tibberous/TrioDesktop
TrioDesktop CMS Repository
==========================
This repository is the current working version of the TrioDesktop CMS codebase.
Nginx configuration files included
----------------------------------
The Nginx configuration supplied from the live server has been saved in:

    nginx/triodesktop.com.current.nginx.conf

A recommended dedicated CMS server block has also been added in:

    nginx/cms.triodesktop.com.recommended.nginx.conf
Deployment target
-----------------
Desired production path:

    /home/triodesktop.com

Desired production host:

    https://triodesktop.com/
Important Nginx finding
-----------------------
The current live Nginx config uses this root:

    root /home/triodesktop.com;
That means requests for https://triodesktop.com/ are served from the parent
/home/triodesktop.com document root, not from /home/triodesktop.com.
So the current config can only be used as-is if the CMS files are deployed into
/home/triodesktop.com itself, or if /home/triodesktop.com/index.php forwards into
/cms. That is not the desired layout.
Recommended fix
---------------
Use a separate Nginx server block for cms.triodesktop.com with:

    root /home/triodesktop.com;

The recommended replacement block is in:

    nginx/cms.triodesktop.com.recommended.nginx.conf
Before enabling the dedicated CMS block, remove cms.triodesktop.com from the
shared triodesktop.com server_name list to avoid duplicate vhost conflicts.
Security note
-------------
Because this legacy CMS currently keeps config.ini, SQL dumps, logs, tools,
vendor code, and private files under the repository root, the recommended Nginx
block explicitly denies those paths/extensions. A later cleanup pass should move
public assets into a public/ webroot and keep private/runtime files outside the
web root entirely.
Pretty URL / Front Controller Update - 2026-05-03
--------------------------------------------------
The uploaded Nginx config already has a partial pretty URL rule:

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
That is not enough for the TrioDesktop CMS front-controller model because existing PHP files are still handled by the generic PHP include. The repo now includes:
nginx/cms.triodesktop.com.pretty-front-controller.nginx.conf
Use that config for cms.triodesktop.com. It sends all PHP-looking requests through index.php while still serving existing static assets directly. index.php was updated to parse REQUEST_URI and map pretty paths back to the existing page/action/slug variables.
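A simplified model of the request routing described above and in the Security note (deny rules first, then existing static files, everything else to index.php), added here as an illustration and not taken from the repo's Nginx files. The deny patterns, the `route` and `served_as_static` helpers, and the file tree are assumptions constructed for the example.

```python
import re

# Assumed deny rules in the style of nginx `location ~*` regexes, written for
# this example; the repo's own config files are not reproduced on the page.
DENY = tuple(re.compile(p, re.I) for p in (
    r"^/config(\.local)?\.ini$",             # credentials
    r"\.(sql|log|ini)$",                      # dumps, logs, other ini files
    r"^/(logs|tools|vendor|private)(/|$)",    # private/runtime directories
))

# Constructed file tree under the web root (sample paths, not a real listing).
FILES = frozenset({
    "/index.php", "/config.ini", "/pages/login.php", "/css/site.css",
    "/logs/runtime.log", "/tools/run_detectors.py", "/vendor/autoload.php",
    "/private/google_oauth_client.unmolested.json",
})

def route(path, deny=DENY, files=FILES):
    """Return 'deny', 'static' or 'front-controller' for one request path."""
    path = path.split("?", 1)[0]
    if any(rx.search(path) for rx in deny):
        return "deny"
    if path.endswith(".php") or path not in files:
        return "front-controller"   # PHP-looking or non-existent: index.php decides
    return "static"                 # existing non-PHP file is served as-is

def served_as_static(deny=DENY, files=FILES):
    """Files a client can download directly under the given deny rules."""
    return sorted(f for f in files if route(f, deny, files) == "static")

if __name__ == "__main__":
    print("without deny rules:", served_as_static(deny=()))
    print("with deny rules:   ", served_as_static())
```

Running the audit with an empty rule set lists config.ini, the runtime log, the tools script and the private OAuth JSON as directly downloadable, which is the exposure the deny rules exist to close.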
Cleanup note — 2026-05-03
-------------------------
This CWV was cleaned down from the old AcquisitionInvest CMS/site export into a small TrioDesktop CMS placeholder source tree. The deleted-file inventory is saved in cleanup_manifest.txt. The cleanup removed old generated thumbnails, old investor PDFs, old marketing/team/kit graphics, elFinder sample uploads, server-account artifacts, old SQL dumps, and preview/test files.
The current public landing view is intentionally neutral TrioDesktop CMS placeholder content. Site-specific content should be added through the CMS after the MariaDB/Eloquent layer is installed and configured.
Deployment note:
- Target path: /home/triodesktop.com
- Target host: https://triodesktop.com/
- Run composer install in the CMS directory before first runtime if vendor dependencies are missing or incomplete.
2026-05-03 account/admin/deploy pass
------------------------------------
This repo now expects the public TrioDesktop site to be served from /home/triodesktop.com with the existing Nginx root and front-controller fallback.
Key public routes:
- /signup: create account.
- /login: user login.
- /user: starter logged-in user area with dropdown logout.
- /admin: temporary admin login.
- /admin/users: user list/edit/delete/restore after admin login.
Admin login:
- Google OAuth is preferred when oauth_google is configured.
- Password admin login now requires TRIOCMS_ADMIN_PASSWORD_HASH, TRIOCMS_ADMIN_PASSWORD,
config.local.ini [security] admin_password_hash, or [security] admin_password.
- The old admin/password test login is disabled by default. It only works if
[security] allow_test_admin_login = true is explicitly enabled for local testing.
Deployment:
Run python start.py from the repo root. It uses config.ini [deploy], WinSCP saved session vps, remote path /home/triodesktop.com, base URL https://triodesktop.com, and 8 parallel workers. It uploads only changed files after local/remote MD5 comparison and verifies changed files after upload. Vendor is intentionally ignored so Composer/Eloquent installed on the server is preserved.
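The changed-file selection described above, sketched as an added example; this is not the code of start.py. How the deployer obtains remote digests is not shown on the page, so the remote side is a plain dict here, and all function names and file contents are constructed.

```python
import hashlib
import os
import tempfile

IGNORED_TOP_DIRS = {"vendor", "private"}  # the README says the deployer skips these

def md5_manifest(root):
    """Map relative path -> MD5 hex digest for every file that may be uploaded."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:  # prune ignored directories at the top level only
            dirnames[:] = [d for d in dirnames if d not in IGNORED_TOP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                # MD5 here detects changed content; it is not a tamper check.
                manifest[rel] = hashlib.md5(fh.read()).hexdigest()
    return manifest

def plan_upload(local, remote):
    """Paths that are new or whose digest differs from the remote copy."""
    return sorted(p for p, digest in local.items() if remote.get(p) != digest)

def failed_verification(local, remote_after, uploaded):
    """Uploaded paths whose remote digest still differs after the transfer."""
    return [p for p in uploaded if remote_after.get(p) != local[p]]

def demo():
    """Build a constructed tree, then plan against a constructed remote manifest."""
    tree = {"index.php": b"<?php // v2", "pages/login.php": b"<?php // form",
            "vendor/autoload.php": b"<?php", "private/client.json": b"{}"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in tree.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        local = md5_manifest(root)
    remote = {"index.php": hashlib.md5(b"<?php // v1").hexdigest(),
              "pages/login.php": local["pages/login.php"]}
    return local, plan_upload(local, remote)
```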
OAuth login pass
----------------
Google OAuth login is now wired through the same legacy-friendly CMS layout:
index.php routes, actions/ handles OAuth start/callback, pages/ renders forms,
and includes/ contains the OAuth helpers plus the Eloquent-backed ORM layer.
The raw uploaded Google client JSON is kept at private/google_oauth_client.unmolested.json.
The runtime values were copied into config.ini under [oauth_google]. The deployer
ignores /private so the unmodified JSON is preserved in the repo zip but not pushed
to the server by default.
Google Cloud must allow this redirect URI:
https://triodesktop.com/oauth/google/callback
Because config.ini contains database and OAuth credentials, the live Nginx server
block should include the safety rules from nginx/triodesktop.com.security-additions.conf.
2026-05-04 server setup update:
start.py now does more than push files. It uses the saved WinSCP session `vps` and the WinSCP remote `call` command to run a temporary server-side shell script. That script repairs the Nginx routing so cms.triodesktop.com serves /home/triodesktop.com/cms, tests the config with nginx -t, restores the backup on failure, and reloads Nginx on success.
Run:

    python start.py nginx

or just:

    python start.py deploy

The deploy defaults are:

    remote_path = /home/triodesktop.com/cms
    base_url = https://cms.triodesktop.com
    workers = 8
    winscp_session = vps

Nginx backups are written on the server to:

    /www/server/panel/vhost/nginx/triocms_backups
Nginx deploy debugging
----------------------
The live Nginx configuration supplied by the server is stored in:

    nginx/triodesktop.com.current.nginx.conf

start.py now also writes a locally generated target config to:

    nginx/triodesktop.com.patched-for-cms.nginx.conf

Deployment logs are written to both:

    deploy.log
    debug.log

Raw WinSCP scripts, WinSCP logs, XML logs, and downloaded/uploaded Nginx config
proof files are saved in:

    logs/deploy-debug/
The deployer should make cms.triodesktop.com serve /home/triodesktop.com/cms by
removing cms.triodesktop.com from the shared vhost server_name list and adding a
dedicated server block rooted at /home/triodesktop.com/cms.
2026-05-05 root/www/login deploy note
--------------------------------------
The deployer now treats triodesktop.com, www.triodesktop.com, and cms.triodesktop.com as one canonical TrioCMS host set. Running `python start.py deploy` patches the Nginx vhost so all three hostnames serve `/home/triodesktop.com/cms`, verifies no CMS host remains in the old shared `server_name` line, uploads only changed files, and probes `/`, `/login`, `/admin`, and `/triocms_live_check.php` on all configured hosts.
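One way to check for the duplicate `server_name` condition this README warns about, as an added example that is not the deployer's own code. The sample vhost text is constructed, the helper names are hypothetical, and `listen` values are compared as plain text, which is a simplification.

```python
import re
from collections import defaultdict

# Constructed sample: the shared block still lists the CMS host.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name triodesktop.com www.triodesktop.com cms.triodesktop.com;
    root /home/triodesktop.com;
    location / { try_files $uri $uri/ /index.php?$query_string; }
}
server {
    listen 443 ssl;
    server_name cms.triodesktop.com;
    root /home/triodesktop.com/cms;
}
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block, matching nested braces."""
    for m in re.finditer(r"^\s*server\s*\{", conf, re.M):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directive(body, name):
    """Return the arguments of the first `name ...;` directive in a block."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+([^;]+);", body, re.M)
    return m.group(1).split() if m else []

def host_map(conf):
    """Map hostname -> list of (listen, root) for every block that claims it."""
    hosts = defaultdict(list)
    for body in server_blocks(conf):
        listen = " ".join(directive(body, "listen")) or "80"
        root = " ".join(directive(body, "root"))
        for name in directive(body, "server_name"):
            hosts[name].append((listen, root))
    return hosts

def conflicts(conf):
    """Hostnames claimed by more than one block with the same listen value."""
    return {host: [root for _, root in claims]
            for host, claims in host_map(conf).items()
            if len({l for l, _ in claims}) < len(claims)}
```

When two blocks claim the same name on the same listener, Nginx logs a "conflicting server name" warning and ignores the later one, so in the sample the dedicated CMS root would never be used.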
2026-05-07 handbook concept application pass
---------------------------------------------
The uploaded CodeBot handbook is Python/Qt-oriented, but the useful concepts now
have PHP CMS equivalents in this repo:
- includes/runtime.php adds request IDs, structured logs, PHP error/exception/fatal
handlers, context redaction, and runtime evidence in logs/runtime.log.
- config.php now loads includes/runtime.php first, supports config.local.ini as a
local/production secret overlay, and supports environment overrides for database,
Google OAuth, SMTP, and admin password values.
- index.php now sets hardened session cookie parameters before session_start().
- includes/orm.php now verifies mutation results and logs zero affected-row updates
unless a caller explicitly marks the mutation as an intentional no-op.
- includes/auth.php no longer treats the old admin/password test login as available
by default. Use Google OAuth or set TRIOCMS_ADMIN_PASSWORD_HASH/admin_password_hash.
- tools/run_detectors.py now verifies the above handbook-inspired safeguards.
- docs/HANDBOOK_APPLICATION_TO_CMS.md explains what was mapped directly, what was
translated for PHP/CMS runtime, and what was deliberately not forced.
No live deployment was performed during this pass.