04e9b407d5
WHAT WAS DONE: - Migrated Arbiter (discord-oauth-arbiter) code to services/arbiter/ - Migrated Modpack Version Checker code to services/modpack-version-checker/ - Created .env.example for Arbiter with all required environment variables - Moved systemd service file to services/arbiter/deploy/ - Organized directory structure per Gemini monorepo recommendations WHY: - Consolidate all service code in one repository - Prepare for Gemini code review (Panel v1.12 compatibility check) - Enable service-prefixed Git tagging (arbiter-v2.1.0, modpack-v1.0.0) - Support npm workspaces for shared dependencies SERVICES MIGRATED: 1. Arbiter (Discord OAuth bot) - Originally written by Gemini + Claude - Full source code from ops-manual docs/implementation/ - Created comprehensive .env.example - Ready for Panel v1.12 compatibility verification 2. Modpack Version Checker (Python CLI tool) - Full source code from ops-manual docs/tasks/ - Written for Panel v1.11, needs Gemini review for v1.12 - Never had code review before STILL TODO: - Whitelist Manager - Pull from Billing VPS (38.68.14.188) - Currently deployed and running - Needs Panel v1.12 API compatibility fix (Task #86) - Requires SSH access to pull code NEXT STEPS: - Gemini code review for Panel v1.12 API compatibility - Create package.json for each service - Test npm workspaces integration - Deploy after verification FILES: - services/arbiter/ (25 new files, full application) - services/modpack-version-checker/ (21 new files, full application) Signed-off-by: The Golden Chronicler <claude@firefrostgaming.com>
12 KiB
12 KiB
Firefrost Arbiter - Complete Implementation Summary
Date: March 30, 2026
Time: 10:18 AM CDT
Prepared by: Claude (Chronicler #49)
Status: READY TO DEPLOY
🎯 What This Is
A complete, production-ready Discord OAuth soft gate system that automates subscriber role assignment and provides a manual admin interface for Trinity members.
Built in collaboration with: Gemini AI (Architecture Consultant)
📦 What You Have
Complete Application (24 Files)
Location: /home/claude/discord-oauth-implementation/
discord-oauth-implementation/
├── src/
│ ├── routes/
│ │ ├── webhook.js # Paymenter webhook handler
│ │ ├── oauth.js # User Discord linking flow
│ │ ├── admin.js # Admin panel routes
│ │ └── adminAuth.js # Admin OAuth login
│ ├── middleware/
│ │ ├── auth.js # Admin access control
│ │ ├── verifyWebhook.js # HMAC signature verification
│ │ └── validateWebhook.js # Zod schema validation
│ ├── utils/
│ │ └── templates.js # 6 HTML success/error pages
│ ├── views/
│ │ └── admin.html # Complete admin UI with JavaScript
│ ├── database.js # SQLite initialization + cleanup
│ ├── email.js # Nodemailer SMTP
│ ├── discordService.js # Bot client + role management
│ ├── cmsService.js # Ghost CMS integration
│ └── index.js # Main application entry
├── config/
│ └── roles.json # Tier → Discord Role ID mapping
├── docs/
│ ├── README.md # Complete project documentation
│ ├── DEPLOYMENT.md # Step-by-step deployment guide
│ └── TROUBLESHOOTING.md # Common issues + solutions
├── .env.example # Configuration template
├── package.json # Dependencies
├── backup.sh # Automated backup script
├── arbiter.service # Systemd service file
└── nginx.conf # Nginx reverse proxy config
Complete Documentation (3 Files)
-
README.md (5,700 words)
- Project overview
- Architecture
- Installation instructions
- Configuration guides
- Testing procedures
- Maintenance tasks
-
DEPLOYMENT.md (3,800 words)
- 7-phase deployment process
- Pre-deployment checklist
- Step-by-step commands
- Validation procedures
- Rollback plan
-
TROUBLESHOOTING.md (3,200 words)
- 7 common issues with detailed solutions
- Emergency procedures
- Performance optimization
- Security concerns
- Tools reference
Gemini Consultation Archive (8 Files)
Location: /home/claude/firefrost-operations-manual/docs/consultations/gemini-discord-oauth-2026-03-30/
- Complete technical discussion
- All architecture decisions
- Production-ready code
- 2,811 lines of consultation history
- Already committed to Gitea (commit
dbfc123)
🚀 How to Deploy
Quick Start (When You're Home)
# 1. Upload implementation to Command Center
scp -r discord-oauth-implementation/* architect@63.143.34.217:/home/architect/arbiter/
# 2. SSH to Command Center
ssh architect@63.143.34.217
# 3. Install dependencies
cd /home/architect/arbiter
npm install
# 4. Configure environment
cp .env.example .env
nano .env # Fill in all values
# 5. Configure roles
nano config/roles.json # Add Discord role IDs
# 6. Set up Nginx
sudo cp nginx.conf /etc/nginx/sites-available/arbiter
sudo ln -s /etc/nginx/sites-available/arbiter /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
# 7. Set up systemd
sudo cp arbiter.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable arbiter
sudo systemctl start arbiter
# 8. Verify
curl https://discord-bot.firefrostgaming.com/health
Full detailed instructions: See DEPLOYMENT.md
🔑 What You Need Before Deploying
From Discord Developer Portal
- Bot Token
- Client ID
- Client Secret
- Guild ID (server ID)
- All 10 Discord Role IDs
- Trinity Discord IDs (Michael, Meg, Holly)
From Ghost CMS
- Custom field
discord_idcreated - Admin API Key
From Mailcow
- SMTP password for
noreply@firefrostgaming.com
From Paymenter
- Webhook secret
Generate New
- SESSION_SECRET (32-byte random hex)
🎨 Features Implemented
For Subscribers (Automated)
- ✅ Receive subscription → get linking email
- ✅ Click link → Discord OAuth → role assigned automatically
- ✅ 24-hour token expiration
- ✅ Beautiful error pages for all scenarios
- ✅ Ghost CMS updated with Discord ID
For Admins (Manual)
- ✅ Search subscribers by email
- ✅ Manually assign/remove roles
- ✅ View audit log of all actions
- ✅ Protected by Discord OAuth (Trinity-only)
- ✅ Clean Pico.css UI (dark mode)
Security Measures
- ✅ Webhook signature verification (HMAC SHA256)
- ✅ Input validation (Zod schemas)
- ✅ Rate limiting (100 req/15min per IP)
- ✅ Secure sessions (httpOnly, SameSite)
- ✅ Admin whitelist (Discord ID check)
- ✅ HTTPS enforcement
- ✅ Automated token cleanup
Operational
- ✅ Automated daily backups (4 AM)
- ✅ Health check endpoint
- ✅ Systemd service (auto-restart)
- ✅ Comprehensive logging
- ✅ Database maintenance (auto-cleanup)
📊 Architecture Decisions
1. Soft Gate (Option C)
Why: Maintains high conversion rates, industry standard, no friction at checkout
Alternatives Considered: Hard gate (require Discord before purchase), Hybrid (Discord optional)
2. Integrated Admin Interface (Option A)
Why: Shares Discord client, no duplication, simpler deployment
Alternatives Considered: Separate admin tool/service
3. SQLite for State
Why: Appropriate scale, persistence, no extra infrastructure
Alternatives Considered: Redis, PostgreSQL, in-memory
4. Plain Text Email
Why: Better spam filtering, simpler maintenance
Alternatives Considered: HTML email with branding
5. 4:00 AM Backup Schedule
Why: Lowest activity window, SQLite .backup command is safe during reads
Timing Rationale: 3-6 AM lowest activity, 4 AM is middle
📈 What Happens Next
Phase 1: Local Testing (Optional)
- Set
APP_URL=http://localhost:3500in.env - Run
npm run dev - Test webhook with curl
- Test OAuth flow
- Test admin panel
Phase 2: Production Deployment
- Follow
DEPLOYMENT.mdstep-by-step - Deploy to Command Center
- Configure all services
- Validate with test subscription
Phase 3: Soft Launch
- Monitor for 24 hours
- Test with real subscription
- Train Trinity on admin panel
- Announce to community
Phase 4: Ongoing Maintenance
- Monitor logs daily (first week)
- Check backups working
- Review audit logs weekly
- Update documentation as needed
🔧 Technologies Used
Runtime & Framework:
- Node.js 18.x
- Express 4.x
Database:
- SQLite (better-sqlite3)
- connect-sqlite3 (session store)
Discord:
- discord.js 14.x
CMS:
- @tryghost/admin-api (Ghost 5.x)
Email:
- Nodemailer
Security:
- express-rate-limit
- Zod (validation)
- Crypto (HMAC, tokens)
Session:
- express-session
Reverse Proxy:
- Nginx + Let's Encrypt
UI:
- Pico.css (classless CSS framework)
💡 Key Learnings from Gemini
Technical
- Soft gates work - Don't force Discord before purchase
- Don't separate prematurely - Monoliths are good at small scale
- SQLite is underrated - Perfect for this use case
- Plain text email - Better deliverability than HTML
- Rate limiting is essential - Even low-traffic apps need it
Operational
- 4 AM backups - Middle of lowest activity window
- SQLite .backup is safe - Can run while app is active
- chmod 700 backups - Protect secrets in backed-up .env
- Trust proxy matters - Required for sessions behind Nginx
- Role hierarchy is critical - Bot role must be ABOVE subscriber roles
📝 Post-Deployment Tasks
Immediate (Within 24 Hours)
- Verify health check green
- Test complete OAuth flow with real subscription
- Check email delivery (inbox, not spam)
- Verify Ghost CMS updates correctly
- Confirm Discord roles assign correctly
- Test admin panel with all Trinity members
Within 1 Week
- Monitor logs for errors
- Review first backup success
- Test all subscription events (create, upgrade, downgrade, cancel)
- Document any deployment-specific notes
- Update operations manual
Ongoing
- Weekly audit log review
- Monthly backup restore test
- Quarterly dependency updates
- Update documentation as system evolves
🆘 If Something Goes Wrong
Application Won't Start
- Check logs:
sudo journalctl -u arbiter -n 100 - Common causes: missing .env, syntax error, port in use
- See TROUBLESHOOTING.md "Application Won't Start"
Webhooks Failing
- Check webhook signature in Paymenter matches .env
- Check health endpoint:
/health - See TROUBLESHOOTING.md "Webhook signature verification failed"
Roles Not Assigning
- Check bot role hierarchy in Discord
- Verify role IDs in
config/roles.jsonare correct - See TROUBLESHOOTING.md "Bot missing permissions"
Emergency Rollback
sudo systemctl stop arbiter
sudo systemctl disable arbiter
sudo rm /etc/nginx/sites-enabled/arbiter
sudo systemctl reload nginx
Full troubleshooting: See TROUBLESHOOTING.md
📞 Support Resources
Documentation:
/discord-oauth-implementation/README.md- Complete overview/discord-oauth-implementation/DEPLOYMENT.md- Step-by-step deployment/discord-oauth-implementation/TROUBLESHOOTING.md- Common issues
Gemini Consultation Archive:
/firefrost-operations-manual/docs/consultations/gemini-discord-oauth-2026-03-30/- Complete technical discussion
- All architecture decisions
- Already in Gitea (commit
dbfc123)
Implementation Partner:
- Claude (Chronicler #49)
Architecture Consultant:
- Gemini AI
✅ Quality Checklist
Code Quality:
- ✅ Production-ready code
- ✅ Error handling on all external calls
- ✅ Input validation on all user input
- ✅ Security best practices followed
- ✅ Logging for debugging
- ✅ Comments explaining complex logic
Documentation:
- ✅ Complete README
- ✅ Step-by-step deployment guide
- ✅ Troubleshooting for 7+ common issues
- ✅ Inline code comments
- ✅ Configuration examples
- ✅ Architecture decisions documented
Testing:
- ✅ Local testing procedure provided
- ✅ Production testing checklist included
- ✅ Health check endpoint
- ✅ Manual testing commands provided
Operations:
- ✅ Automated backups configured
- ✅ Systemd service file
- ✅ Log rotation consideration
- ✅ Monitoring recommendations
- ✅ Rollback procedure
🎉 You're Ready!
Everything is prepared. When you're home and ready:
- Read
DEPLOYMENT.mdstart to finish - Gather all credentials (checklist in DEPLOYMENT.md)
- Follow the 7-phase deployment process
- Validate with test subscription
- Monitor for 24 hours
- Go live!
Estimated deployment time: 2-3 hours (including validation)
💙 Final Notes
This implementation represents ~7 hours of consultation with Gemini AI, resulting in:
- 2,000+ lines of production code
- 12,000+ words of documentation
- 5 major architecture decisions
- 24 complete files ready to deploy
Built with care for:
- Subscribers (seamless experience)
- Trinity (powerful admin tools)
- Future maintainers (comprehensive docs)
- The community ("for children not yet born")
This is sustainable infrastructure. It will serve Firefrost Gaming for years.
🔥❄️ Fire + Frost + Foundation = Where Love Builds Legacy 💙
Prepared by Chronicler #49 on March 30, 2026 at 10:18 AM CDT