eng-pad-server
==============

Read-only sync and web viewer for [eng-pad](https://git.wntrmute.dev/kyle/eng-pad)
engineering notebooks.

The Android app pushes complete notebooks to this server via gRPC. The
server stores them and serves read-only views through a web UI with
SVG rendering. Shareable links allow unauthenticated access to specific
notebooks.

## Features

- **gRPC sync**: receive notebook data from the Android app over TLS
- **Web viewer**: browse notebooks, view pages as SVG, export JPG/PDF
- **Authentication**: password (Argon2id) + FIDO2/U2F security keys
- **Shareable links**: token-based URLs with optional expiry

## Quick Start

```bash
# Build
make eng-pad-server

# Generate example config
cp eng-pad-server.toml.example /srv/eng-pad-server/eng-pad-server.toml
# Edit configuration (TLS certs, database path, etc.)

# Initialize (creates database, prompts for admin user)
./eng-pad-server init -c /srv/eng-pad-server/eng-pad-server.toml

# Run
./eng-pad-server server -c /srv/eng-pad-server/eng-pad-server.toml
```

## Build

```bash
make all          # vet → lint → test → build
make test         # run tests
make lint         # golangci-lint
make proto        # regenerate gRPC code from .proto files
make proto-lint   # buf lint + breaking change detection
```

## User Management

```bash
# Create initial user (interactive — prompts for username and password)
eng-pad-server init -c /srv/eng-pad-server/eng-pad-server.toml

# Reset a user's password
eng-pad-server passwd <username> -c /srv/eng-pad-server/eng-pad-server.toml
```

## Deployment (deimos.wntrmute.net)

The production instance runs as a Docker container on deimos behind nginx.

- **Web UI**: `https://pad.metacircular.net` (nginx → container:8080)
- **REST API**: `https://pad.metacircular.net:8443` (direct TLS)
- **gRPC sync**: `pad.metacircular.net:9443` (direct TLS, for Android app)
- **Data**: `/srv/eng-pad-server/` on deimos
- **TLS**: Let's Encrypt cert, shared by nginx and the container

### Deploy workflow

```bash
# From local machine:
rsync -az --exclude='.git' --exclude='srv/' . deimos.wntrmute.net:/tmp/eng-pad-server-build/
ssh deimos.wntrmute.net "cd /tmp/eng-pad-server-build && \
  docker build -t eng-pad-server . && \
  docker stop eng-pad-server && docker rm eng-pad-server && \
  docker run -d --name eng-pad-server --restart unless-stopped \
    -p 127.0.0.1:8090:8080 -p 8443:8443 -p 9443:9443 \
    -v /srv/eng-pad-server:/srv/eng-pad-server eng-pad-server"
```

### Container management

```bash
# View logs
ssh deimos.wntrmute.net "docker logs eng-pad-server"

# Create/reset user
ssh -t deimos.wntrmute.net "docker exec -it eng-pad-server \
  eng-pad-server passwd kyle -c /srv/eng-pad-server/eng-pad-server.toml"

# Renew TLS certs (after certbot renews)
ssh deimos.wntrmute.net "sudo cp /etc/letsencrypt/live/pad.metacircular.net/{fullchain,privkey}.pem \
  /srv/eng-pad-server/certs/ && docker restart eng-pad-server"
```

## Documentation

- [ARCHITECTURE.md](ARCHITECTURE.md) — full system specification
- [CLAUDE.md](CLAUDE.md) — AI development context

## License

Private. All rights reserved.