When user has artdag_session cookie, periodically (every 30s) check
account's /auth/internal/check-device endpoint. If account says the
device is no longer active (SSO logout), clear the cookie immediately.
Prevents stale sign-in after logging out from another app.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add /health endpoint (returns 200, skips auth middleware)
- Healthcheck now hits /health instead of / (which 302s to OAuth)
- Advisory lock in db.init_pool() prevents deadlock when 4 uvicorn
workers race to run schema DDL
- CI: --resolve-image always on docker stack deploy to force re-pull
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The server-to-server token exchange was hitting the external URL
(https://account.rose-ash.com/...) which can fail from inside Docker
due to DNS/hairpin NAT. Now uses INTERNAL_URL_ACCOUNT (already set in
both docker-compose files) for the POST. Adds logging at all three
failure points so silent redirects are diagnosable.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Existing sessions have email=None since the field was just added.
Username IS the email in Art-DAG (OAuth returns user.email as username).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Dockerfiles use monorepo root as build context
- common/ and core/ installed as local packages (no git+https)
- Client tarball built from local client/ dir
- Unified CI with change detection: common/core -> rebuild both
- Per-repo CI workflows removed
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
