constella 0.1.0 → 0.1.1

package/CHANGELOG.md

@@ -33,6 +33,23 @@ may still introduce breaking changes while the platform stabilises.
 
 ---
 
+## [0.1.1] — 2026-06-22 — "Remote / VPS login fix"
+
+### Fixed
+- **Login over a remote host (VPS / Tailscale) now works.** The auth client baked a hardcoded
+  `localhost:3000` base URL at build time, so a published build always POSTed sign-in to the *user's
+  own* machine (`ERR_CONNECTION_REFUSED`); it now uses the live page origin (`window.location.origin`).
+- The auth server now trusts the origin each request was actually served on, so better-auth's
+  CSRF/origin check no longer rejects a login from a Tailscale IP or LAN host. Cross-site forgery is
+  still blocked, and an explicit `BETTER_AUTH_URL` is always trusted.
+
+### Changed
+- The VPS Docker image installs the published npm package (compiled `.next`) instead of building from
+  source — the public tree ships no `src/`. `Dockerfile`, `docker-compose.yml` and `vps-install.sh`
+  updated accordingly; reach the dashboard at the sidecar's Tailscale IP.
+
+---
+
 ## [0.1.0] — 2026-06-22 — "First consolidated release"
 
 The first end-to-end release: every previously deferred capability wired into the live system, the full
@@ -295,7 +312,8 @@ bilingual documentation portal, and the release/hardware paths staged for valida
 
 ---
 
-[Unreleased]: https://github.com/gabriel7silva/constella/compare/v0.1.0...HEAD
+[Unreleased]: https://github.com/gabriel7silva/constella/compare/v0.1.1...HEAD
+[0.1.1]: https://github.com/gabriel7silva/constella/compare/v0.1.0...v0.1.1
 [0.1.0]: https://github.com/gabriel7silva/constella/releases/tag/v0.1.0
 [0.0.13]: https://github.com/gabriel7silva/constella/compare/v0.0.12...v0.0.13
 [0.0.12]: https://github.com/gabriel7silva/constella/compare/v0.0.11...v0.0.12

package/docs/en/VPS_MODE.md

@@ -59,8 +59,8 @@ flowchart TD
   C --> D["TS_AUTHKEY written to .env"]
   D --> E["docker compose up -d --build"]
   E --> F["tailscale sidecar joins tailnet"]
-  E --> G["constella container builds + boots"]
-  G --> H["bin/constella.mjs --vps --host 0.0.0.0 --port 3000"]
+  E --> G["constella image installs constella@npm + boots"]
+  G --> H["constella --vps --host 0.0.0.0 --port 3000"]
   H --> I["generate/persist secrets in /data/.env (chmod 600)"]
   H --> J["drizzle migrate against /data/constella.db"]
   H --> K["supervise: next start + worker"]
@@ -76,7 +76,7 @@ flowchart TD
 `docker-compose.yml` runs **two services that share one network namespace**:
 
 - **`tailscale`** — the official `tailscale/tailscale` image, acting as a sidecar. It owns `/dev/net/tun`, holds `net_admin` + `sys_module` caps, joins the tailnet headlessly with `TS_AUTHKEY`, and persists node state in the `tailscale-state` volume.
-- **`constella`** — built from the `Dockerfile`, joined to the sidecar's network with `network_mode: service:tailscale`. Because they share the namespace, Constella is reachable **only at the Tailscale IP** on port 3000 — never on the host's public interfaces.
+- **`constella`** — built from the `Dockerfile`, which **installs the published `constella` npm package** (the compiled, prebuilt `.next`) — there is **no source build**, because the public tree ships no `src/`. Joined to the sidecar's network with `network_mode: service:tailscale`; because they share the namespace, Constella is reachable **only at the Tailscale IP** on port 3000 — never on the host's public interfaces. Pin a version with `CONSTELLA_VERSION=0.1.0` in `.env` (default `latest`).
 
 ### Runtime root on a volume
 
@@ -148,7 +148,7 @@ The launcher prints only `• Secrets ready (stored in <HOME>/.env, never printe
 | Service | Image / build | Network | Volumes | Notable caps |
 | --- | --- | --- | --- | --- |
 | `tailscale` | `tailscale/tailscale:latest` | own namespace | `tailscale-state:/var/lib/tailscale` | `net_admin`, `sys_module`, `/dev/net/tun` |
-| `constella` | `build: .` (Dockerfile) | `service:tailscale` | `constella-data:/data` | runs as unprivileged `node` (uid 1000) |
+| `constella` | `build: .` (Dockerfile installs `constella@npm`) | `service:tailscale` | `constella-data:/data` | runs as unprivileged `node` (uid 1000) |
 
 ---
 
@@ -187,9 +187,15 @@ flowchart LR
 
 ## Step-by-step 🚀
 
-### 1. Provision a VPS
+### 1. Provision a VPS and clone the public repo
 
-A fresh Ubuntu Server is the assumed target (the bootstrap installs Docker via `get.docker.com` and Tailscale via `tailscale.com/install.sh`).
+A fresh **Ubuntu Server** (24.04 / 26.04 LTS) is the assumed target. Get the product tree (it carries the `Dockerfile`, `docker-compose.yml` and `scripts/vps-install.sh` — no source needed):
+
+```bash
+apt-get update && apt-get install -y git      # if git is missing
+git clone https://github.com/gabriel7silva/constella.git
+cd constella
+```
 
 ### 2. Run the bootstrap
 
@@ -197,14 +203,13 @@ A fresh Ubuntu Server is the assumed target (the bootstrap installs Docker via `
 bash scripts/vps-install.sh
 ```
 
-`scripts/vps-install.sh` does, in order:
+`scripts/vps-install.sh` does, in order (it uses `sudo` only when you're not already `root`):
 
 1. **Install Docker** if `docker` is not on `PATH` (`curl -fsSL https://get.docker.com | sh`).
-2. **Install Tailscale** if absent (`curl -fsSL https://tailscale.com/install.sh | sh`).
-3. **Join the tailnet** with `sudo tailscale up` (prints a browser auth URL if needed).
-4. **Ask for a `TS_AUTHKEY`** (so the *container* sidecar can join headlessly) and append it to `.env`.
-5. **Build + start** the stack: `sudo docker compose up -d --build`.
-6. **Print the reach URL**: `http://<tailscale-ip>:3000`.
+2. **Install Tailscale** on the host if absent (`curl -fsSL https://tailscale.com/install.sh | sh`); `tailscale up` is a **no-op if the host is already joined**.
+3. **Ask for a `TS_AUTHKEY`** for the *container sidecar* — a **separate tailnet node**, needed **even when the host already runs Tailscale** — and append it to `.env`.
+4. **Build + start** the stack: `docker compose up -d --build` (the image installs `constella` from npm).
+5. **Print the reach URL** read from the sidecar: `http://<constella-tailnet-ip>:3000`.
 
 ### 3. Create the Tailscale auth key
 
@@ -218,16 +223,34 @@ From **any device on the same tailnet**, open:
 http://<this-node's-tailscale-ip>:3000
 ```
 
-Find the IP with `tailscale ip -4` on the VPS. First load lands on `/login` (login is enforced); after sign-in, complete [ONBOARDING](./ONBOARDING.md) if it's the first run.
+Find the IP from the **sidecar** (the device named `constella` in your tailnet), not the host:
+
+```bash
+docker compose exec tailscale tailscale ip -4
+```
+
+First load lands on `/login` (login is enforced); after sign-in, complete [ONBOARDING](./ONBOARDING.md) if it's the first run.
 
 ### 5. Manual compose path (no bootstrap)
 
 ```bash
-echo "TS_AUTHKEY=tskey-auth-..." > .env
+echo "TS_AUTHKEY=tskey-auth-..." > .env     # optional: add CONSTELLA_VERSION=0.1.0 to pin the version
 docker compose up -d --build
-# then: http://<tailscale-ip>:3000
+docker compose exec tailscale tailscale ip -4    # -> http://<that-ip>:3000
 ```
 
+### 6. Direct path (no Docker, no sidecar)
+
+If the host already runs Tailscale (or you firewall port 3000 yourself), you can skip Docker entirely and run the published package straight on the host — it binds `0.0.0.0`, reachable at the **host's** tailnet IP:
+
+```bash
+curl -fsSL https://deb.nodesource.com/setup_22.x | bash -    # Node 20+ if missing
+apt-get install -y nodejs
+npx constella@latest --vps --host 0.0.0.0 --port 3000        # reach: http://<host-tailscale-ip>:3000
+```
+
+> ⚠️ Without the sidecar, `0.0.0.0` is **not** tailnet-private by itself. Only use this when the host has no public route to port 3000 (firewall / security group), or stay on the Docker path, which keeps the bind inside the Tailscale namespace.
+
 ---
 
 ## Examples 🪐
@@ -238,10 +261,10 @@ docker compose up -d --build
 node bin/constella.mjs --vps --host 0.0.0.0 --port 3000
 ```
 
-**The exact container command (from the `Dockerfile`):**
+**The exact container command (from the `Dockerfile`, after it installs `constella` from npm):**
 
 ```dockerfile
-CMD ["node", "bin/constella.mjs", "--vps", "--host", "0.0.0.0", "--port", "3000"]
+CMD ["constella", "--vps", "--host", "0.0.0.0", "--port", "3000"]
 ```
 
 **Confirm the run context the app sees:**

package/docs/pt/VPS_MODE.md

@@ -59,8 +59,8 @@ flowchart TD
   C --> D["TS_AUTHKEY gravado em .env"]
   D --> E["docker compose up -d --build"]
   E --> F["sidecar tailscale entra na tailnet"]
-  E --> G["contêiner constella compila + inicia"]
-  G --> H["bin/constella.mjs --vps --host 0.0.0.0 --port 3000"]
+  E --> G["imagem constella instala constella@npm + inicia"]
+  G --> H["constella --vps --host 0.0.0.0 --port 3000"]
   H --> I["gera/persiste segredos em /data/.env (chmod 600)"]
   H --> J["drizzle migrate contra /data/constella.db"]
   H --> K["supervisiona: next start + worker"]
@@ -76,7 +76,7 @@ flowchart TD
 O `docker-compose.yml` roda **dois serviços que compartilham um único namespace de rede**:
 
 - **`tailscale`** — a imagem oficial `tailscale/tailscale`, atuando como sidecar. Ela controla `/dev/net/tun`, possui as capabilities `net_admin` + `sys_module`, entra na tailnet de forma headless com `TS_AUTHKEY` e persiste o estado do nó no volume `tailscale-state`.
-- **`constella`** — construída a partir do `Dockerfile`, ligada à rede do sidecar com `network_mode: service:tailscale`. Como compartilham o namespace, o Constella fica acessível **apenas no IP do Tailscale** na porta 3000 — nunca nas interfaces públicas do host.
+- **`constella`** — construída a partir do `Dockerfile`, que **instala o pacote npm publicado `constella`** (o `.next` compilado e pré-buildado) — **não há build de fonte**, porque a árvore pública não inclui `src/`. Ligada à rede do sidecar com `network_mode: service:tailscale`; como compartilham o namespace, o Constella fica acessível **apenas no IP do Tailscale** na porta 3000 — nunca nas interfaces públicas do host. Fixe uma versão com `CONSTELLA_VERSION=0.1.0` no `.env` (padrão `latest`).
 
 ### Raiz de runtime em um volume
 
@@ -148,7 +148,7 @@ O launcher imprime apenas `• Secrets ready (stored in <HOME>/.env, never print
 | Serviço | Imagem / build | Rede | Volumes | Capabilities notáveis |
 | --- | --- | --- | --- | --- |
 | `tailscale` | `tailscale/tailscale:latest` | namespace próprio | `tailscale-state:/var/lib/tailscale` | `net_admin`, `sys_module`, `/dev/net/tun` |
-| `constella` | `build: .` (Dockerfile) | `service:tailscale` | `constella-data:/data` | roda como `node` sem privilégios (uid 1000) |
+| `constella` | `build: .` (Dockerfile instala `constella@npm`) | `service:tailscale` | `constella-data:/data` | roda como `node` sem privilégios (uid 1000) |
 
 ---
 
@@ -187,9 +187,15 @@ flowchart LR
 
 ## Passo a passo 🚀
 
-### 1. Provisione uma VPS
+### 1. Provisione uma VPS e clone o repo público
 
-Um Ubuntu Server novo é o alvo assumido (o bootstrap instala o Docker via `get.docker.com` e o Tailscale via `tailscale.com/install.sh`).
+Um **Ubuntu Server** novo (24.04 / 26.04 LTS) é o alvo assumido. Pegue a árvore do produto (ela carrega o `Dockerfile`, o `docker-compose.yml` e o `scripts/vps-install.sh` — sem precisar de fonte):
+
+```bash
+apt-get update && apt-get install -y git      # se o git faltar
+git clone https://github.com/gabriel7silva/constella.git
+cd constella
+```
 
 ### 2. Rode o bootstrap
 
@@ -197,14 +203,13 @@ Um Ubuntu Server novo é o alvo assumido (o bootstrap instala o Docker via `get.
 bash scripts/vps-install.sh
 ```
 
-O `scripts/vps-install.sh` faz, em ordem:
+O `scripts/vps-install.sh` faz, em ordem (usa `sudo` só quando você não é `root`):
 
 1. **Instala o Docker** se `docker` não estiver no `PATH` (`curl -fsSL https://get.docker.com | sh`).
-2. **Instala o Tailscale** se ausente (`curl -fsSL https://tailscale.com/install.sh | sh`).
-3. **Entra na tailnet** com `sudo tailscale up` (imprime uma URL de auth no navegador se necessário).
-4. **Pede um `TS_AUTHKEY`** (para que o sidecar do *contêiner* entre de forma headless) e o anexa ao `.env`.
-5. **Constrói + inicia** a stack: `sudo docker compose up -d --build`.
-6. **Imprime a URL de acesso**: `http://<tailscale-ip>:3000`.
+2. **Instala o Tailscale** no host se ausente (`curl -fsSL https://tailscale.com/install.sh | sh`); `tailscale up` é **no-op se o host já está na tailnet**.
+3. **Pede um `TS_AUTHKEY`** para o *sidecar do contêiner* — um **nó de tailnet separado**, necessário **mesmo quando o host já roda Tailscale** — e o anexa ao `.env`.
+4. **Constrói + inicia** a stack: `docker compose up -d --build` (a imagem instala o `constella` do npm).
+5. **Imprime a URL de acesso** lida do sidecar: `http://<ip-tailnet-do-constella>:3000`.
 
 ### 3. Crie a auth key do Tailscale
 
@@ -218,16 +223,34 @@ De **qualquer dispositivo na mesma tailnet**, abra:
 http://<ip-tailscale-deste-nó>:3000
 ```
 
-Encontre o IP com `tailscale ip -4` na VPS. O primeiro carregamento cai em `/login` (login é obrigatório); após entrar, complete o [ONBOARDING](./ONBOARDING.md) se for o primeiro boot.
+Encontre o IP no **sidecar** (o dispositivo chamado `constella` na sua tailnet), não no host:
+
+```bash
+docker compose exec tailscale tailscale ip -4
+```
+
+O primeiro carregamento cai em `/login` (login é obrigatório); após entrar, complete o [ONBOARDING](./ONBOARDING.md) se for o primeiro boot.
 
 ### 5. Caminho manual com compose (sem o bootstrap)
 
 ```bash
-echo "TS_AUTHKEY=tskey-auth-..." > .env
+echo "TS_AUTHKEY=tskey-auth-..." > .env     # opcional: adicione CONSTELLA_VERSION=0.1.0 para fixar a versão
 docker compose up -d --build
-# depois: http://<tailscale-ip>:3000
+docker compose exec tailscale tailscale ip -4    # -> http://<esse-ip>:3000
 ```
 
+### 6. Caminho direto (sem Docker, sem sidecar)
+
+Se o host já roda Tailscale (ou você mesmo bloqueia a porta 3000 no firewall), dá para pular o Docker inteiro e rodar o pacote publicado direto no host — ele vincula `0.0.0.0`, acessível no IP de tailnet **do host**:
+
+```bash
+curl -fsSL https://deb.nodesource.com/setup_22.x | bash -    # Node 20+ se faltar
+apt-get install -y nodejs
+npx constella@latest --vps --host 0.0.0.0 --port 3000        # acesso: http://<ip-tailscale-do-host>:3000
+```
+
+> ⚠️ Sem o sidecar, `0.0.0.0` **não** é privado por tailnet sozinho. Só use isto quando o host não tiver rota pública para a porta 3000 (firewall / security group), ou fique no caminho Docker, que mantém o bind dentro do namespace do Tailscale.
+
 ---
 
 ## Exemplos 🪐
@@ -238,10 +261,10 @@ docker compose up -d --build
 node bin/constella.mjs --vps --host 0.0.0.0 --port 3000
 ```
 
-**O comando exato do contêiner (do `Dockerfile`):**
+**O comando exato do contêiner (do `Dockerfile`, depois que ele instala o `constella` do npm):**
 
 ```dockerfile
-CMD ["node", "bin/constella.mjs", "--vps", "--host", "0.0.0.0", "--port", "3000"]
+CMD ["constella", "--vps", "--host", "0.0.0.0", "--port", "3000"]
 ```
 
 **Confirmar o contexto de execução que o app enxerga:**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "constella",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Constella — run autonomous AI agent-companies locally: real claude/codex agents, Goals → Specs → Issues → Plans, local models, GitHub & Telegram, all from one cosmic control plane.",
   "//name": "Unscoped so `npx constella` works. If the name is taken on npm, fall back to `@constella/cli` (then commands become `npx @constella/cli`).",
   "license": "MIT",

package/scripts/vps-install.sh

@@ -1,26 +1,35 @@
 #!/usr/bin/env bash
-# Constella VPS bootstrap (Ubuntu Server). Installs Docker + Tailscale, joins the tailnet, and brings
-# up Constella over Tailscale. Run on a fresh VPS:  curl ... | bash  — or  bash scripts/vps-install.sh
+# Constella VPS bootstrap (Ubuntu Server). Installs Docker + Tailscale (skips either if already
+# present), then builds + runs Constella over Tailscale. The image installs the PUBLISHED npm package
+# (compiled, prebuilt .next) — there is no source build. Run from a clone of the public repo:
+#   git clone https://github.com/gabriel7silva/constella.git && cd constella && bash scripts/vps-install.sh
 set -euo pipefail
 
 echo "✦ Constella VPS install — Docker + Tailscale"
 
+# Use sudo only when not already root (minimal Ubuntu images often have no `sudo`).
+SUDO=""
+if [ "$(id -u)" -ne 0 ]; then SUDO="sudo"; fi
+
 # 1) Docker
 if ! command -v docker >/dev/null 2>&1; then
   echo "• Installing Docker…"
-  curl -fsSL https://get.docker.com | sh
+  curl -fsSL https://get.docker.com | $SUDO sh
+else
+  echo "• Docker already installed — skipping."
 fi
 
-# 2) Tailscale
+# 2) Tailscale on the HOST (optional — the container runs its own Tailscale sidecar). Installed only
+#    if absent; `tailscale up` is a no-op when the host is already joined.
 if ! command -v tailscale >/dev/null 2>&1; then
   echo "• Installing Tailscale…"
-  curl -fsSL https://tailscale.com/install.sh | sh
+  curl -fsSL https://tailscale.com/install.sh | $SUDO sh
 fi
+echo "• Ensuring the host is on your tailnet (no-op if already joined)…"
+$SUDO tailscale up || true
 
-echo "• Joining your tailnet (a browser auth URL will be printed if needed)…"
-sudo tailscale up || true
-
-# 3) Auth key for the Tailscale container (so the compose sidecar can join headlessly)
+# 3) Auth key for the Tailscale CONTAINER sidecar (a separate tailnet node, even if the host already
+#    runs Tailscale) so compose can join it headlessly.
 if [ ! -f .env ] || ! grep -q '^TS_AUTHKEY=' .env; then
   echo
   echo "  Create a Tailscale auth key at https://login.tailscale.com/admin/settings/keys"
@@ -28,12 +37,16 @@ if [ ! -f .env ] || ! grep -q '^TS_AUTHKEY=' .env; then
   echo "TS_AUTHKEY=${TS_KEY}" >> .env
 fi
 
-# 4) Bring up the stack
+# 4) Build + start the stack (the image pulls constella from npm; pin with CONSTELLA_VERSION in .env).
 echo "• Building + starting Constella…"
-sudo docker compose up -d --build
+$SUDO docker compose up -d --build
 
-IP="$(tailscale ip -4 2>/dev/null | head -1 || true)"
+# 5) Reach URL = the SIDECAR's tailnet IP (device "constella"), not the host's. Read it from the
+#    sidecar container; fall back to a hint if it isn't up yet.
+sleep 3
+IP="$($SUDO docker compose exec -T tailscale tailscale ip -4 2>/dev/null | head -1 || true)"
 echo
 echo "✓ Constella is starting."
-echo "  Reach it on your tailnet at:  http://${IP:-<tailscale-ip>}:3000"
-echo "  (Open it from any device on the same tailnet.)"
+echo "  Reach it on your tailnet at:  http://${IP:-<constella-tailnet-ip>}:3000"
+echo "  (If the IP is blank, wait a few seconds and run: docker compose exec tailscale tailscale ip -4)"
+echo "  Open it from any device on the same tailnet. First load → /login (login is enforced in VPS mode)."