The web service container only inherited NODE_ENV/DATABASE_URL/DATA_DIR/
MEDIA_DIR/WEB_PORT, so AUTH_SECRET (set in .env.development) was never
visible inside the container. Login bailed out with 'Server is not
configured for sign-in.' loginAction needs both keys to issue cookies,
and OPERATOR_TOKEN_VERSION defaults to 1 (the env-bump session
invalidator).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The Telegram bot phase ended in Plan 3 — the operator now signs in
via username + password. Migration 0011 drops the legacy column +
its unique index. seed.ts no longer reads SEED_OPERATOR_TELEGRAM_ID;
docker-compose.base.yml swaps the env to SEED_OPERATOR_USERNAME
(default 'admin'); .env.development follows. Settings page shows
'Username' instead of 'Operator ID'. Auth-and-prod-hardening plan
doc updated to drop the synthetic telegram_user_id from the
create-user CLI script and createUserAction insert.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
