- Simplify flows.zh-CN.md to an entry + quick reference, add "Quick Navigation" and in-depth reading links, original sections 6/7/9/10 are retained in the entry page with titles but changed to links.
- Add in-depth reading sub-document:
- docs/ai-playbook/flows/frontend.zh-CN.md
- docs/ai-playbook/flows/backpressure-chunking.zh-CN.md
- docs/ai-playbook/flows/resume.zh-CN.md
- docs/ai-playbook/flows/reconnect-consistency.zh-CN.md
- docs/ai-playbook/index.zh-CN.md add "Process (In-depth reading split)" index
- Add multi-language post “Cached ID reconnect: auto rejoin and resume”:
zh, en, ja, ko, de, fr, es under: frontend/content/blog/cached-id-reconnect/*.mdx
- Include cover asset: frontend/public/blog-assets/cached-id-reconnect.webp
- Describe receiver auto-join, reconnect workflow, and resume behavior.
- Tag with WebRTC/P2P/reconnect for discoverability.
- Receiver: auto-fill and join on Retrieve tab when input empty, not in room, no URL roomId, and cachedId exists (ClipboardApp + roomIdCache)
- Sender: “Use cached ID” now immediately joins the room (add onUseCached + disabled to CachedIdActionButton; wire in SendTabPanel)
- UI: add ThemeToggle and integrate into Header (desktop and mobile)
- Styles: replace hardcoded white with design tokens in Retrieve panel (bg-card/text-card-foreground) for dark mode
- Docs: update AI playbook flows and code-map
- Add Messages.meta.blog and text.blog (BlogTexts) to types/messages
- Update all locales with blog UI strings and meta.blog
- Localize blog list, tag pages, and article detail (titles, labels, dates)
- Pass messages to ArticleListItem; TableOfContents supports localized title
- Use dictionary-based metadata; alternates cover all supported locales
- Sitemap: include /[lang]/blog/tag/{tag} and set blog list lastModified to newest post
- JSON-LD: hardcode site URL in getSiteUrl() for consistency
- Attempt reconnection on 'disconnected' | 'failed' | 'closed' states (BaseWebRTC)
- Relax gating: rejoin when roomId exists and any of isPeerDisconnected, isSocketDisconnected, or socketId changed
- Auto re-join room on socket 'connect' if lastJoinedSocketId differs or not in room; send initiator-online for initiators
- Track lastJoinedSocketId after successful join and reset isInRoom when socketId changes to bypass early-return
- Update flows to document mobile background/foreground reconnection and socketId-based rejoin
- Move from flat file structure (privydrop-open-source-en.mdx) to nested structure (privydrop-open-source/en.mdx)
- Update blog.ts to handle new directory-based file organization
- Update duplicate room ID messages across all languages for better clarity
- Enhance cached ID tips with double-click save mode functionality
- Add image optimization cache configuration to Nginx
- Document production environment variable sync requirements
- Add NEXT_IMAGE_UNOPTIMIZED to production config
- Return success=true when room exists and roomId length >= 8 (no TTL refresh)
- Keep short IDs (<8) strict: duplicates still fail
- No Redis schema changes; TTL refresh remains on successful socket join
- Fix duplicate warning when sender rejoins with cached long ID
- Add generic JSON-LD injector component and builders
- components/seo/JsonLd.tsx
- lib/seo/jsonld.ts
- Inject Organization and WebSite JSON-LD globally in [lang]/layout
- Inject WebApplication JSON-LD on the localized home page
- Localize description/url/inLanguage and set alternateName ["PrivyDrop", "PrivyDrop APP"]
- Inject FAQPage JSON-LD only on /[lang]/faq (not on home)
- Build Q&A from messages.text.faqs
- Inject BlogPosting + BreadcrumbList on blog post pages
- Use frontmatter.cover as image, localized breadcrumbs
Notes
- Use stable @id anchors (/#organization, /#website, /[lang]#app, /[lang]/blog/[slug]#post)
- Respect multi-language setup across en/zh/ja/es/de/fr/ko
- SameAs limited to GitHub and X as provided
- Site URL resolved via NEXT_PUBLIC_SITE_URL or defaults to https://www.privydrop.app
- Use "bash ./deploy.sh" consistently across docs
- Prefer "docker compose" (Compose v2) and update examples accordingly
- Public mode: recommend "--with-nginx" for same-origin gateway
- Access: document Nginx (same-origin) vs direct ports; update HTTPS endpoints (lan-tls 8443, full 443)
- Health checks: add same-origin /api examples
- Add notes on NEXT_IMAGE_UNOPTIMIZED in Docker and same-origin behavior when --with-nginx is enabled
- Fix bare-metal docs cross-links to Docker guides
- generate-config.sh: in lan-tls without HTTPS, set NEXT_PUBLIC_API_URL empty when WITH_NGINX=true so frontend uses relative /api and /socket.io; widen CORS origins to include http://localhost and http://<LOCAL_IP>
- deploy.sh: pass --with-nginx to config generator for consistency
- generate-config.sh: add --with-nginx flag handling; when enabled, set NEXT_PUBLIC_API_URL empty to use same-origin /api and /socket.io; add BACKEND_INTERNAL_URL for SSR/internal fetch; adjust lan-tls HTTPS (8443) and TLS generation policy
- deploy.sh: show only valid access URLs when Nginx is enabled (gateway URLs), avoid misleading :3002/:3001 entries
- frontend (env/webrtc): return mutable transports [websocket,polling]; use empty signaling server for same-origin; comments in English
- frontend (next.config): support NEXT_IMAGE_UNOPTIMIZED to turn off image optimization in Docker
- frontend (health): prefer BACKEND_INTERNAL_URL for internal health checks, fallback to public URL/localhost
- docker-compose + Dockerfile(frontend): pass NEXT_IMAGE_UNOPTIMIZED and BACKEND_INTERNAL_URL envs
- New modes: lan-http, lan-tls (self-signed), public, full
- Add flags: --no-sni443, --enable-web-https (lan-tls), --test-renewal
- generate-config: lan-tls HTTPS on 8443 only when explicitly enabled; HSTS only in full; SNI 443 default in full
- detect-environment: remove interactive prompt; adjust public description to 'HTTP + TURN'
- deploy.sh: pass new flags, add certbot scheduler (systemd timer or cron fallback), add dry-run renewal test
- Docs (EN/zh-CN): update quick start, modes overview, LAN TLS guidance, LE auto-issue/renew section
- deploy.sh: replace verbose public domain test instructions with a single docs link
- docker/scripts/generate-config.sh: remove 'Intranet with TURN quick tip' from help; add docs pointers
- docs(zh/EN): add 'Modes Overview', add 'Private LAN + TURN' quick start example, add 'Domain + Self-signed' and 'Public Domain Quick Test' sections; note LE auto-issue/renew and SNI 443 default in full mode
- DEPLOYMENT_docker.md/zh-CN: Add top Quick Start (private/public/full), Let’s Encrypt auto issue/renew (webroot, zero downtime), SNI 443 default for full+domain, common flags (--with-sni443, --turn-port-range, --le-email), replace docker-compose with docker compose.
- README.md/zh-CN: Promote Docker one-click section to top and link to docs.
- DEPLOYMENT.md/zh-CN: Add audience/scope notice; point to Docker docs for recommended path.
- ROADMAP.md/zh-CN: Record recently completed (Docker, LE, SNI, TURN).
- docker/scripts/generate-config.sh
- Add --enable-sni443/--no-sni443 flags; default enable in full+domain.
- Generate Nginx stream{} with ssl_preread SNI routing: turn.<domain> -> coturn:5349; others -> web:8443.
- When SNI is enabled, serve HTTPS on 8443 (http layer); otherwise keep 443.
- deploy.sh:
- Add --with-sni443 and propagate to config generation and LE provisioning.
- No compose changes required; 8443 remains internal.
- Notes:
- Backward compatible. SNI is auto-enabled for full+domain, can be toggled with flags.
- Leverages existing LE automation and TURN cert reuse.
- generate-config.sh
- Add flags: --no-clean, --reset-ssl, --ssl-mode (letsencrypt|self-signed|provided)
- Stop deleting docker/ssl by default; only wipe on explicit --reset-ssl
- Inject ACME webroot route into HTTP (80) server; create docker/letsencrypt-www
- Default SSL_MODE: full=letsencrypt, private/public=self-signed
- Add enable_https_if_cert_present: append 443 server only when server-cert.pem/server-key.pem exist
- Keep self-signed path generating HTTPS immediately (non-basic)
- docker-compose.yml
- Mount ./docker/letsencrypt-www:/var/www/certbot:ro for Nginx ACME challenges
- deploy.sh
- Add --le-email for Let’s Encrypt account email
- Auto-install certbot once (apt-get) and enable systemd timer if available
- Install deploy hook at /etc/letsencrypt/renewal-hooks/deploy/privydrop-reload.sh to:
- Copy renewed certs into docker/ssl
- Hot-reload Nginx; HUP or restart coturn
- First-time issuance (webroot) for <domain> and turn.<domain> after Nginx:80 is up; copy certs
- Re-run generate-config with --no-clean --ssl-mode letsencrypt to enable 443, then reload Nginx
- Behavior changes
- Full mode prefers Let’s Encrypt by default; HTTPS gets enabled as soon as certs exist
- docker/ssl is no longer wiped by config generation
- Notes
- SNI-based turns:443 is not implemented yet (planned)
- Backward compatible with private/public (self-signed)
- deploy.sh: show public endpoints (domain/public IP only); add TURN info (domain/public IP); prepend logs chmod 777; append HTTPS+Nginx quick-test tips.
- generate-config.sh: fix public/full CORS and NEXT_PUBLIC_API_URL; prefer PUBLIC_IP for TURN host when no domain; update help text.
- Switch all CLI examples to Docker Compose V2 (docker compose) for consistency.
- Add explicit instruction to grant write permissions to the host logs/ directory (chmod 777 -R logs) to fix coturn/nginx bind-mount logging errors.
- Parameterize TURN UDP port range via TURN_MIN_PORT/TURN_MAX_PORT and set a safer default 49152-49252 to reduce startup/cleanup overhead and port
conflicts.
- Update troubleshooting with coturn log write failure guidance and port conflict hints.
- Clarify that LAN IP is auto-detected in private mode; --local-ip is no longer needed by default but remains as an override for edge cases.
Test steps:
bash docker/scripts/generate-config.sh --mode private [--local-ip 192.168.0.113]
bash ./deploy.sh --mode private
Front-end directly inlines NEXT_PUBLIC_API_URL, directly connecting to the backend.
CORS (production) supports comma-separated multiple origins, with localhost and local network IPs included by default.
david_bai