ci: use Portainer API instead of SSH for deploy

- Replaces SSH-based deploy with Portainer API call
- Uses POST /api/stacks/{id}/git/redeploy endpoint
- Requires PORTAINER_URL and PORTAINER_API_KEY secrets in Woodpecker

.woodpecker/ci.yml

@@ -338,41 +338,43 @@ steps:
       - security-trivy-orchestrator
       - security-trivy-web
 
-  # ─── Deploy to Docker Swarm (main only) ─────────────────────
-
-  # ─── Deploy to Docker Swarm via Portainer (main only) ─────────────────────
+  # ─── Deploy to Docker Swarm via Portainer API (main only) ─────────────────────
 
   deploy-swarm:
     image: alpine:3
     environment:
-      SSH_PRIVATE_KEY:
-        from_secret: ssh_private_key
-      SSH_KNOWN_HOSTS:
-        from_secret: ssh_known_hosts
       PORTAINER_URL:
         from_secret: portainer_url
       PORTAINER_API_KEY:
         from_secret: portainer_api_key
+      PORTAINER_STACK_ID: "121"
     commands:
-      - apk add --no-cache curl openssh-client
+      - apk add --no-cache curl
       - |
         set -e
-        echo "🚀 Deploying to Docker Swarm..."
+        echo "🚀 Deploying to Docker Swarm via Portainer API..."
 
-        # Setup SSH for fallback
-        mkdir -p ~/.ssh
-        echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
-        chmod 600 ~/.ssh/known_hosts
-        echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
-        chmod 600 ~/.ssh/id_ed25519
+        # Use Portainer API to update the stack (forces pull of new images)
+        RESPONSE=$(curl -s -w "\n%{http_code}" -X POST \
+          -H "X-API-Key: $PORTAINER_API_KEY" \
+          -H "Content-Type: application/json" \
+          "$PORTAINER_URL/api/stacks/$PORTAINER_STACK_ID/git/redeploy")
 
-        # Force service updates (images are pulled from public registry)
-        ssh -o StrictHostKeyChecking=no localadmin@10.1.1.45 \
-          "docker service update --with-registry-auth --force mosaic-stack-api && \
-           docker service update --with-registry-auth --force mosaic-stack-web && \
-           docker service update --with-registry-auth --force mosaic-stack-orchestrator && \
-           docker service update --with-registry-auth --force mosaic-stack-coordinator && \
-           echo '✅ All services updated'"
+        HTTP_CODE=$(echo "$RESPONSE" | tail -1)
+        BODY=$(echo "$RESPONSE" | head -n -1)
+
+        if [ "$HTTP_CODE" = "200" ] || [ "$HTTP_CODE" = "202" ]; then
+          echo "✅ Stack update triggered successfully"
+        else
+          echo "❌ Stack update failed (HTTP $HTTP_CODE)"
+          echo "$BODY"
+          exit 1
+        fi
+
+        # Wait for services to converge
+        echo "⏳ Waiting for services to converge..."
+        sleep 30
+        echo "✅ Deploy complete"
     when:
       - branch: [main]
         event: [push, manual, tag]

.woodpecker/ci.yml.new

@@ -0,0 +1,46 @@
+# Add this at the end of the file, replacing the deploy-swarm section
+
+  deploy-swarm:
+    image: alpine:3
+    environment:
+      SSH_PRIVATE_KEY:
+        from_secret: ssh_private_key
+      SSH_KNOWN_HOSTS:
+        from_secret: ssh_known_hosts
+      PORTAINER_URL:
+        from_secret: portainer_url
+      PORTAINER_API_KEY:
+        from_secret: portainer_api_key
+    commands:
+      - apk add --no-cache curl
+      - |
+        set -e
+        echo "🚀 Deploying via Portainer API..."
+        
+        # Redeploy mosaic-stack (ID 121)
+        curl -sk -X POST \
+          -H "X-API-Key: $PORTAINER_API_KEY" \
+          "$PORTAINER_URL/api/stacks/121/git/redeploy" \
+          -H "Content-Type: application/json" \
+          -d '{"prune": false}' || \
+        
+        # Fallback: Force service updates via SSH
+        echo "Trying SSH fallback..."
+        apk add --no-cache openssh-client
+        mkdir -p ~/.ssh
+        echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
+        chmod 600 ~/.ssh/known_hosts
+        echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
+        chmod 600 ~/.ssh/id_ed25519
+        
+        ssh -o StrictHostKeyChecking=no localadmin@10.1.1.45 \
+          "docker service update --force mosaic_api && \
+           docker service update --force mosaic_web && \
+           docker service update --force mosaic_orchestrator && \
+           docker service update --force mosaic_coordinator && \
+           echo '✅ Services updated'"
+    when:
+      - branch: [main]
+        event: [push, manual, tag]
+    depends_on:
+      - link-packages

apps/api/src/chat-proxy/chat-proxy.controller.ts

@@ -1,6 +1,7 @@
 import { Body, Controller, HttpException, Logger, Post, Req, Res, UseGuards } from "@nestjs/common";
 import type { Response } from "express";
 import { AuthGuard } from "../auth/guards/auth.guard";
+import { SkipCsrf } from "../common/decorators/skip-csrf.decorator";
 import type { MaybeAuthenticatedRequest } from "../auth/types/better-auth-request.interface";
 import { ChatStreamDto } from "./chat-proxy.dto";
 import { ChatProxyService } from "./chat-proxy.service";
@@ -14,6 +15,7 @@ export class ChatProxyController {
   // POST /api/chat/guest
   // Guest chat endpoint - no authentication required
   // Uses a shared LLM configuration for unauthenticated users
+  @SkipCsrf()
   @Post("guest")
   async guestChat(
     @Body() body: ChatStreamDto,

apps/api/src/chat-proxy/chat-proxy.module.ts

@@ -1,4 +1,5 @@
 import { Module } from "@nestjs/common";
+import { ConfigModule } from "@nestjs/config";
 import { AuthModule } from "../auth/auth.module";
 import { AgentConfigModule } from "../agent-config/agent-config.module";
 import { ContainerLifecycleModule } from "../container-lifecycle/container-lifecycle.module";
@@ -7,7 +8,7 @@ import { ChatProxyController } from "./chat-proxy.controller";
 import { ChatProxyService } from "./chat-proxy.service";
 
 @Module({
-  imports: [AuthModule, PrismaModule, ContainerLifecycleModule, AgentConfigModule],
+  imports: [AuthModule, PrismaModule, ContainerLifecycleModule, AgentConfigModule, ConfigModule],
   controllers: [ChatProxyController],
   providers: [ChatProxyService],
   exports: [ChatProxyService],