alpine, redis:7-alpine all fail on first
fetch through Nexus proxy (OCI manifest format bug in Nexus)
- Change DOTNET_ASPNET_IMAGE default to mcr-mirror.liara.ir directly
- Change postgres/redis service images to docker-mirror.liara.ir
- CI service containers (api-build job) also use Liara directly
- All images parameterized so ENV_FILE can override for any registry
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- All Node Dockerfiles rewritten with NODE_IMAGE + NPM_REGISTRY build args
defaulting to local Nexus proxies (171.22.25.73:5000/library/node:20-alpine
and http://mirror:8081/repository/npm-group/)
- Add extra_hosts: mirror:host-gateway to every build section so the
mirror hostname resolves during docker build
- Replace nuget.org with nuget.docker.config (Nexus mirror) in api/admin-api
Dockerfiles to fix NuGet restore in Iranian network
- Rewrite admin-web and website Dockerfiles (were referencing non-existent
meezi-node:20-alpine base image with no npm install step)
- Update dotnet image defaults to 171.22.25.73:5002 MCR proxy in admin-api
and docker-compose.admin.yml
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
All hardcoded passwords/keys replaced with env vars so .env controls
everything in both dev and production:
- DB_PASSWORD, DB_CONNECTION_STRING, JWT_KEY
- CORS_ORIGIN_*, ASPNETCORE_ENVIRONMENT
- All ZarinPal/Kavenegar/Snappfood secrets
New files for tomorrow's domain setup:
- Caddyfile → routes all subdomains with auto TLS
- docker-compose.caddy.yml → adds Caddy service to the stack
.env.example now has clear TODAY (IP) vs TOMORROW (domain) sections.
Fixed hardcoded ZarinPal MerchantId in docker-compose.full.yml.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
soroush.asadi