73cb0aab8b
t3 is single-owner (no in-app multi-user), so each person runs their own `t3 serve` on the DevVM as their own OS user: wizard→:3773 (t3-serve.service), emo→:3774 (t3-serve-emo.service). An in-cluster nginx `t3-dispatch` maps the Authentik-injected X-authentik-username to the right instance; unmapped identities get 403 (no shared fallback). Flipped the ingress auth app→required (Authentik forward-auth) — the same-origin self-served UI works behind it (WS carries the Authentik cookie) and t3's own pairing/bearer stays the inner gate. Mirrors the terminal stack's per-user model. Verified: dispatcher routes vbarzin→:3773, emil.barzin→:3774, unmapped→403; t3.viktorbarzin.me now 302s to Authentik. Cross-origin native app / app.t3.codes intentionally unsupported here — deferred until the native app is published. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| agents | ||
| commands | ||
| reference | ||
| scripts | ||
| skills | ||
| calendar-query.py | ||
| CLAUDE.md | ||
| home-assistant-sofia.py | ||
| home-assistant.py | ||
| internet-mode-used_DO_NOT_REMOVE_MANUALLY_SECURITY_RISK | ||
| pfsense.py | ||
| settings.json | ||