The web service container only inherited NODE_ENV/DATABASE_URL/DATA_DIR/
MEDIA_DIR/WEB_PORT, so AUTH_SECRET (set in .env.development) was never
visible inside the container. Login bailed out with 'Server is not
configured for sign-in.' loginAction needs both keys to issue cookies,
and OPERATOR_TOKEN_VERSION defaults to 1 (the env-bump session
invalidator).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Two related fixes:

1. Phone (and any LAN client) couldn't reach the web container because
   the dev compose mapped 127.0.0.1:WEB_PORT instead of binding all
   interfaces. Drop the loopback prefix.
2. Turbopack and NodeNext disagree on extension handling: bot's tsc
   needs `.js` extensions in source imports; Turbopack's transpilePackages
   path can't resolve those `.js` requests back to `.ts` source. Switch
   to consuming the workspace packages via their compiled dist instead:
   - packages/db + packages/shared point `main`/`exports` at ./dist/*
   - drop transpilePackages from next.config.ts; web picks up the
     compiled `.js` files directly
   - dev compose command for web builds shared+db before running
     `next dev` so dist is fresh when Turbopack starts
   - put the `.js` extensions back in packages/db source so NodeNext
     compilers (bot's tsc, packages/db's own tsc) are happy