fix(devtools): stabilize Penpot MCP, fix S3 creds, OIDC registration

MCP server: - Replace vite build --watch + livePreview with static vite preview (watch mode was reloading the plugin iframe, killing WebSocket) - Bake WS_URI at Docker build time for production WebSocket URL - Add server-side application-level keepalive messages every 25s - Add client-side auto-reconnect with exponential backoff - Set Pingora route timeout to 86400s for WebSocket idle tolerance Penpot: - Add AWS_ACCESS_KEY_ID/SECRET env vars for S3 SDK compatibility - Set S3 region to satisfy AWS SDK credential chain - Enable OIDC registration (disable-registration blocks OIDC signup) - Fix frontend port (8080 not 80) - Add penpot bucket to seaweedfs-buckets init job
2026-04-04 15:37:45 +01:00
parent fcb80f1f37
commit 048319f70b
7 changed files with 108 additions and 46 deletions
--- a/scripts/local-seed-secrets.sh
+++ b/scripts/local-seed-secrets.sh
@@ -58,7 +58,7 @@ done
 echo "==> Setting postgres user passwords..."
 PG_POD=$(kubectl $CTX -n data get pods -l cnpg.io/cluster=postgres,role=primary -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "")
 if [[ -n "$PG_POD" ]]; then
-  for user in kratos hydra gitea hive docs meet drive messages conversations people find penpot; do
+  for user in kratos hydra gitea hive docs meet drive messages conversations people find penpot stalwart; do
    kubectl $CTX -n data exec "$PG_POD" -c postgres -- \
      psql -U postgres -c "ALTER USER $user WITH PASSWORD '$DB_PASSWORD';" 2>/dev/null || true
  done
@@ -130,6 +130,19 @@ create_secret lasuite people-db-credentials \
 create_secret lasuite people-django-secret \
  --from-literal=DJANGO_SECRET_KEY="local-dev-people-django-secret-key-not-for-production"

+# Stalwart namespace
+ensure_ns stalwart
+create_secret stalwart stalwart-db-credentials \
+  --from-literal=password="$DB_PASSWORD"
+
+create_secret stalwart stalwart-app-secrets \
+  --from-literal=admin-password="stalwart-local-admin-password" \
+  --from-literal=dkim-private-key="placeholder-generate-real-key-for-production"
+
+create_secret stalwart seaweedfs-s3-credentials \
+  --from-literal=S3_ACCESS_KEY="$S3_ACCESS_KEY" \
+  --from-literal=S3_SECRET_KEY="$S3_SECRET_KEY"
+
 # Media namespace
 ensure_ns media

@@ -193,6 +206,7 @@ else
      bao kv put secret/people db-password='$DB_PASSWORD' django-secret-key='local-dev-people-django-secret-key-not-for-production'
      bao kv put secret/penpot db-password='$DB_PASSWORD' secret-key='penpot-local-secret-key-not-for-production'
      bao kv put secret/livekit api-key='$LIVEKIT_API_KEY' api-secret='$LIVEKIT_API_SECRET'
+      bao kv put secret/stalwart admin-password='stalwart-local-admin-password' dkim-private-key='placeholder-generate-real-key-for-production'
    " 2>/dev/null
    echo "    Done."
  fi