Critical fixes to ensure smooth deployments and prevent future outages:
**docker-compose.yml:**
- Fixed image name: littleshop:latest → localhost:5000/littleshop:latest
- Fixed subnet: 172.21.0.0/16 → 172.23.0.0/16 (matches production)
- Fixed environment: Production → Development (matches current production)
**.gitlab-ci.yml:**
- Fixed TeleBot API URL: http://littleshop-admin:8080 → http://littleshop:5000
- Removed duplicate network flag (was causing issues)
- Added explicit network connection command for littleshop_littleshop-network
- Ensures TeleBot can communicate with LittleShop API on deployment
**CLAUDE.md:**
- Documented October 4, 2025 incident and recovery
- Added comprehensive deployment best practices
- Documented pre-deployment checklist
- Added manual deployment commands for emergencies
- Documented network architecture and container configuration
**Root Cause of Previous Failure:**
TeleBot was trying to connect to non-existent hostname "littleshop-admin"
on wrong network, causing authentication failures and data unavailability.
**Verification:**
All changes tested in production and confirmed working. TeleBot now
successfully authenticates and communicates with LittleShop API.
🤖 Generated with Claude Code
https://claude.com/claude-code
Co-Authored-By: Claude <noreply@anthropic.com>
Prevents future deployment failures by automatically applying database
schema migrations during deployment process.
Changes:
- Added migration step that runs AFTER stopping containers
- Automatically detects .sql files in LittleShop/Migrations/
- Creates timestamped backup before applying each migration
- Applies migrations using sqlite3 in Alpine container
- Properly handles volume mounting for littleshop_littleshop_data
This prevents issues like the October 4 incident where ProductVariant
schema changes were deployed without updating the database, causing
complete system outage.
Migration workflow:
1. Stop all containers
2. Check for migration files
3. Create database backup
4. Apply migrations
5. Start containers with updated schema
🤖 Generated with Claude Code
https://claude.com/claude-code
Co-Authored-By: Claude <noreply@anthropic.com>
## Issue
Previous fix enabled LittleShop__UseTor=true, which tried to route internal
Docker API calls through Tor. Tor correctly rejected these private addresses.
## Root Cause
Two separate Tor configuration flags exist:
1. Privacy__EnableTor - Controls Telegram Bot API calls (external, public)
2. LittleShop__UseTor - Controls LittleShop API calls (internal, private)
## Solution
- Set LittleShop__UseTor=false (internal calls direct - no Tor)
- Set Privacy__EnableTor=true (Telegram API calls via Tor)
## Impact
✅ Telegram Bot API calls now route through Tor (privacy protected)
✅ Internal API calls go direct (no Tor rejection errors)
✅ Proper separation of concerns
## Technical Details
TelegramBotService.cs:77 checks Privacy:EnableTor
Program.cs:63 checks LittleShop:UseTor
These control different HTTP clients for different purposes.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
## Issue
TeleBot was bypassing Tor gateway despite infrastructure being available.
## Root Cause
Deployment configuration explicitly disabled Tor:
- LittleShop__UseTor=false (line 118)
## Fix
Changed deployment configuration to enable Tor routing:
- LittleShop__UseTor=true
## Impact
✅ All Telegram API calls now route through Tor network
✅ Bot's real IP hidden from Telegram servers
✅ Enhanced privacy protection
⚠️ Slight latency increase due to Tor overhead
## Verification Required
Monitor tor-gateway logs after deployment to confirm traffic routing.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Keep authentication fix in Program.cs but use original CI/CD pipeline configuration that builds from Dockerfile
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
- Updated .gitlab-ci.yml with complete build, test, and deploy stages
- Added authentication redirect fix in Program.cs (302 redirect for admin routes)
- Fixed Cookie vs Bearer authentication conflict for admin panel
- Configure pipeline to build from .NET 9.0 source
- Deploy to Hostinger VPS with proper environment variables
- Include rollback capability for production deployments
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
- Added auto-deploy on successful builds for main branch
- Deployment uses commit SHA when no tag is present
- Manual deployment still available for tagged releases
- Follows same pattern as TeleBot deployment
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove docker:24-dind service to use runner's mounted Docker socket.
This fixes the 403 Git access error and Docker socket conflict.
Changes:
- Remove services: docker:24-dind from build and deploy jobs
- Change image from docker:24-dind to docker:24
- Update DOCKER_HOST to use unix socket
Co-Authored-By: Claude <noreply@anthropic.com>
