chore(compose): add repro smoke gate and GHCR prod-like docs

Author: sanchojaf

README.md

@@ -128,12 +128,58 @@ This uses:
 - `docker-compose.yml` + `docker-compose.prod.yml`
 - published images from GHCR (`pull_policy` defaults to `missing`)
 
+GHCR tag policy (from publish workflows):
+
+- `master` branch -> `ghcr.io/cenit-io/cenit:latest` and `ghcr.io/cenit-io/ui:latest`
+- `develop` branch -> `ghcr.io/cenit-io/cenit:develop` and `ghcr.io/cenit-io/ui:develop`
+- release tags `v*.*.*` -> semver tags
+- every publish -> immutable `sha-<gitsha>` tag
+
+Run prod-like using `develop` images:
+
+```bash
+CENIT_SERVER_IMAGE=ghcr.io/cenit-io/cenit:develop \
+CENIT_UI_IMAGE=ghcr.io/cenit-io/ui:develop \
+scripts/compose-prod.sh up -d
+```
+
+Run prod-like pinned to immutable SHA tags:
+
+```bash
+CENIT_SERVER_IMAGE=ghcr.io/cenit-io/cenit:sha-<server_sha> \
+CENIT_UI_IMAGE=ghcr.io/cenit-io/ui:sha-<ui_sha> \
+scripts/compose-prod.sh up -d
+```
+
 For strict refresh from registry each run:
 
 ```bash
 CENIT_PULL_POLICY=always scripts/compose-prod.sh up -d
 ```
 
+### 2.3) Repro mode with non-default host ports (redirect/debug)
+
+Use this to reproduce host/port redirect issues (for example, verify UI does not fall back to `localhost:3000`).
+
+```bash
+cd /path/to/cenit
+REPRO_SERVER_PORT=13000 REPRO_UI_PORT=13002 scripts/compose-repro.sh up -d
+REPRO_SERVER_PORT=13000 REPRO_UI_PORT=13002 scripts/smoke/repro_runtime_ports.sh
+```
+
+Default repro port mapping:
+
+- Backend host port: `13000 -> container 8080`
+- UI host port: `13002 -> container 80`
+
+Optional public URL overrides (if not using localhost):
+
+```bash
+REPRO_SERVER_PUBLIC_URL=http://127.0.0.1:13000 \
+REPRO_UI_PUBLIC_URL=http://127.0.0.1:13002 \
+scripts/smoke/repro_runtime_ports.sh
+```
+
 ### 3) Verify services
 
 ```bash
@@ -183,11 +229,16 @@ Important environment knobs used by local scripts:
 - `CENIT_BASE_COMPOSE_FILE` (helper override for base file)
 - `CENIT_DEV_COMPOSE_FILE` (helper override for dev file)
 - `CENIT_PROD_COMPOSE_FILE` (helper override for prod-like file)
+- `CENIT_REPRO_COMPOSE_FILE` (helper override for repro file)
 - `CENIT_E2E_AUTOSTART` (`1` to auto-start stack in E2E scripts)
 - `CENIT_E2E_RESET_STACK` (`1` to reset containers/volumes before E2E)
 - `CENIT_E2E_BUILD_STACK` (`1` to rebuild images before E2E, default `0`)
 - `CENIT_E2E_HEADED` (`1` for headed browser runs)
 
+Image labels:
+
+- GHCR images are published with OCI metadata labels (source/revision/created) via `docker/metadata-action`.
+
 ## Testing and quality checks
 
 ### Login E2E smoke
@@ -196,6 +247,26 @@ Important environment knobs used by local scripts:
 scripts/e2e/cenit_ui_login.sh
 ```
 
+### Browser smoke: no localhost redirect during auth bootstrap
+
+```bash
+# Default URL
+scripts/smoke/cenit_ui_no_localhost_redirect.sh
+
+# Repro stack URL
+CENIT_UI_URL=http://localhost:13002 scripts/smoke/cenit_ui_no_localhost_redirect.sh
+```
+
+This smoke fails if any browser request hits `http://localhost:3000` during initial auth flow.
+
+### Pre-apply repro gate (runtime + browser checks)
+
+```bash
+REPRO_SERVER_PORT=13000 REPRO_UI_PORT=13002 scripts/smoke/repro_preapply_gate.sh
+```
+
+Use this as the required gate before Terraform apply or other deploy steps when validating the localhost redirect fix path.
+
 ### Contact data type + records E2E
 
 ```bash

docker-compose.repro.yml

@@ -0,0 +1,13 @@
+services:
+  ui:
+    environment:
+      - REACT_APP_USE_ENVIRONMENT_CONFIG=true
+      - REACT_APP_TIMEOUT_SPAN=300000
+      - REACT_APP_APP_ID=admin
+      - REACT_APP_LOCALHOST=${REPRO_UI_PUBLIC_URL:-http://localhost:${REPRO_UI_PORT:-13002}}
+      - REACT_APP_CENIT_HOST=${REPRO_SERVER_PUBLIC_URL:-http://localhost:${REPRO_SERVER_PORT:-13000}}
+
+  server:
+    environment:
+      - HOMEPAGE=${REPRO_SERVER_PUBLIC_URL:-http://localhost:${REPRO_SERVER_PORT:-13000}}
+      - CENIT_UI=${REPRO_UI_PUBLIC_URL:-http://localhost:${REPRO_UI_PORT:-13002}}

scripts/compose-repro.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+BASE_FILE="${CENIT_BASE_COMPOSE_FILE:-$ROOT_DIR/docker-compose.yml}"
+DEV_FILE="${CENIT_DEV_COMPOSE_FILE:-$ROOT_DIR/docker-compose.dev.yml}"
+REPRO_FILE="${CENIT_REPRO_COMPOSE_FILE:-$ROOT_DIR/docker-compose.repro.yml}"
+
+REPRO_SERVER_PORT="${REPRO_SERVER_PORT:-13000}"
+REPRO_UI_PORT="${REPRO_UI_PORT:-13002}"
+
+# Force base compose interpolation to repro ports, avoiding accidental 3000/3002 publishes.
+export SERVER_PORT="${SERVER_PORT:-$REPRO_SERVER_PORT}"
+export UI_PORT="${UI_PORT:-$REPRO_UI_PORT}"
+
+if [[ $# -eq 0 ]]; then
+  echo "Usage: scripts/compose-repro.sh <docker compose args...>" >&2
+  echo "Example: REPRO_SERVER_PORT=13000 REPRO_UI_PORT=13002 scripts/compose-repro.sh up -d" >&2
+  exit 1
+fi
+
+exec docker compose -f "$BASE_FILE" -f "$DEV_FILE" -f "$REPRO_FILE" "$@"

scripts/smoke/cenit_ui_no_localhost_redirect.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+
+if ! command -v node >/dev/null 2>&1; then
+  echo "Node.js is required to run this smoke test." >&2
+  exit 1
+fi
+
+if ! node -e "require.resolve('playwright')" >/dev/null 2>&1; then
+  echo "The 'playwright' package is required for this smoke test." >&2
+  echo "Install it with: npm install --no-save playwright@1.52.0" >&2
+  exit 1
+fi
+
+node "$ROOT_DIR/scripts/smoke/cenit_ui_no_localhost_redirect_playwright.mjs"

scripts/smoke/cenit_ui_no_localhost_redirect_playwright.mjs

@@ -0,0 +1,106 @@
+#!/usr/bin/env node
+import fs from "node:fs";
+import path from "node:path";
+import { chromium } from "playwright";
+
+const uiUrl = process.env.CENIT_UI_URL || process.env.REPRO_UI_PUBLIC_URL || "http://localhost:3002";
+const forbiddenBase = process.env.CENIT_FORBIDDEN_BASE_URL || "http://localhost:3000";
+const outputDir = process.env.CENIT_E2E_OUTPUT_DIR || path.resolve(process.cwd(), "output/playwright");
+const stamp = process.env.CENIT_E2E_TIMESTAMP || new Date().toISOString().replace(/[-:.TZ]/g, "").slice(0, 14);
+
+fs.mkdirSync(outputDir, { recursive: true });
+
+const screenshotPath = path.join(outputDir, `cenit-ui-no-localhost-redirect-${stamp}.png`);
+const htmlPath = path.join(outputDir, `cenit-ui-no-localhost-redirect-${stamp}.html`);
+const requestsPath = path.join(outputDir, `cenit-ui-no-localhost-redirect-requests-${stamp}.json`);
+
+const forbiddenRequests = [];
+
+const browser = await chromium.launch({ headless: true });
+const context = await browser.newContext();
+const page = await context.newPage();
+
+page.on("request", (request) => {
+  const url = request.url();
+  if (url.startsWith(forbiddenBase)) {
+    forbiddenRequests.push({
+      method: request.method(),
+      url,
+      resourceType: request.resourceType(),
+    });
+  }
+});
+
+let exitCode = 0;
+let failureReason = "";
+
+try {
+  await page.goto(uiUrl, { waitUntil: "domcontentloaded", timeout: 120000 });
+  await page.waitForLoadState("networkidle", { timeout: 30000 }).catch(() => {});
+  await page.waitForTimeout(5000);
+
+  const finalUrl = page.url();
+  const finalForbidden = finalUrl.startsWith(forbiddenBase);
+  fs.writeFileSync(
+    requestsPath,
+    JSON.stringify(
+      {
+        uiUrl,
+        forbiddenBase,
+        finalUrl,
+        forbiddenRequests,
+      },
+      null,
+      2
+    )
+  );
+
+  if (finalForbidden || forbiddenRequests.length > 0) {
+    exitCode = 1;
+    failureReason = finalForbidden
+      ? `Final URL redirected to forbidden base: ${finalUrl}`
+      : `Forbidden request(s) detected to ${forbiddenBase}`;
+    await page.screenshot({ path: screenshotPath, fullPage: true });
+    fs.writeFileSync(htmlPath, await page.content());
+  }
+
+  if (exitCode === 0) {
+    console.log(`PASS: no requests to ${forbiddenBase} during initial auth flow.`);
+    console.log(`Final URL: ${finalUrl}`);
+    console.log(`Requests artifact: ${requestsPath}`);
+  } else {
+    console.error(`FAIL: ${failureReason}`);
+    console.error(`Final URL: ${finalUrl}`);
+    console.error(`Forbidden requests: ${forbiddenRequests.length}`);
+    console.error(`Screenshot: ${screenshotPath}`);
+    console.error(`HTML: ${htmlPath}`);
+    console.error(`Requests artifact: ${requestsPath}`);
+  }
+} catch (error) {
+  exitCode = 1;
+  console.error(`FAIL: browser smoke execution error: ${error?.message || error}`);
+  try {
+    await page.screenshot({ path: screenshotPath, fullPage: true });
+    fs.writeFileSync(htmlPath, await page.content());
+  } catch (_) {}
+  fs.writeFileSync(
+    requestsPath,
+    JSON.stringify(
+      {
+        uiUrl,
+        forbiddenBase,
+        error: String(error),
+        forbiddenRequests,
+      },
+      null,
+      2
+    )
+  );
+  console.error(`Screenshot: ${screenshotPath}`);
+  console.error(`HTML: ${htmlPath}`);
+  console.error(`Requests artifact: ${requestsPath}`);
+} finally {
+  await browser.close();
+}
+
+process.exit(exitCode);

scripts/smoke/repro_preapply_gate.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+
+echo "Pre-apply repro gate"
+echo "  REPRO_SERVER_PORT=${REPRO_SERVER_PORT:-13000}"
+echo "  REPRO_UI_PORT=${REPRO_UI_PORT:-13002}"
+
+"$ROOT_DIR/scripts/smoke/repro_runtime_ports.sh"
+
+ui_url="${CENIT_UI_URL:-http://localhost:${REPRO_UI_PORT:-13002}}"
+CENIT_UI_URL="$ui_url" "$ROOT_DIR/scripts/smoke/cenit_ui_no_localhost_redirect.sh"
+
+echo "PASS: pre-apply repro gate checks completed."

scripts/smoke/repro_runtime_ports.sh

@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+
+REPRO_SERVER_PORT="${REPRO_SERVER_PORT:-13000}"
+REPRO_UI_PORT="${REPRO_UI_PORT:-13002}"
+
+UI_URL="${REPRO_UI_PUBLIC_URL:-http://localhost:${REPRO_UI_PORT}}"
+SERVER_URL="${REPRO_SERVER_PUBLIC_URL:-http://localhost:${REPRO_SERVER_PORT}}"
+
+CONFIG_URL="${UI_URL}/config.js"
+CREDENTIALS_URL="${SERVER_URL}/app/admin/oauth2/client/credentials"
+SIGN_IN_URL="${SERVER_URL}/users/sign_in"
+
+tmp_config="$(mktemp)"
+trap 'rm -f "$tmp_config"' EXIT
+
+retry_curl() {
+  local url="$1"
+  local tries="${2:-40}"
+  local sleep_seconds="${3:-2}"
+  local i
+  for ((i = 1; i <= tries; i += 1)); do
+    if curl -fsS "$url" >/dev/null 2>&1; then
+      return 0
+    fi
+    sleep "$sleep_seconds"
+  done
+  return 1
+}
+
+assert_contains() {
+  local file="$1"
+  local pattern="$2"
+  if ! rg -q "$pattern" "$file"; then
+    echo "Expected pattern not found: $pattern" >&2
+    return 1
+  fi
+}
+
+echo "Runtime repro smoke checks"
+echo "  UI_URL=${UI_URL}"
+echo "  SERVER_URL=${SERVER_URL}"
+
+# Guardrail: repro stack must not still publish default ports 3000/3002.
+if command -v docker >/dev/null 2>&1; then
+  server_ports="$(docker ps --format '{{.Names}} {{.Ports}}' | grep '^cenit-server-1 ' || true)"
+  ui_ports="$(docker ps --format '{{.Names}} {{.Ports}}' | grep '^cenit-ui-1 ' || true)"
+  if [[ "$server_ports" == *":3000->"* ]]; then
+    echo "Repro stack is also publishing port 3000 (ambiguous host routing): $server_ports" >&2
+    echo "Run: scripts/compose-repro.sh down && scripts/compose-repro.sh up -d --build --force-recreate" >&2
+    exit 1
+  fi
+  if [[ "$ui_ports" == *":3002->"* ]]; then
+    echo "Repro stack is also publishing port 3002 (ambiguous host routing): $ui_ports" >&2
+    echo "Run: scripts/compose-repro.sh down && scripts/compose-repro.sh up -d --build --force-recreate" >&2
+    exit 1
+  fi
+fi
+
+if ! retry_curl "${CONFIG_URL}" 30 2; then
+  echo "UI config endpoint is unreachable: ${CONFIG_URL}" >&2
+  echo "Start stack with: ${ROOT_DIR}/scripts/compose-repro.sh up -d" >&2
+  exit 1
+fi
+
+curl -fsS "${CONFIG_URL}" > "$tmp_config"
+
+expected_server="REACT_APP_CENIT_HOST: \"${SERVER_URL}\""
+expected_ui="REACT_APP_LOCALHOST: \"${UI_URL}\""
+
+assert_contains "$tmp_config" "$expected_server"
+assert_contains "$tmp_config" "$expected_ui"
+
+if rg -q 'REACT_APP_CENIT_HOST: "http://localhost:3000"' "$tmp_config"; then
+  echo "config.js still points to localhost:3000, repro override not applied." >&2
+  exit 1
+fi
+
+if ! retry_curl "${SIGN_IN_URL}" 30 2; then
+  echo "Backend sign-in endpoint is unreachable: ${SIGN_IN_URL}" >&2
+  exit 1
+fi
+
+credentials_body="$(curl -fsS "${CREDENTIALS_URL}" || true)"
+if [[ -z "$credentials_body" ]]; then
+  echo "Credentials endpoint returned empty response: ${CREDENTIALS_URL}" >&2
+  exit 1
+fi
+
+if ! rg -q '"client_id"|"client_token"' <<<"$credentials_body"; then
+  echo "Credentials endpoint did not return expected client payload (client_id or client_token)." >&2
+  echo "Response: $credentials_body" >&2
+  exit 1
+fi
+
+echo "PASS: runtime config and backend endpoints match repro ports."