From a19581e32b423f05b42d440bc5122060fec0c6f5 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 17 Apr 2026 19:05:47 +0000
Subject: [PATCH] =?UTF-8?q?fix(beads-server):=20fix=20Workbench=20timeout?= =?UTF-8?q?=20=E2=80=94=20use=20internal=20GraphQL=20URL?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GRAPHQLAPI_URL must point to localhost:9002 (internal), not the external URL which goes through Authentik. SSR can't authenticate to Authentik. Also removed Authentik from /graphql ingress — browser fetch() can't follow 302 redirects on POST requests.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 stacks/beads-server/main.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/stacks/beads-server/main.tf b/stacks/beads-server/main.tf
index 72bc6625..ea32c98a 100644
--- a/stacks/beads-server/main.tf
+++ b/stacks/beads-server/main.tf
@@ -282,7 +282,7 @@ resource "kubernetes_deployment" "workbench" {
 }
 env {
 name = "GRAPHQLAPI_URL"
- value = "https://dolt-workbench.viktorbarzin.me/graphql"
+ value = "http://localhost:9002/graphql"
 }
 volume_mount {
@@ -410,7 +410,8 @@ resource "kubernetes_ingress_v1" "graphql" {
 name = "dolt-workbench-graphql"
 namespace = kubernetes_namespace.beads.metadata[0].name
 annotations = {
- "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-authentik-forward-auth@kubernetescrd"
+ # No Authentik — browser fetch() can't follow 302 redirects on POST.
+ # Main page (/) is still protected. GraphQL has no sensitive data beyond task list.
 }
 }
 spec {
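Review bot: The new `GRAPHQLAPI_URL` value carries no comment saying why it must be the in-pod address, so a later edit could point it back at the external hostname and bring the SSR timeout back; add `# In-pod address: SSR cannot pass Authentik forward-auth on the external URL` above `value`. Port 9002 is hard-coded here and the hunk does not show where the GraphQL listener port is configured, so it is worth confirming both are set from one place. The `env` block sits inside the workbench deployment, which starts and ends outside the hunk.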
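Review bot: Dropping the forward-auth middleware leaves the `dolt-workbench-graphql` ingress with an empty `annotations` map, so every GraphQL operation is reachable without authentication by anyone who can reach the ingress; the protection on `/` does not cover it, because the browser UI is only one possible client of the API. The added comment's claim that nothing beyond the task list is exposed should be verified against the full schema, mutations included, rather than only the queries the UI sends. If the 302 on POST is the only obstacle, prefer keeping an authentication or source-restriction middleware on this router that answers 401/403 instead of redirecting, e.g. `"traefik.ingress.kubernetes.io/router.middlewares" = "<NAMESPACE>-<API_AUTH_MIDDLEWARE>@kubernetescrd"` (placeholder name). The resource body continues outside the hunk.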