On AnD0R the reverse-proxy lives on the 'backend' docker network; on
cloud.neuronetz.ai it's 'neuronetz_default'. With a hardcoded name the
cockpit ended up on a network the prod proxy couldn't see and routing
silently dropped. Network is now overridable via PSYC_PROXY_NETWORK in
.env (default 'backend' keeps dev working).
On prod, set PSYC_PROXY_NETWORK=neuronetz_default in .env before the
next compose up.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds the two env vars nginxproxy/acme-companion looks for to issue +
auto-renew the TLS cert for psyc.neuronetz.ai. LETSENCRYPT_EMAIL is
interpolated from the prod .env (LETSENCRYPT_EMAIL=...) with a sensible
fallback so dev / local deploys don't fail on the variable being unset.
.env.example documents the var.
Requires the proxy stack to (a) have acme-companion alongside
nginx-proxy with shared certs/vhost.d/html volumes and (b) publish :443.
psyc-side change only — no app code touched.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Three load-bearing operational pieces before any new features:
* .env.example committed, .env gitignored — per-developer API keys
(THREATFOX_AUTH_KEY, OTX_API_KEY, NVD_API_KEY) ready for the registrations
ahead; python-dotenv loads it in the venv CLI; compose picks it up via
env_file: .env on the cockpit service.
* Cockpit /api/inference-status endpoint + a topbar status chip that polls it
on page load — "model · live" green when up, "model · offline" amber when
the inference server is unreachable. No more manual checking. Compose also
gains a healthcheck on the inference service (applies on next recreate).
* New `psyc backup` command — tars the audit trail (db + sealed packages +
recipient keys + ledger + datasets) to data/backups/psyc-data-<ts>.tar.gz.
Excludes the HF model cache, mock-cert receipts, and the re-trainable
adapters — the goal is the irrecoverable evidence, not bulk artifacts.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
