Bump the nuget-all group with 4 updates

.claude/settings.local.json

@@ -2,53 +2,24 @@
   "permissions": {
     "allow": [
       "Write(*)",
-      "Bash(git:*)",
-      "Bash(npm:*)",
-      "Bash(cmd.exe:*)",
-      "Bash(powershell.exe:*)",
-      "Bash(grep:*)",
-      "Bash(mkdir:*)",
-      "Bash(pdftotext: *)",
-      "Bash(find: *)",
-      "Bash(\"d:/Projects/Curvit/.env.example\":*)",
-      "Bash(\"d:/Projects/Curvit/infrastructure/postgres/init.sql\":*)",
-      "Bash(\"d:/Projects/Curvit/infrastructure/redis/redis.conf\":*)",
-      "Bash(\"d:/Projects/Curvit/infrastructure/traefik/traefik.yml\":*)",
-      "Bash(\"d:/Projects/Curvit/infrastructure/traefik/dynamic/middlewares.yml\":*)",
-      "Bash(\"d:/Projects/Curvit/infrastructure/traefik/dynamic/routes.yml\":*)",
-      "Bash(\"d:/Projects/Curvit/services/core-api/src/Curvit.Domain/Curvit.Domain.csproj\":*)",
-      "Bash(\"d:/Projects/Curvit/services/core-api/src/Curvit.Application/Curvit.Application.csproj\":*)",
-      "Bash(__NEW_LINE_5c5965c4013e726c__ cat:*)",
-      "Bash(\"d:/Projects/Curvit/services/core-api/src/Curvit.Infrastructure/Curvit.Infrastructure.csproj\":*)",
-      "Bash(\"d:/Projects/Curvit/services/core-api/src/Curvit.Api/Curvit.Api.csproj\":*)",
-      "Bash(\"d:/Projects/Curvit/services/core-api/src/Curvit.Api/Dockerfile\":*)",
-      "Bash(\"d:/Projects/Curvit/services/core-api/tests/Curvit.UnitTests/Curvit.UnitTests.csproj\":*)",
-      "Bash(\"d:/Projects/Curvit/services/core-api/tests/Curvit.IntegrationTests/Curvit.IntegrationTests.csproj\":*)",
-      "Bash(\"d:/Projects/Curvit/apps/app-frontend/Dockerfile\":*)",
-      "Bash(docker:*)",
-      "Bash(ls /d/Projects/Curvit/apps/app-frontend/src/app/\"\\(auth\\)\")",
-      "Bash(ls /d/Projects/Curvit/apps/app-frontend/src/app/\"\\(auth\\)\"/dashboard)",
-      "Bash(python -m json.tool)",
-      "Bash(find /d/Projects/Curvit/apps/marketing-site -name vitest* -o -name playwright* -o -name *.config.*)",
-      "Bash(find /d/Projects/Curvit/apps/marketing-site -name *.test.* -o -name *.spec.*)",
-      "Bash(find /d/Projects/Curvit/apps/marketing-site -type f \\\\\\(-name *.astro -o -name *.ts -o -name *.js -o -name *.json -o -name *.css -o -name *.md -o -name *.svg -o -name *.txt \\\\\\) ! -path */node_modules/* ! -path */.astro/* ! -path */dist/*)",
-      "Bash(xargs ls:*)",
-      "Bash(for dir:*)",
-      "Bash(do echo:*)",
-      "Read(//d/Projects/Curvit/services/**)",
-      "Bash(done)",
-      "Read(//d/Projects/Curvit/workers/**)",
-      "Bash(grep -m1 \"\"\"node\"\"\" \"d:/Projects/Curvit/apps/marketing-site/package.json\")",
-      "Bash(ls d:/Projects/Curvit/apps/app-frontend/next.config*)",
-      "Bash(cat d:/Projects/Curvit/apps/app-frontend/next.config*)",
-      "Bash(python3 -c \"import sys,json; [print\\(json.loads\\(l\\).get\\(''''event'''',''''''''\\)[:120], json.loads\\(l\\).get\\(''''status'''',''''''''\\), json.loads\\(l\\).get\\(''''user'''',''''''''\\)\\) for l in sys.stdin if l.strip\\(\\)]\")",
-      "Bash(curl -s http://localhost:9090/api/v1/targets)",
-      "Bash(curl -s \"http://localhost:9090/api/v1/query?query=up%3D%3D0\")",
-      "Bash(curl -s -X POST http://localhost:9090/-/reload)"
+      "Read(*)",
+      "Bash(*)",
+      "WebSearch",
+      "WebFetch(domain:raw.githubusercontent.com)",
+      "WebFetch(domain:github.com)",
+      "Bash(ssh -i /c/Users/nickl/.ssh/id_ed25519 root@204.168.191.25 \"docker logs -f curvit-clamavd 2>&1 | grep --line-buffered -E 'socket found|clamd started|ERROR|WARN|Limits|ready'\")",
+      "Bash(ssh -i /c/Users/nickl/.ssh/id_ed25519 root@204.168.191.25 \"docker logs curvit-clamavd --since=5m 2>&1 | grep --line-buffered -E 'socket found|clamd started|ERROR|FATAL|Limits: Global time'\")",
+      "PowerShell(*)",
+      "Bash(gh run *)",
+      "Bash(ssh root@204.168.191.25 'curl -s https://api.staging.curvit.co.uk/health 2>/dev/null | grep -q \"Healthy\"')",
+      "Bash(ssh root@204.168.191.25 'docker ps | grep -iE \"clamav.*healthy|postgres.*healthy|redis.*healthy\" | wc -l')",
+      "Bash(ssh root@204.168.191.25 'docker logs --tail 1 curvit-core-api 2>&1')",
+      "Bash(echo \"Core-API starting up... $\\(ssh root@204.168.191.25 'docker logs --tail 1 curvit-core-api 2>&1')",
+      "WebFetch(domain:sonarcloud.io)"
     ],
     "additionalDirectories": [
-      "d:\\Projects\\Curvit\\apps\\app-frontend\\src\\app\\api\\auth",
-      "d:\\Projects\\Curvit\\.github\\workflows"
+      "d:\\Projects\\Curvit\\**",
+      "\\tmp"
     ]
   }
 }

.env.example

@@ -1,91 +1,188 @@
-# ─────────────────────────────────────────────────────────────────────────────
-# Curvit — local development environment variables
-#
-# Copy this file to .env and fill in all values before running docker compose.
-# .env is gitignored and must NEVER be committed to version control.
-#
-# DISASTER RECOVERY NOTE
-# If you lose your .env, this file documents every variable you need to
-# recreate it.  All Authentik configuration (flows, providers, stages) is
-# rebuilt automatically from the blueprint on first startup.  The secrets
-# below are the only thing that cannot be recovered from the repository.
-# ─────────────────────────────────────────────────────────────────────────────
-
-
-# ── PostgreSQL ────────────────────────────────────────────────────────────────
-# Shared password for the curvit and authentik databases.
-# Generate: openssl rand -base64 24
-POSTGRES_PASSWORD=changeme
-
-
-# ── Authentik identity provider ───────────────────────────────────────────────
-# Random 64-character hex key used to sign Authentik tokens and cookies.
-# If this key changes, ALL active Authentik sessions are immediately invalidated.
-# Generate: openssl rand -hex 32
-AUTHENTIK_SECRET_KEY=changeme-generate-with-openssl-rand-hex-32
-
-# Bootstrap credentials for the built-in akadmin superuser account.
-# These are only used on the FIRST startup when no admin account exists.
-# After that, changing them here has no effect — use the Authentik UI to
-# change the password.  akadmin is the only account with access to the
-# Authentik admin interface (/if/admin/).
-AUTHENTIK_ADMIN_EMAIL=your-email@example.com
-AUTHENTIK_ADMIN_PASSWORD=changeme
-
-
-# ── Google OAuth (Authentik social source) ────────────────────────────────────
-# Google OAuth 2.0 credentials used by Authentik to provide "Sign in with
-# Google" for Curvit app users.
-#
-# How to obtain:
-#   1. Go to console.cloud.google.com → APIs & Services → Credentials
-#   2. Create an OAuth 2.0 Client ID (Web application)
-#   3. Add authorised redirect URI:
-#        http://localhost:9000/source/oauth/callback/google/
-#   4. For production, also add the production Authentik callback URL.
-AUTHENTIK_GOOGLE_CLIENT_ID=changeme.apps.googleusercontent.com
-AUTHENTIK_GOOGLE_CLIENT_SECRET=changeme
-
-
-# ── OIDC client credentials (Authentik ↔ app-frontend) ───────────────────────
-# The client ID and secret for the Curvit OIDC provider registered in Authentik.
-# These are injected into Authentik via the blueprint (using !Env tags) and must
-# match the values used by the app-frontend.
-#
-# Choose any stable values — they are not auto-generated.  Use a UUID or a
-# random string for the secret:
-#   Generate secret: openssl rand -hex 32
-#
-# After first startup, verify these are set correctly in the Authentik admin UI:
-#   Applications → Providers → curvit-oidc-provider → Edit
-AUTH_AUTHENTIK_ID=curvit-client-id
-AUTH_AUTHENTIK_SECRET=changeme-generate-with-openssl-rand-hex-32
-
-
-# ── Auth.js (app-frontend session signing) ────────────────────────────────────
-# Random secret used to sign and encrypt Auth.js JWT session tokens.
-# If this key changes, ALL active app-frontend sessions are immediately
-# invalidated (users are logged out).
-# Generate: openssl rand -hex 32
+# Curvit - Local Development Environment Variables (Example)
+# Copy this file to .env and fill in all values marked with "changeme-".
+# The local .env is gitignored and must never be committed.
+
+# ============================================================================
+# ENVIRONMENT & APPLICATION CONFIGURATION
+# ============================================================================
+
+NODE_ENV=production
+NEXT_PUBLIC_APP_ENV=development
+APP_ENV=development
+LOG_LEVEL=debug
+AUTH_DEBUG=1
+SHOW_DEV_TOOLS=false
+SCANNER_FAIL_OPEN=false
+PAYMENT_PROVIDER=local_sandbox
+
+# ============================================================================
+# PUBLIC URLS AND SERVICE ENDPOINTS
+# ============================================================================
+
+APP_BASE_URL=https://app.curvit.local.co.uk
+APP_CALLBACK_URL=https://app.curvit.local.co.uk/api/auth/callback/authentik
+APP_FAVICON_URL=https://app.curvit.local.co.uk/favicon.ico
+MARKETING_URL=https://curvit.local.co.uk
+PUBLIC_APP_URL=https://app.curvit.local.co.uk
+NEXT_PUBLIC_API_URL=https://api.curvit.local.co.uk
+
+# ============================================================================
+# CORE INFRASTRUCTURE
+# ============================================================================
+
+POSTGRES_USER=curvit
+POSTGRES_PASSWORD=changeme-generate-with-openssl-rand-base64-24
+REDIS_PASSWORD=changeme-generate-with-openssl-rand-base64-24
+INTERNAL_API_KEY=changeme-generate-with-openssl-rand-hex-32
+
+# ============================================================================
+# DATABASE & CACHE
+# ============================================================================
+
+DATABASE_URL=postgresql+asyncpg://curvit:PASSWORD@postgres:5432/curvit
+POSTGRES_URL=postgresql://curvit:PASSWORD@postgres:5432/curvit
+
+# ============================================================================
+# BACKUP ENCRYPTION (PGBACKREST)
+# ============================================================================
+
+# Backup encryption passphrase (AES-256-CBC)
+PGBACKREST_REPO1_CIPHER_PASS=changeme-generate-with-openssl-rand-base64-32
+
+# Optional Hetzner Storage Box credentials (only used by deploy.sh)
+# STORAGEBOX_USER=u575805
+# STORAGEBOX_HOST=u575805.your-storagebox.de
+# STORAGEBOX_REMOTE_PATH=backrest/staging
+
+# ============================================================================
+# AUTHENTICATION (AUTH.JS / GOOGLE OAUTH)
+# ============================================================================
+
+AUTH_URL=https://app.curvit.local.co.uk
 AUTH_SECRET=changeme-generate-with-openssl-rand-hex-32
+AUTH_TRUST_HOST=true
+CONSENT_COOKIE_DOMAIN=
+
+# Google OAuth direct provider
+AUTH_GOOGLE_ID=changeme.apps.googleusercontent.com
+AUTH_GOOGLE_SECRET=changeme
+
+# ============================================================================
+# CORE API
+# ============================================================================
+
+CORE_API_BASE_URL=http://core-api:5000
+INTERNAL_API_URL=http://core-api:5000
+
+# ============================================================================
+# INTERNAL SERVICES
+# ============================================================================
+
+INTERNAL_APP_URL=http://app-frontend:3000
+ORCHESTRATOR_URL=http://ai-orchestrator:8000
+Orchestrator__BaseUrl=http://ai-orchestrator:8000
+INGESTION_SERVICE_URL=http://document-ingestion-service:8001
+DocumentIngestion__BaseUrl=http://document-ingestion-service:8001
+BILLING_SERVICE_URL=http://billing-service:8000
+CMS_SERVICE_URL=http://cms-service:8000
+MESSAGING_SERVICE_URL=http://messaging-service:8000
+ContentSanitiser__BaseUrl=http://content-sanitiser:8000
+SCANNER_URL=http://clamav-rest:8080
+VALIDATOR_URL=http://output-validator:8000
+
+# ============================================================================
+# FRONTEND CONFIGURATION
+# ============================================================================
+
+AppFrontend__BaseUrl=https://app.curvit.local.co.uk
+Cors__AllowedOrigins__0=https://app.curvit.local.co.uk
+
+# ============================================================================
+# AI SERVICES (ANTHROPIC)
+# ============================================================================
+
+# Model selection: claude-haiku-4-5-20251001 (default, cost-efficient)
+#                  claude-sonnet-4-6 (balanced)
+#                  claude-opus-4-7 (most capable)
+# ANTHROPIC_MODEL=claude-haiku-4-5-20251001
+ANTHROPIC_API_KEY=changeme-or-leave-blank-for-local-testing
+ANTHROPIC_MAX_CONCURRENT_REQUESTS=2
+ANTHROPIC_MAX_RETRIES=3
+ANTHROPIC_RETRY_BASE_S=1
+
+# ============================================================================
+# EMAIL DELIVERY
+# ============================================================================
+
+# Local development always sends via Mailpit (see docker-compose.yml)
+EMAIL_FROM_ADDRESS=noreply-dev@curvit.local.co.uk
+EMAIL_ADMIN_ADDRESS=support-dev@curvit.local.co.uk
+EMAIL_SMTP_HOST=mailpit
+EMAIL_SMTP_PORT=1025
+RESEND_API_KEY=changeme
+
+# ============================================================================
+# ANALYTICS AND CONSENT
+# ============================================================================
+
+GA_MEASUREMENT_ID=
+CONSENT_COOKIE_DOMAIN=
+
+# ============================================================================
+# MONITORING & OBSERVABILITY
+# ============================================================================
+
+ADMIN_SERVICE_URL=http://admin-service:8000
+ADMIN_GRAFANA_URL=https://grafana.curvit.local.co.uk
+ADMIN_PROMETHEUS_URL=https://prometheus.curvit.local.co.uk
+ADMIN_DOZZLE_URL=https://dozzle.curvit.local.co.uk
+ADMIN_NOTIFICATION_EMAIL=alerts-dev@curvit.local.co.uk
+
+# Basic auth users for monitoring dashboards
+# Format: username:$2y$05$hashed_password (Apache bcrypt hash)
+# Generate with: htpasswd -cbc /dev/stdout admin
+MONITORING_AUTH_USERS=admin:changeme-with-bcrypt-hash
+
+# ============================================================================
+# GRAFANA CONFIGURATION
+# ============================================================================
 
-
-# ─────────────────────────────────────────────────────────────────────────────
-# The variables below are already hardcoded in docker-compose.yml for local
-# development.  You do NOT need to set them in .env for a standard local setup.
-# They are documented here for reference and for non-Docker deployments.
-# ─────────────────────────────────────────────────────────────────────────────
-
-# ── Grafana ───────────────────────────────────────────────────────────────────
-# Password for the Grafana admin account (username: admin).
-# Defaults to "admin" if not set — override for any shared environment.
-# Grafana is available at http://localhost:3001
 GRAFANA_ADMIN_PASSWORD=changeme
 
-
-# AUTH_URL=http://localhost:3000
-# AUTH_AUTHENTIK_ISSUER=http://localhost:9000/application/o/curvit/
-# AUTH_AUTHENTIK_INTERNAL_URL=http://authentik-server:9000
-# MARKETING_URL=http://localhost:4321
-# NEXT_PUBLIC_API_URL=http://localhost:5000
-# INTERNAL_API_URL=http://core-api:5000
+# Anonymous access to dashboards
+GRAFANA_AUTH_ANONYMOUS_ENABLED=true
+GRAFANA_AUTH_ANONYMOUS_ORG_ROLE=Viewer
+GRAFANA_AUTH_DISABLE_LOGIN_FORM=true
+GRAFANA_AUTH_BASIC_ENABLED=false
+
+# SMTP alert notifications (captured by Mailpit in local dev)
+GRAFANA_SMTP_ENABLED=true
+GRAFANA_SMTP_HOST=mailpit:1025
+GRAFANA_SMTP_USER=
+GRAFANA_SMTP_PASSWORD=
+GRAFANA_SMTP_FROM_ADDRESS=alerts@curvit.local.co.uk
+GRAFANA_SMTP_FROM_NAME=Curvit Alerts (Dev)
+
+# ============================================================================
+# PAYMENT PROCESSING
+# ============================================================================
+
+# Local development uses the Curvit payment sandbox.
+# It accepts Stripe-style test cards locally and signs local-only webhook deliveries.
+# See docs/testing/payment-testing.md for payment testing procedures.
+
+STRIPE_SECRET_KEY=sk_test_changeme
+STRIPE_WEBHOOK_SECRET=whsec_changeme
+
+# ============================================================================
+# RUNTIME TUNING & LOCAL DEBUGGING
+# ============================================================================
+
+# ClamAV malware scanner should stay fail-closed in development
+SCANNER_FAIL_OPEN=false
+
+# Local-only debugging and runtime toggles
+SKIP_ENV_VALIDATION=0
+DISABLE_URL_REWRITES=0
+NEXT_PUBLIC_DISABLE_URL_REWRITES=0
+ANALYSIS_WORKER_CONCURRENCY=4