fix: build, typecheck, eslint

.env

@@ -2,7 +2,7 @@
 NODE_ENV=production
 NEXT_PUBLIC_BASE_URL=https://klz-cables.com
 UMAMI_API_ENDPOINT=https://analytics.infra.mintel.me
-UMAMI_WEBSITE_ID=59a7db94-0100-4c7e-98ef-99f45b17f9c3
+NEXT_PUBLIC_UMAMI_WEBSITE_ID=59a7db94-0100-4c7e-98ef-99f45b17f9c3
 SENTRY_DSN=https://c10957d0182245b1a2a806ac2d34a197@errors.infra.mintel.me/1
 LOG_LEVEL=info
 

.env.production

@@ -26,15 +26,5 @@ MAIL_PASSWORD=
 MAIL_FROM=KLZ Cables <noreply@klz-cables.com>
 MAIL_RECIPIENTS=info@klz-cables.com
 
-# Strapi
-STRAPI_DATABASE_NAME=strapi
-STRAPI_DATABASE_USERNAME=strapi
-STRAPI_DATABASE_PASSWORD=
-APP_KEYS=
-API_TOKEN_SALT=
-ADMIN_JWT_SECRET=
-TRANSFER_TOKEN_SALT=
-JWT_SECRET=
-
 # Varnish Cache Size (optional)
 VARNISH_CACHE_SIZE=256m

.gitea/workflows/deploy.yml

@@ -29,6 +29,8 @@ jobs:
       image_tag:        ${{ steps.determine.outputs.image_tag }}
       env_file:         ${{ steps.determine.outputs.env_file }}
       traefik_host:     ${{ steps.determine.outputs.traefik_host }}
+      traefik_host_rule: ${{ steps.determine.outputs.traefik_host_rule }}
+      primary_host:     ${{ steps.determine.outputs.primary_host }}
       next_public_base_url: ${{ steps.determine.outputs.next_public_base_url }}
       directus_url:     ${{ steps.determine.outputs.directus_url }}
       directus_host:    ${{ steps.determine.outputs.directus_host }}
@@ -115,11 +117,23 @@ jobs:
             TARGET="skip"
           fi
 
+          if [[ "$TRAEFIK_HOST" == *","* ]]; then
+            # Multi-domain: Host(`a.com`) || Host(`b.com`)
+            TRAEFIK_HOST_RULE=$(echo "$TRAEFIK_HOST" | sed 's/,/ /g' | awk '{for(i=1;i<=NF;i++) printf "Host(`%s`)%s", $i, (i==NF?"":" || ")}')
+            PRIMARY_HOST=$(echo "$TRAEFIK_HOST" | cut -d',' -f1 | sed 's/ //g')
+          else
+            # Single domain: Host(`domain.com`)
+            TRAEFIK_HOST_RULE="Host(\`$TRAEFIK_HOST\`)"
+            PRIMARY_HOST="$TRAEFIK_HOST"
+          fi
+
           {
             echo "target=$TARGET"
             echo "image_tag=$IMAGE_TAG"
             echo "env_file=$ENV_FILE"
             echo "traefik_host=$TRAEFIK_HOST"
+            echo "traefik_host_rule=$TRAEFIK_HOST_RULE"
+            echo "primary_host=$PRIMARY_HOST"
             echo "next_public_base_url=$NEXT_PUBLIC_BASE_URL"
             echo "directus_url=$DIRECTUS_URL"
             echo "directus_host=$DIRECTUS_HOST"
@@ -198,16 +212,12 @@ jobs:
           IMAGE_TAG: ${{ needs.prepare.outputs.image_tag }}
           TARGET:    ${{ needs.prepare.outputs.target }}
           NEXT_PUBLIC_BASE_URL:          ${{ needs.prepare.outputs.next_public_base_url }}
-          UMAMI_WEBSITE_ID:  ${{ needs.prepare.outputs.target == 'production' && secrets.NEXT_PUBLIC_UMAMI_WEBSITE_ID  || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_NEXT_PUBLIC_UMAMI_WEBSITE_ID  || secrets.TESTING_NEXT_PUBLIC_UMAMI_WEBSITE_ID  || secrets.NEXT_PUBLIC_UMAMI_WEBSITE_ID) }}
-          UMAMI_API_ENDPOINT:  ${{ needs.prepare.outputs.target == 'production' && secrets.NEXT_PUBLIC_UMAMI_SCRIPT_URL  || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_NEXT_PUBLIC_UMAMI_SCRIPT_URL  || secrets.TESTING_NEXT_PUBLIC_UMAMI_SCRIPT_URL  || secrets.NEXT_PUBLIC_UMAMI_SCRIPT_URL) }}
           DIRECTUS_URL:                  ${{ needs.prepare.outputs.directus_url }}
         run: |
           docker buildx build \
             --pull \
             --platform linux/arm64 \
             --build-arg NEXT_PUBLIC_BASE_URL="$NEXT_PUBLIC_BASE_URL" \
-            --build-arg UMAMI_WEBSITE_ID="$UMAMI_WEBSITE_ID" \
-            --build-arg UMAMI_API_ENDPOINT="$UMAMI_API_ENDPOINT" \
             --build-arg NEXT_PUBLIC_TARGET="$TARGET" \
             --build-arg DIRECTUS_URL="$DIRECTUS_URL" \
             -t registry.infra.mintel.me/mintel/klz-cables.com:$IMAGE_TAG \
@@ -229,11 +239,11 @@ jobs:
       TARGET:               ${{ needs.prepare.outputs.target }}
       IMAGE_TAG:            ${{ needs.prepare.outputs.image_tag }}
       ENV_FILE:             ${{ needs.prepare.outputs.env_file }}
-      TRAEFIK_HOST:         ${{ needs.prepare.outputs.traefik_host }}
+      TRAEFIK_HOST:         ${{ needs.prepare.outputs.primary_host }}
       NEXT_PUBLIC_BASE_URL:          ${{ needs.prepare.outputs.next_public_base_url }}
-      UMAMI_WEBSITE_ID:  ${{ needs.prepare.outputs.target == 'production' && secrets.NEXT_PUBLIC_UMAMI_WEBSITE_ID  || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_NEXT_PUBLIC_UMAMI_WEBSITE_ID  || secrets.TESTING_NEXT_PUBLIC_UMAMI_WEBSITE_ID  || secrets.NEXT_PUBLIC_UMAMI_WEBSITE_ID) }}
+      UMAMI_WEBSITE_ID:    ${{ needs.prepare.outputs.target == 'production' && secrets.NEXT_PUBLIC_UMAMI_WEBSITE_ID  || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_NEXT_PUBLIC_UMAMI_WEBSITE_ID  || secrets.TESTING_NEXT_PUBLIC_UMAMI_WEBSITE_ID  || secrets.NEXT_PUBLIC_UMAMI_WEBSITE_ID) }}
       UMAMI_API_ENDPOINT:  ${{ needs.prepare.outputs.target == 'production' && secrets.NEXT_PUBLIC_UMAMI_SCRIPT_URL  || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_NEXT_PUBLIC_UMAMI_SCRIPT_URL  || secrets.TESTING_NEXT_PUBLIC_UMAMI_SCRIPT_URL  || secrets.NEXT_PUBLIC_UMAMI_SCRIPT_URL) }}
-      SENTRY_DSN:                    ${{ secrets.SENTRY_DSN                    || vars.SENTRY_DSN                    || (needs.prepare.outputs.target == 'production' && secrets.SENTRY_DSN                    || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_SENTRY_DSN                    || secrets.TESTING_SENTRY_DSN                    || secrets.SENTRY_DSN)) }}
+      SENTRY_DSN:          ${{ secrets.SENTRY_DSN || vars.SENTRY_DSN }}
       MAIL_HOST:                     ${{ secrets.MAIL_HOST || vars.MAIL_HOST || (needs.prepare.outputs.target == 'production' && (secrets.MAIL_HOST || vars.MAIL_HOST) || (needs.prepare.outputs.target == 'staging' && (secrets.STAGING_MAIL_HOST || vars.STAGING_MAIL_HOST) || (secrets.TESTING_MAIL_HOST || vars.TESTING_MAIL_HOST) || (secrets.MAIL_HOST || vars.MAIL_HOST))) }}
       MAIL_PORT:                     ${{ secrets.MAIL_PORT || vars.MAIL_PORT || (needs.prepare.outputs.target == 'production' && (secrets.MAIL_PORT || vars.MAIL_PORT) || (needs.prepare.outputs.target == 'staging' && (secrets.STAGING_MAIL_PORT || vars.STAGING_MAIL_PORT) || (secrets.TESTING_MAIL_PORT || vars.TESTING_MAIL_PORT) || (secrets.MAIL_PORT || vars.MAIL_PORT))) }}
       MAIL_USERNAME:                 ${{ secrets.MAIL_USERNAME || vars.MAIL_USERNAME || (needs.prepare.outputs.target == 'production' && (secrets.MAIL_USERNAME || vars.MAIL_USERNAME) || (needs.prepare.outputs.target == 'staging' && (secrets.STAGING_MAIL_USERNAME || vars.STAGING_MAIL_USERNAME) || (secrets.TESTING_MAIL_USERNAME || vars.TESTING_MAIL_USERNAME) || (secrets.MAIL_USERNAME || vars.MAIL_USERNAME))) }}
@@ -268,15 +278,19 @@ jobs:
           chmod 600 ~/.ssh/id_ed25519
           ssh-keyscan -H alpha.mintel.me >> ~/.ssh/known_hosts 2>/dev/null
 
+          # Generated by CI - $TARGET - $(date -u)
+          # Determine dynamic values before writing the file
+          LOG_LEVEL=$( [[ "$TARGET" == "testing" || "$TARGET" == "development" ]] && echo "debug" || echo "info" )
+          COOKIE_DOMAIN=.$(echo $NEXT_PUBLIC_BASE_URL | sed 's|https://||')
+
           cat > /tmp/klz-cables.env << EOF
           # Generated by CI - $TARGET - $(date -u)
-          NODE_ENV=production
+          IMAGE_TAG=$IMAGE_TAG
           NEXT_PUBLIC_BASE_URL=$NEXT_PUBLIC_BASE_URL
-          NEXT_PUBLIC_TARGET=$TARGET
           UMAMI_WEBSITE_ID=$UMAMI_WEBSITE_ID
           UMAMI_API_ENDPOINT=$UMAMI_API_ENDPOINT
           SENTRY_DSN=$SENTRY_DSN
-          LOG_LEVEL=$( [[ "$TARGET" == "testing" || "$TARGET" == "development" ]] && echo "debug" || echo "info" )
+          LOG_LEVEL=$LOG_LEVEL
           MAIL_HOST=$MAIL_HOST
           MAIL_PORT=$MAIL_PORT
           MAIL_USERNAME=$MAIL_USERNAME
@@ -300,14 +314,15 @@ jobs:
 
           TARGET=$TARGET
           SENTRY_ENVIRONMENT=$TARGET
-          IMAGE_TAG=$IMAGE_TAG
-          TRAEFIK_HOST=$TRAEFIK_HOST
-          ENV_FILE=$ENV_FILE
-          AUTH_MIDDLEWARE=$( [[ "$TARGET" == "production" ]] && echo "compress" || echo "${PROJECT_NAME}-auth,compress" )
           PROJECT_NAME=$PROJECT_NAME
-          COOKIE_DOMAIN=.$(echo $NEXT_PUBLIC_BASE_URL | sed 's|https://||')
+          COOKIE_DOMAIN=$COOKIE_DOMAIN
+          TRAEFIK_HOST=$TRAEFIK_HOST
           EOF
 
+          # Append complex variables that contain backticks using printf to avoid shell expansion hits
+          printf "AUTH_MIDDLEWARE=%s\n" "$( [[ "$TARGET" == "production" ]] && echo "${PROJECT_NAME}-compress" || echo "${PROJECT_NAME}-auth,${PROJECT_NAME}-compress" )" >> /tmp/klz-cables.env
+          printf "TRAEFIK_HOST_RULE='%s'\n" '${{ needs.prepare.outputs.traefik_host_rule }}' >> /tmp/klz-cables.env
+
           # 1. Cleanup and Create Directories on server BEFORE SCP
           ssh -o StrictHostKeyChecking=accept-new root@alpha.mintel.me bash << 'EOF'
             set -e

Dockerfile

@@ -25,18 +25,10 @@ ENV NEXT_TELEMETRY_DISABLED=1
 # Build-time environment variables for Next.js
 # These are baked into the client bundle during build
 ARG NEXT_PUBLIC_BASE_URL
-ARG NEXT_PUBLIC_BASE_URL
-ARG UMAMI_WEBSITE_ID
-ARG NEXT_PUBLIC_UMAMI_WEBSITE_ID
-ARG UMAMI_API_ENDPOINT
-ARG UMAMI_SCRIPT_URL
-ARG NEXT_PUBLIC_UMAMI_SCRIPT_URL
 ARG NEXT_PUBLIC_TARGET
 ARG DIRECTUS_URL
 
 ENV NEXT_PUBLIC_BASE_URL=$NEXT_PUBLIC_BASE_URL
-ENV UMAMI_WEBSITE_ID=${UMAMI_WEBSITE_ID:-$NEXT_PUBLIC_UMAMI_WEBSITE_ID}
-ENV UMAMI_API_ENDPOINT=${UMAMI_API_ENDPOINT:-${UMAMI_SCRIPT_URL:-$NEXT_PUBLIC_UMAMI_SCRIPT_URL}}
 ENV NEXT_PUBLIC_TARGET=$NEXT_PUBLIC_TARGET
 ENV DIRECTUS_URL=$DIRECTUS_URL
 

app/[locale]/layout.tsx

@@ -52,7 +52,7 @@ export default async function LocaleLayout({
           <CMSConnectivityNotice />
 
           {/* Sends pageviews for client-side navigations */}
-          <AnalyticsProvider websiteId={config.analytics.umami.websiteId} />
+          <AnalyticsProvider />
         </NextIntlClientProvider>
       </body>
     </html>

app/errors/api/relay/route.ts

@@ -0,0 +1,69 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { getServerAppServices } from '@/lib/services/create-services.server';
+import { config } from '@/lib/config';
+
+/**
+ * Smart Proxy / Relay for Sentry/GlitchTip events.
+ *
+ * This Route Handler receives Sentry envelopes from the client,
+ * injects the correct DSN if needed, and forwards them to the
+ * internal GlitchTip/Sentry instance.
+ *
+ * This hides the real DSN from the client and bypasses ad-blockers
+ * that target Sentry's default ingest endpoints.
+ */
+export async function POST(request: NextRequest) {
+  const services = getServerAppServices();
+  const logger = services.logger.child({ component: 'sentry-relay' });
+
+  try {
+    const envelope = await request.text();
+
+    // Sentry envelopes can contain multiple parts separated by newlines
+    const lines = envelope.split('\n');
+    if (lines.length < 1) {
+      return NextResponse.json({ error: 'Empty envelope' }, { status: 400 });
+    }
+
+    const header = JSON.parse(lines[0]);
+    const realDsn = config.errors.glitchtip.dsn;
+
+    if (!realDsn) {
+      logger.warn('Sentry relay received but no SENTRY_DSN configured on server');
+      return NextResponse.json({ status: 'ignored' }, { status: 200 });
+    }
+
+    const dsnUrl = new URL(realDsn);
+    const projectId = dsnUrl.pathname.replace('/', '');
+    const relayUrl = `${dsnUrl.protocol}//${dsnUrl.host}/api/${projectId}/envelope/`;
+
+    logger.debug('Relaying Sentry envelope', {
+      projectId,
+      host: dsnUrl.host,
+    });
+
+    const response = await fetch(relayUrl, {
+      method: 'POST',
+      body: envelope,
+      headers: {
+        'Content-Type': 'application/x-sentry-envelope',
+      },
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      logger.error('Sentry/GlitchTip API responded with error', {
+        status: response.status,
+        error: errorText.slice(0, 100),
+      });
+      return new NextResponse(errorText, { status: response.status });
+    }
+
+    return NextResponse.json({ status: 'ok' });
+  } catch (error) {
+    logger.error('Failed to relay Sentry request', {
+      error: (error as Error).message,
+    });
+    return NextResponse.json({ error: 'Internal Server Error' }, { status: 500 });
+  }
+}

app/stats/api/send/route.ts

@@ -0,0 +1,73 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { getServerAppServices } from '@/lib/services/create-services.server';
+import { config } from '@/lib/config';
+
+/**
+ * Smart Proxy for Umami Analytics.
+ *
+ * This Route Handler receives tracking events from the browser,
+ * injects the secret UMAMI_WEBSITE_ID, and forwards them to the
+ * internal Umami API endpoint.
+ *
+ * This ensures:
+ * 1. The Website ID is NOT leaked to the client bundle.
+ * 2. The Umami API endpoint is hidden behind our domain.
+ * 3. We have full control over the tracking data.
+ */
+export async function POST(request: NextRequest) {
+  const services = getServerAppServices();
+  const logger = services.logger.child({ component: 'umami-smart-proxy' });
+
+  try {
+    const body = await request.json();
+    const { type, payload } = body;
+
+    // Inject the secret websiteId from server config
+    const websiteId = config.analytics.umami.websiteId;
+    if (!websiteId) {
+      logger.warn('Umami tracking received but no Website ID configured on server');
+      return NextResponse.json({ status: 'ignored' }, { status: 200 });
+    }
+
+    // Prepare the enhanced payload with the secret ID
+    const enhancedPayload = {
+      ...payload,
+      website: websiteId,
+    };
+
+    const umamiEndpoint = config.analytics.umami.apiEndpoint;
+
+    // Log the event (internal only)
+    logger.debug('Forwarding analytics event', {
+      type,
+      url: payload.url,
+      website: websiteId.slice(0, 8) + '...',
+    });
+
+    const response = await fetch(`${umamiEndpoint}/api/send`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'User-Agent': request.headers.get('user-agent') || 'KLZ-Smart-Proxy',
+        'X-Forwarded-For': request.headers.get('x-forwarded-for') || '',
+      },
+      body: JSON.stringify({ type, payload: enhancedPayload }),
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      logger.error('Umami API responded with error', {
+        status: response.status,
+        error: errorText.slice(0, 100),
+      });
+      return new NextResponse(errorText, { status: response.status });
+    }
+
+    return NextResponse.json({ status: 'ok' });
+  } catch (error) {
+    logger.error('Failed to proxy analytics request', {
+      error: (error as Error).message,
+    });
+    return NextResponse.json({ error: 'Internal Server Error' }, { status: 500 });
+  }
+}

components/analytics/AnalyticsProvider.tsx

@@ -8,19 +8,12 @@ import { getAppServices } from '@/lib/services/create-services';
  * AnalyticsProvider Component
  *
  * Automatically tracks pageviews on client-side route changes.
- * This component should be placed inside your layout to handle navigation events.
+ * This component handles navigation events for the Umami analytics service.
  *
- * @param {Object} props - Component props
- * @param {string} [props.websiteId] - The Umami website ID (passed from server config)
- *
- * @example
- * ```tsx
- * // In your layout.tsx
- * const { websiteId } = config.analytics.umami;
- * <AnalyticsProvider websiteId={websiteId} />
- * ```
+ * Note: Website ID is now centrally managed on the server side via a proxy,
+ * so it's no longer needed as a prop here.
  */
-export default function AnalyticsProvider({ websiteId }: { websiteId?: string }) {
+export default function AnalyticsProvider() {
   const pathname = usePathname();
   const searchParams = useSearchParams();
 
@@ -31,14 +24,12 @@ export default function AnalyticsProvider({ websiteId }: { websiteId?: string })
     const url = `${pathname}${searchParams?.size ? `?${searchParams.toString()}` : ''}`;
 
     // Track pageview with the full URL
+    // The service will relay this to our internal proxy which injects the Website ID
     services.analytics.trackPageview(url);
 
-    if (process.env.NODE_ENV === 'development') {
-      console.log('[Umami] Tracked pageview:', url);
-    }
+    // Services like logger are already sub-initialized in getAppServices()
+    // so we don't need to log here manually.
   }, [pathname, searchParams]);
 
-  if (!websiteId) return null;
-
   return null;
 }

docker-compose.yml

@@ -25,31 +25,43 @@ services:
     labels:
       - "traefik.enable=true"
       # HTTP ⇒ HTTPS redirect
-      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-web.rule=Host(`${TRAEFIK_HOST}`) && !PathPrefix(`/.well-known/acme-challenge/`)"
+      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-web.rule=${TRAEFIK_HOST_RULE:-Host(`klz-cables.com`)}"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-web.entrypoints=web"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-web.middlewares=redirect-https"
-      # HTTPS router
-      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.rule=Host(`${TRAEFIK_HOST}`)"
+      # HTTPS router (Protected)
+      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.rule=${TRAEFIK_HOST_RULE:-Host(`klz-cables.com`)}"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.entrypoints=websecure"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.tls.certresolver=le"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.tls=true"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.service=${PROJECT_NAME:-klz-cables}"
+      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.middlewares=${PROJECT_NAME:-klz-cables}-ratelimit,${PROJECT_NAME:-klz-cables}-forward,${AUTH_MIDDLEWARE:-${PROJECT_NAME:-klz-cables}-compress}"
+
+      # HTTPS router (Unprotected - for Analytics & Errors)
+      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.rule=${TRAEFIK_HOST_RULE:-Host(`klz-cables.com`)} && PathPrefix(`/stats`, `/errors`)"
+      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.entrypoints=websecure"
+      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.tls.certresolver=le"
+      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.tls=true"
+      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.service=${PROJECT_NAME:-klz-cables}"
+      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.middlewares=${PROJECT_NAME:-klz-cables}-ratelimit,${PROJECT_NAME:-klz-cables}-forward,${PROJECT_NAME:-klz-cables}-compress"
+
       - "traefik.http.services.${PROJECT_NAME:-klz-cables}.loadbalancer.server.port=80"
       - "traefik.http.services.${PROJECT_NAME:-klz-cables}.loadbalancer.server.scheme=http"
-      # Forwarded Headers
-      - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-forward.headers.customrequestheaders.X-Forwarded-Proto=https"
-      - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-forward.headers.customrequestheaders.X-Forwarded-Ssl=on"
-      # Middlewares
-      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.middlewares=${PROJECT_NAME:-klz-cables}-ratelimit,${PROJECT_NAME:-klz-cables}-forward,${AUTH_MIDDLEWARE:-compress}"
       - "traefik.docker.network=infra"
 
+      # Middleware Definitions
+      - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-compress.compress=true"
+
       # Gatekeeper Router (to show the login page)
-      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.rule=Host(`gatekeeper.${TRAEFIK_HOST}`)"
+      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.rule=Host(`gatekeeper.${TRAEFIK_HOST:-klz-cables.com}`)"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.entrypoints=websecure"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.tls.certresolver=le"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.tls=true"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.service=${PROJECT_NAME:-klz-cables}-gatekeeper"
 
+      # Forwarded Headers
+      - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-forward.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-forward.headers.customrequestheaders.X-Forwarded-Ssl=on"
+
       # Middleware Definitions
       - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-ratelimit.ratelimit.average=100"
       - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-ratelimit.ratelimit.burst=50"
@@ -70,7 +82,7 @@ services:
       PORT: 3000
       COOKIE_DOMAIN: ${COOKIE_DOMAIN}
       AUTH_COOKIE_NAME: klz_gatekeeper_session
-      NEXT_PUBLIC_BASE_URL: https://gatekeeper.${TRAEFIK_HOST}
+      NEXT_PUBLIC_BASE_URL: https://gatekeeper.${TRAEFIK_HOST:-klz-cables.com}
       GATEKEEPER_PASSWORD: ${GATEKEEPER_PASSWORD:-klz2026}
     labels:
       - "traefik.enable=true"

lib/config.ts

@@ -35,11 +35,11 @@ function createConfig() {
 
     errors: {
       glitchtip: {
-        // Use SENTRY_DSN for both server and client (proxied)
         dsn: env.SENTRY_DSN,
-        // The proxied origin used in the frontend
         proxyPath: '/errors',
-        enabled: Boolean(env.SENTRY_DSN),
+        // On the client, we always enable it (it uses the tunnel / proxy defined in sentry.client.config.ts)
+        // On the server, we only enable it if the DSN is provided.
+        enabled: typeof window !== 'undefined' || Boolean(env.SENTRY_DSN),
       },
     },
 

lib/env.ts

@@ -82,11 +82,8 @@ export function getRawEnv() {
     NODE_ENV: process.env.NODE_ENV,
     NEXT_PUBLIC_BASE_URL: process.env.NEXT_PUBLIC_BASE_URL,
     NEXT_PUBLIC_TARGET: process.env.NEXT_PUBLIC_TARGET,
-    UMAMI_WEBSITE_ID: process.env.UMAMI_WEBSITE_ID || process.env.NEXT_PUBLIC_UMAMI_WEBSITE_ID,
-    UMAMI_API_ENDPOINT:
-      process.env.UMAMI_API_ENDPOINT ||
-      process.env.UMAMI_SCRIPT_URL ||
-      process.env.NEXT_PUBLIC_UMAMI_SCRIPT_URL,
+    UMAMI_WEBSITE_ID: process.env.UMAMI_WEBSITE_ID,
+    UMAMI_API_ENDPOINT: process.env.UMAMI_API_ENDPOINT,
     SENTRY_DSN: process.env.SENTRY_DSN,
     LOG_LEVEL: process.env.LOG_LEVEL,
     MAIL_HOST: process.env.MAIL_HOST,

lib/mail/mailer.test.ts

@@ -47,7 +47,7 @@ describe('mailer', () => {
       });
 
       expect(result.success).toBe(false);
-      expect((result.error as Error).message).toContain('MAIL_HOST is not configured');
+      expect(result.error).toContain('MAIL_HOST is not configured');
 
       // Restore host
       (config.mail as any).host = originalHost;

lib/services/analytics/umami-analytics-service.ts

@@ -1,5 +1,6 @@
 import type { AnalyticsEventProperties, AnalyticsService } from './analytics-service';
 import { config } from '../../config';
+import type { LoggerService } from '../logging/logger-service';
 
 /**
  * Configuration options for UmamiAnalyticsService.
@@ -18,56 +19,94 @@ export type UmamiAnalyticsServiceOptions = {
  *
  * In the browser, it gathers standard metadata (screen, language, referrer)
  * and sends it to the proxied '/stats/api/send' endpoint.
+ * On the server, it sends directly to the internal Umami API.
  */
 export class UmamiAnalyticsService implements AnalyticsService {
   private websiteId?: string;
   private endpoint: string;
+  private logger: LoggerService;
 
-  constructor(private readonly options: UmamiAnalyticsServiceOptions) {
+  constructor(
+    private readonly options: UmamiAnalyticsServiceOptions,
+    logger: LoggerService,
+  ) {
     this.websiteId = config.analytics.umami.websiteId;
+    this.logger = logger.child({ component: 'analytics-umami' });
 
     // On server, use the full internal URL; on client, use the proxied path
     this.endpoint = typeof window === 'undefined' ? config.analytics.umami.apiEndpoint : '/stats';
+
+    this.logger.debug('Umami service initialized', {
+      enabled: this.options.enabled,
+      websiteId: this.websiteId ? 'configured' : 'not configured (client-side proxy mode)',
+      endpoint: this.endpoint,
+    });
   }
 
   /**
    * Internal method to send the payload to Umami API.
    */
   private async sendPayload(type: 'event', data: Record<string, any>) {
-    if (!this.options.enabled || !this.websiteId) return;
+    if (!this.options.enabled) return;
+
+    // On the client, we don't need the websiteId (it's injected by the server-side proxy handler).
+    // On the server, we need it because we're calling the Umami API directly.
+    const isClient = typeof window !== 'undefined';
+
+    if (!isClient && !this.websiteId) {
+      this.logger.warn('Umami tracking called on server but no Website ID configured');
+      return;
+    }
 
     try {
       const payload = {
         website: this.websiteId,
-        hostname: typeof window !== 'undefined' ? window.location.hostname : 'server',
-        screen:
-          typeof window !== 'undefined'
-            ? `${window.screen.width}x${window.screen.height}`
-            : undefined,
-        language: typeof window !== 'undefined' ? navigator.language : undefined,
-        referrer: typeof window !== 'undefined' ? document.referrer : undefined,
+        hostname: isClient ? window.location.hostname : 'server',
+        screen: isClient ? `${window.screen.width}x${window.screen.height}` : undefined,
+        language: isClient ? navigator.language : undefined,
+        referrer: isClient ? document.referrer : undefined,
         ...data,
       };
 
-      const response = await fetch(`${this.endpoint}/api/send`, {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json',
-          'User-Agent': typeof window === 'undefined' ? 'KLZ-Server' : navigator.userAgent,
-        },
-        body: JSON.stringify({ type, payload }),
-        // Use keepalive for page navigation events to ensure they complete
-        keepalive: true,
-      } as any);
+      this.logger.trace('Sending analytics payload', { type, url: data.url });
 
-      if (!response.ok && process.env.NODE_ENV === 'development') {
-        const errorText = await response.text();
-        console.warn(`[Umami] API responded with ${response.status}: ${errorText}`);
+      // Add a timeout to prevent hanging requests
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), 10000); // 10s timeout
+
+      try {
+        const response = await fetch(`${this.endpoint}/api/send`, {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            'User-Agent': isClient ? navigator.userAgent : 'KLZ-Server',
+          },
+          body: JSON.stringify({ type, payload }),
+          keepalive: true,
+          signal: controller.signal,
+        } as any);
+
+        clearTimeout(timeoutId);
+
+        if (!response.ok) {
+          const errorText = await response.text();
+          this.logger.warn('Umami API responded with error', {
+            status: response.status,
+            error: errorText.slice(0, 100),
+          });
+        }
+      } catch (fetchError) {
+        clearTimeout(timeoutId);
+        if ((fetchError as Error).name === 'AbortError') {
+          this.logger.error('Umami request timed out');
+        } else {
+          throw fetchError;
+        }
       }
     } catch (error) {
-      if (process.env.NODE_ENV === 'development') {
-        console.error('[Umami] Failed to send analytics:', error);
-      }
+      this.logger.error('Failed to send analytics', {
+        error: (error as Error).message,
+      });
     }
   }
 

lib/services/create-services.server.ts

@@ -31,7 +31,7 @@ export function getServerAppServices(): AppServices {
   });
 
   const analytics = config.analytics.umami.enabled
-    ? new UmamiAnalyticsService({ enabled: true })
+    ? new UmamiAnalyticsService({ enabled: true }, logger)
     : new NoopAnalyticsService();
 
   if (config.analytics.umami.enabled) {
@@ -55,7 +55,7 @@ export function getServerAppServices(): AppServices {
   }
 
   const errors = config.errors.glitchtip.enabled
-    ? new GlitchtipErrorReportingService({ enabled: true }, notifications)
+    ? new GlitchtipErrorReportingService({ enabled: true }, logger, notifications)
     : new NoopErrorReportingService();
 
   if (config.errors.glitchtip.enabled) {

lib/services/create-services.ts

@@ -1,5 +1,6 @@
 import { AppServices } from './app-services';
 import { NoopAnalyticsService } from './analytics/noop-analytics-service';
+import { UmamiAnalyticsService } from './analytics/umami-analytics-service';
 import { MemoryCacheService } from './cache/memory-cache-service';
 import { GlitchtipErrorReportingService } from './errors/glitchtip-error-reporting-service';
 import { NoopErrorReportingService } from './errors/noop-error-reporting-service';
@@ -29,8 +30,7 @@ let singleton: AppServices | undefined;
  *
  * The services are configured based on environment variables:
  * - `UMAMI_WEBSITE_ID` - Enables Umami analytics
- * - `NEXT_PUBLIC_SENTRY_DSN` - Enables client-side error reporting
- * - `SENTRY_DSN` - Enables server-side error reporting
+ * - `SENTRY_DSN` - Enables error reporting (server-side direct, client-side via relay)
  *
  * @returns {AppServices} The application services singleton
  *
@@ -100,12 +100,8 @@ export function getAppServices(): AppServices {
   });
 
   // Create analytics service (Umami or no-op)
-  // Use dynamic import to avoid importing server-only code in client components
   const analytics = umamiEnabled
-    ? (() => {
-        const { UmamiAnalyticsService } = require('./analytics/umami-analytics-service');
-        return new UmamiAnalyticsService({ enabled: true });
-      })()
+    ? new UmamiAnalyticsService({ enabled: true }, logger)
     : new NoopAnalyticsService();
 
   if (umamiEnabled) {
@@ -114,9 +110,13 @@ export function getAppServices(): AppServices {
     logger.info('Noop analytics service initialized (analytics disabled)');
   }
 
+  // Create notification service
+  const notifications = new NoopNotificationService();
+  logger.info('Notification service initialized (noop)');
+
   // Create error reporting service (GlitchTip/Sentry or no-op)
   const errors = sentryEnabled
-    ? new GlitchtipErrorReportingService({ enabled: true })
+    ? new GlitchtipErrorReportingService({ enabled: true }, logger, notifications)
     : new NoopErrorReportingService();
 
   if (sentryEnabled) {
@@ -139,7 +139,6 @@ export function getAppServices(): AppServices {
   });
 
   // Create and cache the singleton
-  const notifications = new NoopNotificationService();
   singleton = new AppServices(analytics, errors, cache, logger, notifications);
 
   logger.info('All application services initialized successfully');

lib/services/errors/glitchtip-error-reporting-service.ts

@@ -5,6 +5,7 @@ import type {
   ErrorReportingUser,
 } from './error-reporting-service';
 import type { NotificationService } from '../notifications/notification-service';
+import type { LoggerService } from '../logging/logger-service';
 
 type SentryLike = typeof Sentry;
 
@@ -14,11 +15,16 @@ export type GlitchtipErrorReportingServiceOptions = {
 
 // GlitchTip speaks the Sentry protocol; @sentry/nextjs can send to GlitchTip via DSN.
 export class GlitchtipErrorReportingService implements ErrorReportingService {
+  private logger: LoggerService;
+
   constructor(
     private readonly options: GlitchtipErrorReportingServiceOptions,
+    logger: LoggerService,
     private readonly notifications?: NotificationService,
     private readonly sentry: SentryLike = Sentry,
-  ) {}
+  ) {
+    this.logger = logger.child({ component: 'error-reporting-glitchtip' });
+  }
 
   async captureException(error: unknown, context?: Record<string, unknown>) {
     if (!this.options.enabled) return undefined;

middleware.ts

@@ -62,5 +62,5 @@ export default function middleware(request: NextRequest) {
 
 export const config = {
   // Match only internationalized pathnames
-  matcher: ['/((?!api|_next|_vercel|health|.*\\..*).*)', '/', '/(de|en)/:path*'],
+  matcher: ['/((?!api|_next|_vercel|stats|errors|health|.*\\..*).*)', '/', '/(de|en)/:path*'],
 };

next.config.mjs

@@ -322,22 +322,9 @@ const nextConfig = {
     contentSecurityPolicy: "default-src 'self'; script-src 'none'; sandbox;",
   },
   async rewrites() {
-    const umamiUrl = (process.env.UMAMI_API_ENDPOINT || process.env.UMAMI_SCRIPT_URL || process.env.NEXT_PUBLIC_UMAMI_SCRIPT_URL || 'https://analytics.infra.mintel.me');
-    const glitchtipUrl = process.env.SENTRY_DSN
-      ? new URL(process.env.SENTRY_DSN).origin
-      : 'https://errors.infra.mintel.me';
-
     const directusUrl = process.env.INTERNAL_DIRECTUS_URL || process.env.DIRECTUS_URL || 'https://cms.klz-cables.com';
 
     return [
-      {
-        source: '/stats/:path*',
-        destination: `${umamiUrl}/:path*`,
-      },
-      {
-        source: '/errors/:path*',
-        destination: `${glitchtipUrl}/:path*`,
-      },
       {
         source: '/cms/:path*',
         destination: `${directusUrl}/:path*`,

package.json

@@ -74,7 +74,11 @@
     "typecheck": "tsc --noEmit",
     "test": "vitest run --passWithNoTests",
     "test:og": "vitest run tests/og-image.test.ts",
-    "cms:bootstrap": "DIRECTUS_URL=http://localhost:8055 npx tsx --env-file=.env scripts/setup-directus-branding.ts",
+    "cms:branding:local": "DIRECTUS_URL=http://localhost:8055 npx tsx --env-file=.env scripts/setup-directus-branding.ts",
+    "cms:branding:testing": "DIRECTUS_URL=https://cms.testing.klz-cables.com npx tsx --env-file=.env scripts/setup-directus-branding.ts",
+    "cms:branding:staging": "DIRECTUS_URL=https://cms.staging.klz-cables.com npx tsx --env-file=.env scripts/setup-directus-branding.ts",
+    "cms:branding:prod": "DIRECTUS_URL=https://cms.klz-cables.com npx tsx --env-file=.env scripts/setup-directus-branding.ts",
+    "cms:bootstrap": "npm run cms:branding:local",
     "pdf:datasheets": "tsx ./scripts/generate-pdf-datasheets.ts",
     "pdf:datasheets:legacy": "tsx ./scripts/generate-pdf-datasheets-pdf-lib.ts",
     "cms:push:staging": "./scripts/sync-directus.sh push staging",

scripts/setup-directus-branding.ts

@@ -124,14 +124,31 @@ async function setupBranding() {
             --v-input-border-radius: 12px !important;
             --v-input-background-color: #f8f9fa !important;
         }
+
+        /* Inject Headline via CSS to avoid raw HTML display in public_note */
+        .public-view .form::before {
+            content: 'Sustainable Energy. Industrial Reliability.';
+            display: block;
+            text-align: center;
+            font-size: 18px;
+            font-weight: 700;
+            color: #ffffff;
+            margin-bottom: 8px;
+        }
+
+        .public-view .form::after {
+            content: 'KLZ INFRASTRUCTURE ENGINE';
+            display: block;
+            text-align: center;
+            font-size: 11px;
+            font-weight: 600;
+            letter-spacing: 0.1em;
+            color: rgba(255, 255, 255, 0.5);
+            margin-top: 24px;
+        }
         `;
 
-    const publicNote = `
-        <div style="font-family: 'Inter', sans-serif; text-align: center; margin-top: 24px;">
-            <p style="color: rgba(255,255,255,0.7); font-size: 14px; margin-bottom: 4px; font-weight: 500;">KLZ INFRASTRUCTURE ENGINE</p>
-            <h1 style="color: #ffffff; font-size: 18px; font-weight: 700; margin: 0;">Sustainable Energy. <span style="color: #82ed20;">Industrial Reliability.</span></h1>
-        </div>
-        `;
+    const publicNote = '';
 
     await client.request(
       updateSettings({

sentry.client.config.ts

@@ -1,13 +1,19 @@
 import * as Sentry from '@sentry/nextjs';
 
-const dsn = process.env.SENTRY_DSN;
+// We use a placeholder DSN on the client because the real DSN is injected
+// by our server-side relay at /errors/api/relay.
+// This keeps our environment clean of NEXT_PUBLIC_ variables.
+const CLIENT_DSN = 'https://public@errors.infra.mintel.me/1';
 
 Sentry.init({
-  dsn,
-  enabled: Boolean(dsn),
+  dsn: CLIENT_DSN,
+  // Relay events through our own server to hide the real DSN and bypass ad-blockers
+  tunnel: '/errors/api/relay',
+
+  // Enable even if no DSN is provided, because we have the tunnel
+  enabled: true,
+
   tracesSampleRate: 0,
-  // AdjustingreplaysOnErrorSampleRate to 1.0 to capture 100% of errors with replays if enabled
   replaysOnErrorSampleRate: 1.0,
   replaysSessionSampleRate: 0.1,
 });
-