Commit Graph

5 Commits

Author SHA1 Message Date
hsiegeln
37897f07c3 chore: remove all nJAMS references from the live site
All checks were successful
ci / build-test (push) Successful in 4m12s
Per Hendrik's direction, no nJAMS references on the website. The
founder pedigree claim now stands on the years and the customer
segment ("15 years building integration monitoring for banks,
insurers, and logistics operators") without naming a prior product.

Changes:
- src/components/sections/SocialProofStrip.astro: drop the
  ' · ex-nJAMS' suffix from the founder attribution; collapse the
  multi-step PENDING comment into a single-line founder-name TODO.
- src/components/sections/WhyUs.astro: drop the trademark-review
  comment (no longer relevant — the body text never named the
  prior product, only the comment did).
- OPERATOR-CHECKLIST.md: remove the 'Why us / nJAMS wording review'
  pre-publish task.  Also rename the adjacent 'MID-tier retention'
  TODO to 'Starter-tier retention' to match the relaunched tier
  taxonomy.
- docs/superpowers/specs/2026-04-25-cameleer-website-relaunch-design.md:
  update §4, §6.2, §12 to reflect the removed wording.  Only the
  founder-name placeholder remains as a pre-publish blocker.

Historical specs / plans under docs/superpowers/{specs,plans}/
keep their original wording — they're records of past decisions
and are not on the website.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 12:41:59 +02:00
hsiegeln
fa12df8ec6 chore(auth): redirect sign-in/sign-up to app.cameleer.io
All checks were successful
ci / build-test (push) Successful in 3m41s
ci / build-test (pull_request) Successful in 4m12s
Both auth flows now navigate to the app domain rather than the
auth.cameleer.io subdomain:

  PUBLIC_AUTH_SIGNIN_URL → https://app.cameleer.io/sign-in
  PUBLIC_AUTH_SIGNUP_URL → https://app.cameleer.io/sign-in?first_screen=register

Updated:
- .env.example (the canonical reference values)
- OPERATOR-CHECKLIST.md (deploy-time secret values)
- src/config/auth.test.ts (test fixtures)
- src/middleware.ts (CSP-comment about <a> navigation target)
- src/pages/privacy.astro (visitor-facing external-links section
  in §6 of the privacy policy)

The auth.ts validator stays strict-https — the new URLs are still
absolute https URLs, just on a different host.  Logto itself may
still run at auth.cameleer.io as the OIDC backend; only the
visitor-facing /sign-in entry point moved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 09:28:02 +02:00
hsiegeln
3a1fe5f2c7 docs+ci: own security headers at Cloudflare, drop dead .htaccess path
All checks were successful
ci / build-test (push) Successful in 3m33s
Hetzner Webhosting L runs Apache with AllowOverride None on the
user docroot, so file-based .htaccess is silently ignored — directives
in public/.htaccess never applied. Confirmed via direct-origin tests:
neither Header, Rewrite, nor FilesMatch fired regardless of the file
being present and readable.

The only origin-side override path on this tier is konsoleH's per-
directory Serverkonfiguration UI, which writes to a separate Apache
config file outside the user's filesystem (and thus outside any
deploy pipeline).

Make the architecture honest:
- Delete public/.htaccess (dead code Apache never reads).
- Remove the "Copy .htaccess into dist" CI step (now a no-op).
- Update deploy.yml header comment to point at Cloudflare for headers.
- Update OPERATOR-CHECKLIST.md §1 with the three Webhosting-L gotchas:
  port 222 for SSH, SFTP_PATH must match the actual vhost docroot
  (default is bare public_html/), and AllowOverride None.
- Update §5 to reflect manual workflow_dispatch (no auto-deploy on
  push) and 5-header expectation.
- Update README.md deploy section likewise.

Headers (HSTS, CSP, XFO, X-Content-Type-Options, Referrer-Policy,
Permissions-Policy) are now owned by Cloudflare Transform Rules,
documented in OPERATOR-CHECKLIST.md §2.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 23:04:09 +02:00
hsiegeln
93131461b8 Fix CI build: read PUBLIC_* values from secrets context, broaden TODO guard
Some checks failed
ci / build-test (push) Failing after 46s
- Switch ci.yml + deploy.yml env bindings from ${{ vars.* }} to
  ${{ secrets.* }}. Gitea lets you put non-sensitive Actions values in
  either tab, and the secrets tab was used in practice — workflow was
  reading the wrong context and getting empty strings.
- Broaden the "no TODO markers ship" guard to accept both TODO: and
  legacy TBD: prefixes, matching the imprint/privacy page markers that
  were recently renamed.
- Document the secret-vs-variable choice in OPERATOR-CHECKLIST so the
  next operator doesn't get tripped up by the same thing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 18:04:16 +02:00
hsiegeln
7e0d341c89 Add README and operator checklist for Hetzner + Cloudflare + Gitea setup
2026-04-24 17:25:53 +02:00