@semiont/cli 0.2.26 → 0.2.27

package/dist/cli.mjs

@@ -17811,9 +17811,7 @@ var init_frontend_provision = __esm({
       }
       const nextAuthSecret = crypto3.randomBytes(32).toString("base64");
       const config2 = service.config;
-      const frontendUrl = config2.url;
       const port = config2.port;
-      const semiontEnv = service.environment;
       const siteName = config2.siteName;
       const backendService = service.environmentConfig.services["backend"];
       if (!backendService) {
@@ -17823,14 +17821,14 @@ var init_frontend_provision = __esm({
           metadata: { serviceType: "frontend" }
         };
       }
-      const backendUrl = backendService.publicURL;
-      if (!backendUrl) {
+      if (!backendService.port) {
         return {
           success: false,
-          error: "Backend publicURL not configured",
+          error: "Backend port not configured",
           metadata: { serviceType: "frontend" }
         };
       }
+      const backendUrl = `http://localhost:${backendService.port}`;
       if (!siteName) {
         return {
           success: false,
@@ -17839,15 +17837,37 @@ var init_frontend_provision = __esm({
         };
       }
       const oauthAllowedDomains = service.environmentConfig.site?.oauthAllowedDomains || [];
+      const frontendService = service.environmentConfig.services["frontend"];
+      if (!frontendService) {
+        return {
+          success: false,
+          error: "Frontend service not found in environment configuration",
+          metadata: { serviceType: "frontend" }
+        };
+      }
+      if (!frontendService.publicURL) {
+        return {
+          success: false,
+          error: "Frontend publicURL not configured - required for NextAuth",
+          metadata: { serviceType: "frontend" }
+        };
+      }
+      const frontendUrl = frontendService.publicURL;
+      const allowedOrigins = [];
+      if (frontendService.allowedOrigins && Array.isArray(frontendService.allowedOrigins)) {
+        allowedOrigins.push(...frontendService.allowedOrigins);
+      }
+      const publicUrl = new URL(frontendService.publicURL);
+      allowedOrigins.push(publicUrl.host);
       const envUpdates = {
         "NODE_ENV": "development",
         "PORT": port.toString(),
         "NEXTAUTH_URL": frontendUrl,
         "NEXTAUTH_SECRET": nextAuthSecret,
-        "SEMIONT_ENV": semiontEnv,
-        "NEXT_PUBLIC_API_URL": backendUrl,
+        "SERVER_API_URL": backendUrl,
         "NEXT_PUBLIC_SITE_NAME": siteName,
-        "NEXT_PUBLIC_OAUTH_ALLOWED_DOMAINS": oauthAllowedDomains.join(",")
+        "NEXT_PUBLIC_OAUTH_ALLOWED_DOMAINS": oauthAllowedDomains.join(","),
+        "NEXT_PUBLIC_ALLOWED_ORIGINS": allowedOrigins.join(",")
       };
       if (fs20.existsSync(envExamplePath)) {
         let envContent = fs20.readFileSync(envExamplePath, "utf-8");
@@ -17879,11 +17899,8 @@ PORT=${port}
 NEXTAUTH_URL=${frontendUrl}
 NEXTAUTH_SECRET=${nextAuthSecret}
 
-# Semiont Configuration System
-SEMIONT_ENV=${semiontEnv}
-
-# Backend API URL (from backend.publicURL in environment config)
-NEXT_PUBLIC_API_URL=${backendUrl}
+# Backend API URL for server-side calls (uses localhost for POSIX platform)
+SERVER_API_URL=${backendUrl}
 
 # Site name (from frontend.siteName in environment config)
 NEXT_PUBLIC_SITE_NAME=${siteName}
@@ -17977,7 +17994,7 @@ This directory contains runtime files for the frontend service.
 ## Configuration
 
 Edit \`.env.local\` to configure:
-- API URL (NEXT_PUBLIC_API_URL)
+- Server API URL (SERVER_API_URL) - set to localhost for POSIX platform
 - Port (PORT)
 - Other environment-specific settings
 
@@ -24938,8 +24955,6 @@ var init_ecs_publish = __esm({
       const buildEnv = { ...process.env };
       if (service.name === "frontend") {
         const domain2 = envConfig.site.domain || service.config?.domain || (service.environment === "production" ? "semiont.com" : `${service.environment}.semiont.com`);
-        const apiUrl = `https://${domain2}`;
-        buildEnv.NEXT_PUBLIC_API_URL = apiUrl;
         buildEnv.NEXT_PUBLIC_APP_NAME = envConfig.site.siteName || "Semiont";
         buildEnv.NEXT_PUBLIC_SITE_NAME = envConfig.site.siteName || "Semiont";
         buildEnv.NEXT_PUBLIC_DOMAIN = domain2;
@@ -24948,9 +24963,9 @@ var init_ecs_publish = __esm({
         buildEnv.NEXT_TELEMETRY_DISABLED = "1";
         if (!service.quiet && service.verbose) {
           printInfo(`Frontend build configuration:`);
-          printInfo(`  API URL: ${apiUrl}`);
           printInfo(`  Domain: ${domain2}`);
           printInfo(`  Site Name: ${buildEnv.NEXT_PUBLIC_SITE_NAME}`);
+          printInfo(`  API Routing: ALB routes /resources/*, /annotations/*, etc. to backend (runtime)`);
           printInfo(`  OAuth Domains: ${envConfig.site.oauthAllowedDomains?.join(", ") || "(none)"} (set at runtime)`);
         }
       }
@@ -40305,7 +40320,7 @@ var require_package = __commonJS({
   "package.json"(exports, module) {
     module.exports = {
       name: "@semiont/cli",
-      version: "0.2.26",
+      version: "0.2.27",
       description: "Semiont CLI - Unified environment management tool",
       _comment: "AWS SDK dependencies (@aws-sdk/*) are only used by platforms/aws",
       type: "module",
@@ -40370,8 +40385,8 @@ var require_package = __commonJS({
         "@aws-sdk/client-sts": "^3.859.0",
         "@aws-sdk/client-wafv2": "^3.859.0",
         "@prisma/client": "^6.13.0",
-        "@semiont/api-client": "^0.2.26",
-        "@semiont/core": "^0.2.26",
+        "@semiont/api-client": "^0.2.27",
+        "@semiont/core": "^0.2.27",
         "@testcontainers/postgresql": "^11.5.1",
         arg: "^5.0.2",
         bcrypt: "^5.1.1",

package/dist/templates/cdk/app-stack.ts

@@ -362,17 +362,17 @@ export class SemiontAppStack extends cdk.Stack {
         PORT: '3000',
         HOSTNAME: '0.0.0.0',
         // Public environment variables (available to browser)
-        NEXT_PUBLIC_API_URL: `https://${domainName}`,
         NEXT_PUBLIC_SITE_NAME: siteName,
         NEXT_PUBLIC_DOMAIN: domainName,
         // OAuth domains for server-side NextAuth validation
         OAUTH_ALLOWED_DOMAINS: Array.isArray(oauthAllowedDomains) ? oauthAllowedDomains.join(',') : oauthAllowedDomains,
         // NextAuth configuration
         NEXTAUTH_URL: `https://${domainName}`,
-        // Backend URL for server-side authentication calls (Service Connect DNS)
-        // Used by frontend's NextAuth to communicate with backend container-to-container
+        // Backend URL for server-side API calls (Service Connect DNS)
+        // Used by frontend's NextAuth and API routes for container-to-container communication
         // This is NOT the public URL - it's the internal AWS Service Connect address
-        BACKEND_INTERNAL_URL: 'http://backend:4000',
+        // Client-side browser calls use relative URLs - ALB routes to backend
+        SERVER_API_URL: 'http://backend:4000',
       },
       secrets: {
         NEXTAUTH_SECRET: ecs.Secret.fromSecretsManager(appSecrets, 'nextAuthSecret'),

package/dist/templates/docker-compose.yml

@@ -0,0 +1,53 @@
+# Docker Compose configuration with Envoy proxy for local development
+version: '3.8'
+
+services:
+  envoy:
+    image: envoyproxy/envoy:v1.28-latest
+    ports:
+      - "80:80"
+      - "9901:9901"  # Admin interface
+    volumes:
+      - ./apps/cli/templates/envoy.yaml:/etc/envoy/envoy.yaml:ro
+    depends_on:
+      - frontend
+      - backend
+    networks:
+      - semiont
+
+  frontend:
+    image: ghcr.io/the-ai-alliance/semiont-frontend:dev
+    environment:
+      - SERVER_API_URL=http://backend:4000
+      - NEXTAUTH_URL=http://localhost
+      - NEXTAUTH_SECRET=${NEXTAUTH_SECRET}
+      - GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID}
+      - GOOGLE_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET}
+    networks:
+      - semiont
+
+  backend:
+    image: ghcr.io/the-ai-alliance/semiont-backend:dev
+    environment:
+      - DATABASE_URL=${DATABASE_URL}
+      - JWT_SECRET=${JWT_SECRET}
+    networks:
+      - semiont
+
+  postgres:
+    image: postgres:16-alpine
+    environment:
+      - POSTGRES_DB=semiont
+      - POSTGRES_USER=semiont
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    networks:
+      - semiont
+
+networks:
+  semiont:
+    driver: bridge
+
+volumes:
+  postgres_data:

package/dist/templates/envoy.yaml

@@ -0,0 +1,152 @@
+# Envoy proxy configuration for local development and Codespaces
+# Routes traffic between frontend (Next.js) and backend (Hono API)
+#
+# Routing rules (order matters - first match wins):
+# 1. /api/auth/*      → frontend (NextAuth)
+# 2. /api/cookies/*   → frontend (cookie consent/export)
+# 3. /api/resources/* → frontend (authenticated proxy for images/files)
+# 4. /resources/*     → backend (main API)
+# 5. /annotations/*   → backend (main API)
+# 6. /admin/*         → backend (main API)
+# 7. /api/*           → backend (OpenAPI docs, spec)
+# 8. /*               → frontend (Next.js pages)
+
+static_resources:
+  listeners:
+  - name: listener_0
+    address:
+      socket_address:
+        address: 0.0.0.0
+        port_value: 80
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          stat_prefix: ingress_http
+          access_log:
+          - name: envoy.access_loggers.stdout
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+          http_filters:
+          - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - name: local_service
+              domains: ["*"]
+              routes:
+              # Frontend Next.js API routes (must come before backend /api/*)
+              - match:
+                  prefix: "/api/auth/"
+                route:
+                  cluster: frontend
+                  timeout: 30s
+              - match:
+                  prefix: "/api/cookies/"
+                route:
+                  cluster: frontend
+                  timeout: 30s
+              - match:
+                  prefix: "/api/resources/"
+                route:
+                  cluster: frontend
+                  timeout: 30s
+
+              # Backend API routes (without /api prefix)
+              - match:
+                  prefix: "/resources/"
+                route:
+                  cluster: backend
+                  timeout: 30s
+              - match:
+                  prefix: "/annotations/"
+                route:
+                  cluster: backend
+                  timeout: 30s
+              - match:
+                  prefix: "/admin/"
+                route:
+                  cluster: backend
+                  timeout: 30s
+              - match:
+                  prefix: "/entity-types/"
+                route:
+                  cluster: backend
+                  timeout: 30s
+              - match:
+                  prefix: "/jobs/"
+                route:
+                  cluster: backend
+                  timeout: 30s
+              - match:
+                  prefix: "/users/"
+                route:
+                  cluster: backend
+                  timeout: 30s
+              - match:
+                  prefix: "/tokens/"
+                route:
+                  cluster: backend
+                  timeout: 30s
+              - match:
+                  prefix: "/health"
+                route:
+                  cluster: backend
+                  timeout: 30s
+              - match:
+                  prefix: "/status"
+                route:
+                  cluster: backend
+                  timeout: 30s
+
+              # Backend OpenAPI documentation routes
+              - match:
+                  prefix: "/api/"
+                route:
+                  cluster: backend
+                  timeout: 30s
+
+              # Everything else goes to frontend (Next.js pages)
+              - match:
+                  prefix: "/"
+                route:
+                  cluster: frontend
+                  timeout: 30s
+
+  clusters:
+  - name: backend
+    connect_timeout: 5s
+    type: STRICT_DNS
+    lb_policy: ROUND_ROBIN
+    load_assignment:
+      cluster_name: backend
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: backend
+                port_value: 4000
+
+  - name: frontend
+    connect_timeout: 5s
+    type: STRICT_DNS
+    lb_policy: ROUND_ROBIN
+    load_assignment:
+      cluster_name: frontend
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: frontend
+                port_value: 3000
+
+admin:
+  address:
+    socket_address:
+      address: 0.0.0.0
+      port_value: 9901

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@semiont/cli",
-  "version": "0.2.26",
+  "version": "0.2.27",
   "description": "Semiont CLI - Unified environment management tool",
   "_comment": "AWS SDK dependencies (@aws-sdk/*) are only used by platforms/aws",
   "type": "module",
@@ -65,8 +65,8 @@
     "@aws-sdk/client-sts": "^3.859.0",
     "@aws-sdk/client-wafv2": "^3.859.0",
     "@prisma/client": "^6.13.0",
-    "@semiont/api-client": "0.2.26",
-    "@semiont/core": "0.2.26",
+    "@semiont/api-client": "0.2.27",
+    "@semiont/core": "0.2.27",
     "@testcontainers/postgresql": "^11.5.1",
     "arg": "^5.0.2",
     "bcrypt": "^5.1.1",