idea draft session_capture tdr/thedarkroom

Fix nginx sites-enabled stale-copy divergence on tdr-production-shop01 (Forge vhost edits dormant since 2022)


Trace

  1. note added 3d ago

    ## Problem

    On the production web origin `tdr-production-shop01` (159.89.132.72), nginx is serving a **stale 2022 vhost**. `/etc/nginx/sites-enabled/thedarkroom` is a **regular file frozen at 2022-10-21**, NOT a symlink to `/etc/nginx/sites-available/thedarkroom` (last edited 2026-06-12). `nginx.conf:62` does `include /etc/nginx/sites-enabled/*;`, so nginx loads the frozen copy and never reads `sites-available`.

    **Consequence:** ~3.5 years of edits to `sites-available/thedarkroom` (via the Forge UI or direct edits) have **never been served**, including:

    - The Cloudflare redirect migration (13 redirects commented out as "moved to Cloudflare" in `available`; the same redirects are still ACTIVE in the live 2022 `enabled` copy).
    - photodashboard FastCGI tuning (larger buffers, 300s timeouts, `fastcgi_intercept_errors off`).
    - The USPS label-broker PII deny block (inline in `available`).

    Any nginx change believed to be applied via `sites-available` / the Forge UI is silently a no-op on this box.

    ## Evidence (2026-07-01)

    - `sites-enabled/thedarkroom`: regular file, mtime 2022-10-21, 2848 bytes, 0 deny blocks, 0 "moved to Cloudflare" comments.
    - `sites-available/thedarkroom`: regular file, mtime 2026-06-12, 4796 bytes, 1 deny block, 13 CF comments.
    - `diff enabled available` → the files differ.
    - `forge-conf/thedarkroom/{before,server,after}/*` ARE included by the live file (lines 2/57/87), so forge-conf includes DO take effect; that is how `server/redirect_rules.conf` (Oct 2025) is live despite the divergence.

    ## Current mitigation (done, NOT the real fix)

    The USPS customer-PII label directory (`/shop/wp-content/tdr-usps-labels/`, ~57,866 label PNGs on disk after the 2026-06 filesystem migration) was locked down by adding a `return 403` location at `forge-conf/thedarkroom/server/tdr-usps-labels-deny.conf` (which the live config DOES include), NOT via the dormant inline block in `sites-available`. Verified 403 at origin and through Cloudflare on 2026-07-01; shop front still 200.

    ## Proper fix (deliberate session, do NOT rush)

    Restore the symlink so Forge's config is authoritative again:

    `sudo ln -sfn /etc/nginx/sites-available/thedarkroom /etc/nginx/sites-enabled/thedarkroom`

    …but this activates ALL 3.5 years of dormant changes at once. Before flipping it:

    1. Full `diff` review of enabled vs available; enumerate every behavioral change.
    2. Confirm Cloudflare actually handles each of the 13 removed redirects, or they break as soon as they leave nginx.
    3. `sudo nginx -t`, reload, then smoke-test: redirects, `/photodashboard`, `/shop`, and the label 403.
    4. **Duplicate-location trap:** `sites-available` has the USPS deny block inline AND we added it via forge-conf. When `available` goes live, delete ONE or `nginx -t` fails on a duplicate `location`.
    5. Check the OTHER Forge vhosts on this box (marketing, tdr-fos) and any shop-fleet nodes (the "shop01" naming implies possible shop02+) for the same stale-copy problem. Confirm Cloudflare origin routing.

    ## Owner / priority

    Security-adjacent infra hygiene. Not urgent (USPS exposure already mitigated) but should be fixed deliberately so future nginx changes actually deploy. Ties to [[deploy-usps-label-broker-to-production]] work.

    agent · claude
  2. participant joined 3d ago
    system · claude
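The pre-flight checks from the "Proper fix" steps in the note above (spotting a `sites-enabled` entry that is a regular copy rather than a symlink, and counting `location` blocks for the USPS path across everything that would go live so the duplicate-location trap is caught before `nginx -t`), as an added shell example. This is not code from the brief or from Forge; the vhost names `thedarkroom` and `marketing` are taken from the note, but the config contents, the `thedarkroom.example` server_name and the temp tree built by `make_demo` are constructed for the demo. Paths default to `/etc/nginx` and can be overridden for a dry run.

```shell
#!/bin/sh
# Added example (not from the brief or the Forge project): audit an nginx
# sites-enabled directory for the stale-copy divergence described in the note
# and count `location` directives for a path across the files that would go
# live. make_demo() builds a constructed temp tree mirroring the shape in the
# note; the vhost contents and the thedarkroom.example server_name are made up.

# Classify one vhost: SYMLINK_OK, SYMLINK_ELSEWHERE:<target>, ORPHAN,
# IDENTICAL_COPY (regular file, same bytes, still not a symlink) or STALE_COPY.
audit_vhost() {
    avail="$1/$3"     # $1 = sites-available dir
    enabled="$2/$3"   # $2 = sites-enabled dir, $3 = vhost name
    if [ -L "$enabled" ]; then
        # -ef follows the link, so relative and absolute targets both pass
        if [ "$enabled" -ef "$avail" ]; then
            echo "SYMLINK_OK"
        else
            echo "SYMLINK_ELSEWHERE:$(readlink "$enabled")"
        fi
        return 0
    fi
    [ -e "$avail" ] || { echo "ORPHAN"; return 0; }
    if cmp -s "$enabled" "$avail"; then
        echo "IDENTICAL_COPY"
    else
        echo "STALE_COPY"
    fi
}

# Walk sites-enabled and print "<name><TAB><status>" per entry.
audit_all() {
    avail_dir="${1:-/etc/nginx/sites-available}"
    enabled_dir="${2:-/etc/nginx/sites-enabled}"
    for f in "$enabled_dir"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        printf '%s\t%s\n' "$name" "$(audit_vhost "$avail_dir" "$enabled_dir" "$name")"
    done
}

# Count `location` directives for a literal path ($1) across the given files or
# directories. Two or more means nginx -t will fail on a duplicate location.
# The ^[[:space:]]* anchor excludes commented-out directives; $1 is spliced into
# a regex, so a path containing regex metacharacters must be escaped first.
location_count() {
    path="$1"; shift
    find "$@" -type f -exec grep -hE \
        "^[[:space:]]*location[[:space:]]+(=[[:space:]]+|\^~[[:space:]]+)?$path" {} + 2>/dev/null \
        | wc -l | tr -d ' '
}

# Constructed demo tree: thedarkroom is a stale regular copy (the bug in the
# note), marketing is a proper symlink, and the USPS deny block exists both
# inline in sites-available and in forge-conf (the duplicate-location trap).
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/sites-available" "$d/sites-enabled" "$d/forge-conf/thedarkroom/server"
    cat > "$d/sites-available/thedarkroom" <<'EOF'
server {
    server_name thedarkroom.example;
    include forge-conf/thedarkroom/server/*;
    # moved to Cloudflare
    # location = /old-page { return 301 /new-page; }
    location /shop/wp-content/tdr-usps-labels/ { return 403; }
}
EOF
    cat > "$d/sites-enabled/thedarkroom" <<'EOF'
server {
    server_name thedarkroom.example;
    include forge-conf/thedarkroom/server/*;
    location = /old-page { return 301 /new-page; }
}
EOF
    printf 'location /shop/wp-content/tdr-usps-labels/ { return 403; }\n' \
        > "$d/forge-conf/thedarkroom/server/tdr-usps-labels-deny.conf"
    printf 'server { server_name marketing.example; }\n' > "$d/sites-available/marketing"
    ln -s "$d/sites-available/marketing" "$d/sites-enabled/marketing"
    echo "$d"
}

demo=$(make_demo)
audit_all "$demo/sites-available" "$demo/sites-enabled"
printf 'USPS deny locations if available goes live: %s\n' \
    "$(location_count /shop/wp-content/tdr-usps-labels/ "$demo/sites-available" "$demo/forge-conf")"
rm -rf "$demo"
```

On a real box, `audit_all` with no arguments walks `/etc/nginx/sites-enabled`; any line other than `SYMLINK_OK` is an entry where Forge edits are not reaching nginx, which is the check step 5 asks for on the other vhosts and shop-fleet nodes. Running `location_count` against `sites-available` plus `forge-conf` before the symlink is restored shows whether step 4's duplicate will trip `nginx -t`.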


scope

Projects

  • tdr/thedarkroom · primary
