- runDataCleanup() replaces maskOverdueInvestors(): now also anonymizes
never-activated invites after 90 days, deletes sessions + magic links
older than 30 days, NULLs IPs in audit logs older than 30 days, and
redacts email from audit log details JSONB for masked investors
- New /api/admin/cleanup POST endpoint for scheduled invocation
- New .gitea/workflows/pitch-cleanup.yml: daily cron at 02:00 UTC calls
the cleanup endpoint so anonymization is genuinely automatic, not lazy
- Switch masking window from first_activity_at to last_login_at (30 days
of inactivity; resets on each login)
- Both auth pages: DSGVO footer now covers all Art. 13 requirements —
data categories, retention cutoffs, Art. 15–21 rights, contact address,
LfDI Baden-Württemberg as supervisory authority
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- AdminShell: shows NEXT_PUBLIC_GIT_SHA in sidebar footer
- Dockerfile + build-pitch-deck.yml: pass --build-arg GIT_SHA at build time
- FinanzplanSlide: fetch with cache:no-store to always show current DB values
- finanzplan routes: Cache-Control: no-store to prevent CDN/proxy staling
- CLAUDE.md: remove dead gitea remote (only origin exists)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
build-pitch-deck workflow now posts an HMAC-signed push event to orca's
webhook endpoint after the image is built + pushed. This avoids the race
where orca would otherwise redeploy with the old :latest image before
CI finishes pushing the new one.
Removed the obsolete deploy-coolify.yml (wrong branch, wrong system) and
stripped the deploy-coolify job from ci.yaml.
Requires Gitea Actions secret: ORCA_WEBHOOK_SECRET_PITCH_DECK
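The signed push event this commit describes, shown end to end as an added example (not the workflow's or orca's own code): the CI side signs the raw request body with the shared secret, and the receiving side recomputes the MAC over the exact bytes it received and compares in constant time. The payload fields, the header names, the dot-separated timestamp binding and the five-minute replay window are assumptions; the page only states that the event is HMAC-signed and that the secret is ORCA_WEBHOOK_SECRET_PITCH_DECK.

```python
"""Added example: HMAC-signed deploy webhook, sender and receiver side.

Not the project's code. Header names, payload fields and the replay window
are assumptions made for illustration.
"""
import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "X-Orca-Signature"   # assumed header name
TIMESTAMP_HEADER = "X-Orca-Timestamp"   # assumed header name
REPLAY_WINDOW_SECONDS = 300             # assumed tolerance for clock skew / replays


def sign(secret, timestamp, body):
    """HMAC-SHA256 over "<timestamp>.<raw body>" so a captured request cannot
    be replayed later with a fresh timestamp."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    mac.update(str(timestamp).encode("ascii"))
    mac.update(b".")
    mac.update(body)
    return "sha256=" + mac.hexdigest()


def build_request(secret, image, tag, sha, now=None):
    """Sender (CI) side: serialize the event once and sign those exact bytes."""
    event = {"image": image, "tag": tag, "sha": sha}   # assumed payload shape
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    ts = int(now if now is not None else time.time())
    headers = {
        "Content-Type": "application/json",
        TIMESTAMP_HEADER: str(ts),
        SIGNATURE_HEADER: sign(secret, ts, body),
    }
    return headers, body


def verify_request(secret, headers, body, now=None):
    """Receiver (orca) side: verify over the raw body, never over a
    re-serialized copy, and compare with hmac.compare_digest."""
    sig = headers.get(SIGNATURE_HEADER, "")
    if not sig.startswith("sha256="):
        return False, "missing or malformed signature"
    try:
        ts = int(headers.get(TIMESTAMP_HEADER, ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    current = int(now if now is not None else time.time())
    if abs(current - ts) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign(secret, ts, body)
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    secret = b"example-shared-secret"   # constructed; CI reads it from a secret
    headers, body = build_request(
        secret, "registry.meghsakha.com/breakpilot/pitch-deck",
        "abc1234", "abc1234deadbeef")
    print(verify_request(secret, headers, body))             # (True, 'ok')
    print(verify_request(secret, headers, body + b" "))      # tampered body
    print(verify_request(b"other-secret", headers, body))    # wrong secret
```

The receiver must read the request body as bytes before any JSON parsing and hand those bytes to `verify_request`; parsing and re-encoding first would change whitespace or key order and break the MAC even for a legitimate request.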
Builds and pushes to registry.meghsakha.com/breakpilot/pitch-deck
on every push to main that touches pitch-deck/ files. Tags with
:latest and :SHORT_SHA.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add docker-compose.coolify.yml (17 services), .env.coolify.example,
and Gitea Action workflow for Coolify API deployment. Removes nginx,
vault, gitea, woodpecker, mailpit, and dev-only services. Adds Traefik
labels for *.breakpilot.ai domain routing with Let's Encrypt SSL.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Network already exists from compliance project — use external: true
and pre-create with docker network create before docker compose up.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- backend-core Dockerfile defaults TARGETARCH=arm64, override with build arg
- Add set -e in helper container to fail fast on build errors
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The act_runner cannot create /home/act_runner cache dir inside
container images. Replace actions/checkout@v4 with manual
git clone using GITHUB_SERVER_URL and GITHUB_REPOSITORY env vars.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Adds .gitea/workflows/ci.yaml with lint and test jobs.
Runs on gitea.meghsakha.com with Gitea Actions runner.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>