Topology clarification:
- portal.gigafibre.ca = standalone nginx container serving /opt/client-app/
(the actual Vue SPA). This is the real customer portal.
- client.gigafibre.ca = ERPNext frontend (exposes Frappe's password login
form — dead-end UX, legacy MD5 attack surface).
Changes:
- apps/client/deploy.sh: target /opt/client-app/ directly with DEPLOY_BASE=/
(was uploading into ERPNext's /assets/client-app/, which nothing serves).
Atomic stage-and-swap + docker restart so the nginx bind-mount picks up
the new inode.
- apps/portal/traefik-client-portal.yml: replace per-path /login and /desk
blocks on client.gigafibre.ca with a catch-all 307 to portal.gigafibre.ca.
Old bookmarks, old invoice links, and in-flight SMS all end up on the
Vue SPA instead of Frappe's password page.
- apps/ops/package-lock.json: sync to include html5-qrcode transitive deps
so `npm ci` in deploy.sh works from a clean checkout.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
7ac9a582c6