FAC-104 to FAC-106 + VPS deployment infrastructure (#243)

* chore(docs): update roadmap

* FAC-104 feat: expose semester context for dean faculty evaluation flow (#233)

* feat: add GET /semesters/current endpoint for semester context

Expose a dedicated authenticated endpoint that returns the latest
active semester, unblocking the dean faculty evaluation flow on the
frontend. Any authenticated user can call this endpoint.

Closes #231

https://claude.ai/code/session_015zAeByh3G1YxLc6cEtniGn

* feat: rework to campus-aware GET /semesters listing endpoint

Replace GET /semesters/current (single semester) with GET /semesters
(full listing). Each semester now includes its campus (id, code, name)
so the frontend can resolve the correct semester for the user's campus
in the dean faculty evaluation flow.

https://claude.ai/code/session_015zAeByh3G1YxLc6cEtniGn

* feat: add optional campusId filter to GET /semesters

Allow filtering semesters by campus via ?campusId= query parameter.
When omitted, all semesters are returned.

https://claude.ai/code/session_015zAeByh3G1YxLc6cEtniGn

---------

Co-authored-by: Claude <noreply@anthropic.com>

* FAC-105 feat: report generation infrastructure — faculty evaluation PDF (#234)

* FAC-105 feat: report generation infrastructure — faculty evaluation PDF

Async PDF report generation via BullMQ + Puppeteer/Handlebars with
Cloudflare R2 storage and presigned download URLs. Supports single
and batch generation with scope-aware authorization, dedup guards,
and orphan protection.

Closes #232

* fix: resolve runtime issues in report generation pipeline

- Switch all raw SQL from $1 params to ? placeholders (em.execute()
  routes through Knex which only supports ? bindings)
- Wrap JS arrays with pgArray() helper for ANY(?) PostgreSQL queries
- Fix template path resolution (process.cwd() + dist/modules/ instead
  of __dirname which resolves to dist/src/)
- Add User entity to ReportsModule for RolesGuard DI resolution
- Include tech-spec artifact and MikroORM schema snapshot

* FAC-106 fix: resolve scope by category code instead of moodleCategoryId (#236)

The scope resolver matched departments/programs by moodleCategoryId,
which is semester-specific in Moodle's category tree. A Dean assigned
to a program-level category (depth 4) would never match any department
(depth 3), and even at the correct depth, querying a different semester
would fail because each semester creates new category IDs.

Fix scope resolution to navigate depth 4→3 via parentMoodleCategoryId
and match by code (consistent across semesters) instead of
moodleCategoryId. Add DEAN depth auto-resolution to the admin
assignment endpoint so future assignments always land at depth 3.

Closes #235

* feat: VPS deployment infrastructure

Add production Dockerfile (multi-stage), Docker Compose for VPS deployment
with staging/production profiles, Nginx reverse proxy config with SSL,
GitHub Actions CI/CD deploy workflow, environment templates, Postgres init
script with pgvector, and database backup script.

* fix: skip lifecycle scripts in production Docker stage

Husky prepare script fails in production stage since it's a dev
dependency. Using --ignore-scripts for the production npm ci.

* fix: correct dist entry point path in Dockerfile

NestJS build outputs to dist/src/main.js, not dist/main.js.

* fix: install Chromium in production Docker image for Puppeteer PDF generation

* fix: use runtime DNS resolution in Nginx for optional API containers

Nginx fails at startup when an upstream host doesn't exist. Using
variables with Docker's embedded DNS resolver (127.0.0.11) defers
resolution to request time, allowing staging and production to run
independently.

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: y4nder

.dockerignore

@@ -0,0 +1,17 @@
+node_modules
+dist
+.git
+.gitignore
+.env*
+!.env.*.sample
+test/
+coverage/
+*.md
+!package.json
+_bmad*/
+_bmad-output/
+docs/
+.github/
+mock-worker/
+.vscode/
+.idea/

.env.production.sample

@@ -0,0 +1,72 @@
+# ──────────────────────────────────────────────
+# Faculytics API — Production Environment
+# ──────────────────────────────────────────────
+# Copy to .env.production and fill in real values.
+# DATABASE_URL and REDIS_URL are set in docker-compose.deploy.yml
+# via environment overrides — do NOT set them here.
+# ──────────────────────────────────────────────
+
+# Server (PORT set via Compose — do not override here)
+# NODE_ENV set via Compose — do not override here
+
+# Moodle LMS
+MOODLE_BASE_URL=
+MOODLE_MASTER_KEY=
+
+# Authentication
+JWT_SECRET=
+REFRESH_SECRET=
+# JWT_ACCESS_TOKEN_EXPIRY=300s
+# JWT_REFRESH_TOKEN_EXPIRY=30d
+# JWT_BCRYPT_ROUNDS=10
+
+# CORS — production frontend URL
+CORS_ORIGINS=["https://faculytics.ctr3.org"]
+
+# OpenAI
+OPENAI_API_KEY=
+
+# ──────────────────────────────────────────────
+# Optional: Admin
+# ──────────────────────────────────────────────
+
+SUPER_ADMIN_USERNAME=superadmin
+SUPER_ADMIN_PASSWORD=changeme-use-a-strong-password
+
+# ──────────────────────────────────────────────
+# Optional: Moodle sync
+# ──────────────────────────────────────────────
+
+SYNC_ON_STARTUP=true
+# DISABLE_SYNC_CATEGORY_ON_STARTUP=false
+# MOODLE_SYNC_CONCURRENCY=3
+
+# ──────────────────────────────────────────────
+# Optional: Rate Limiting
+# ──────────────────────────────────────────────
+
+# THROTTLE_TTL_SECONDS=60
+# THROTTLE_LIMIT=60
+
+# ──────────────────────────────────────────────
+# Optional: Analysis workers
+# ──────────────────────────────────────────────
+
+# SENTIMENT_WORKER_URL=
+# BULLMQ_SENTIMENT_CONCURRENCY=3
+# EMBEDDINGS_WORKER_URL=
+# EMBEDDINGS_CONCURRENCY=3
+# TOPIC_MODEL_WORKER_URL=
+# TOPIC_MODEL_CONCURRENCY=1
+# RECOMMENDATIONS_CONCURRENCY=1
+# RECOMMENDATIONS_MODEL=gpt-4o-mini
+
+# ──────────────────────────────────────────────
+# Optional: Report Generation (R2 Storage)
+# ──────────────────────────────────────────────
+
+# CF_ACCOUNT_ID=
+# R2_ACCESS_KEY_ID=
+# R2_SECRET_ACCESS_KEY=
+# R2_BUCKET_NAME=faculytics-reports
+# REPORT_GENERATION_CONCURRENCY=2

.env.sample

@@ -93,3 +93,17 @@ OPENAI_API_KEY=
 # TOPIC_MODEL_CONCURRENCY=1
 # RECOMMENDATIONS_CONCURRENCY=1
 # RECOMMENDATIONS_MODEL=gpt-4o-mini
+
+# ──────────────────────────────────────────────
+# Optional: Report Generation (R2 Storage)
+# App starts without these — report endpoints return 503
+# ──────────────────────────────────────────────
+
+# CF_ACCOUNT_ID=
+# R2_ACCESS_KEY_ID=
+# R2_SECRET_ACCESS_KEY=
+# R2_BUCKET_NAME=faculytics-reports
+# REPORT_GENERATION_CONCURRENCY=2
+# REPORT_PRESIGNED_URL_EXPIRY_SECONDS=3600
+# REPORT_BATCH_MAX_SIZE=100
+# REPORT_RETENTION_DAYS=7

.env.staging.sample

@@ -0,0 +1,72 @@
+# ──────────────────────────────────────────────
+# Faculytics API — Staging Environment
+# ──────────────────────────────────────────────
+# Copy to .env.staging and fill in real values.
+# DATABASE_URL and REDIS_URL are set in docker-compose.deploy.yml
+# via environment overrides — do NOT set them here.
+# ──────────────────────────────────────────────
+
+# Server (PORT set via Compose — do not override here)
+# NODE_ENV set via Compose — do not override here
+
+# Moodle LMS
+MOODLE_BASE_URL=
+MOODLE_MASTER_KEY=
+
+# Authentication
+JWT_SECRET=
+REFRESH_SECRET=
+# JWT_ACCESS_TOKEN_EXPIRY=300s
+# JWT_REFRESH_TOKEN_EXPIRY=30d
+# JWT_BCRYPT_ROUNDS=10
+
+# CORS — staging frontend URL
+CORS_ORIGINS=["https://staging.faculytics.ctr3.org"]
+
+# OpenAI
+OPENAI_API_KEY=
+
+# ──────────────────────────────────────────────
+# Optional: Admin
+# ──────────────────────────────────────────────
+
+SUPER_ADMIN_USERNAME=superadmin
+SUPER_ADMIN_PASSWORD=changeme-staging
+
+# ──────────────────────────────────────────────
+# Optional: Moodle sync
+# ──────────────────────────────────────────────
+
+SYNC_ON_STARTUP=true
+# DISABLE_SYNC_CATEGORY_ON_STARTUP=false
+# MOODLE_SYNC_CONCURRENCY=3
+
+# ──────────────────────────────────────────────
+# Optional: Rate Limiting
+# ──────────────────────────────────────────────
+
+# THROTTLE_TTL_SECONDS=60
+# THROTTLE_LIMIT=60
+
+# ──────────────────────────────────────────────
+# Optional: Analysis workers
+# ──────────────────────────────────────────────
+
+# SENTIMENT_WORKER_URL=
+# BULLMQ_SENTIMENT_CONCURRENCY=3
+# EMBEDDINGS_WORKER_URL=
+# EMBEDDINGS_CONCURRENCY=3
+# TOPIC_MODEL_WORKER_URL=
+# TOPIC_MODEL_CONCURRENCY=1
+# RECOMMENDATIONS_CONCURRENCY=1
+# RECOMMENDATIONS_MODEL=gpt-4o-mini
+
+# ──────────────────────────────────────────────
+# Optional: Report Generation (R2 Storage)
+# ──────────────────────────────────────────────
+
+# CF_ACCOUNT_ID=
+# R2_ACCESS_KEY_ID=
+# R2_SECRET_ACCESS_KEY=
+# R2_BUCKET_NAME=faculytics-reports
+# REPORT_GENERATION_CONCURRENCY=2

.github/workflows/deploy.yml

@@ -0,0 +1,108 @@
+name: Deploy
+
+on:
+  push:
+    branches:
+      - staging
+      - master
+
+jobs:
+  deploy-staging:
+    name: Deploy to Staging
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/staging'
+    steps:
+      - name: Deploy via SSH
+        uses: appleboy/ssh-action@v1
+        with:
+          host: ${{ secrets.VPS_HOST }}
+          username: ${{ secrets.VPS_DEPLOY_USER }}
+          key: ${{ secrets.VPS_SSH_KEY }}
+          script: |
+            set -e
+            cd /opt/faculytics
+
+            echo "Fetching latest staging..."
+            git fetch origin staging
+
+            echo "Building staging image..."
+            mkdir -p /tmp/faculytics-build
+            git archive origin/staging | tar -x -C /tmp/faculytics-build
+            docker build -t faculytics-api:staging -f /tmp/faculytics-build/Dockerfile /tmp/faculytics-build
+            rm -rf /tmp/faculytics-build
+
+            echo "Deploying staging..."
+            docker compose -f docker-compose.deploy.yml --profile staging up -d api-staging
+
+            echo "Waiting for health check..."
+            sleep 15
+            if docker compose -f docker-compose.deploy.yml --profile staging ps api-staging | grep -q "(healthy)"; then
+              echo "Staging deploy successful!"
+            else
+              echo "Health check - checking API response..."
+              docker exec $(docker compose -f docker-compose.deploy.yml ps -q api-staging) node -e "fetch('http://localhost:5201/api/v1/health').then(r=>r.json()).then(console.log).catch(e=>{console.error(e);process.exit(1)})" || true
+              docker compose -f docker-compose.deploy.yml --profile staging logs --tail=50 api-staging
+              echo "WARNING: Health check inconclusive - check logs above"
+            fi
+
+            echo "Cleaning old images..."
+            docker system prune -f --filter "until=168h" || true
+
+      - name: Discord Notification
+        if: always()
+        uses: sarisia/actions-status-discord@v1
+        with:
+          webhook: ${{ secrets.DISCORD_WEBHOOK_URL }}
+          title: 'Staging Deploy'
+          description: '${{ job.status == ''success'' && ''Staging deployment succeeded'' || ''Staging deployment failed'' }}'
+          color: '${{ job.status == ''success'' && ''0x00ff00'' || ''0xff0000'' }}'
+
+  deploy-production:
+    name: Deploy to Production
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/master'
+    steps:
+      - name: Deploy via SSH
+        uses: appleboy/ssh-action@v1
+        with:
+          host: ${{ secrets.VPS_HOST }}
+          username: ${{ secrets.VPS_DEPLOY_USER }}
+          key: ${{ secrets.VPS_SSH_KEY }}
+          script: |
+            set -e
+            cd /opt/faculytics
+
+            echo "Fetching latest master..."
+            git fetch origin master
+
+            echo "Building production image..."
+            mkdir -p /tmp/faculytics-build
+            git archive origin/master | tar -x -C /tmp/faculytics-build
+            docker build -t faculytics-api:production -f /tmp/faculytics-build/Dockerfile /tmp/faculytics-build
+            rm -rf /tmp/faculytics-build
+
+            echo "Deploying production..."
+            docker compose -f docker-compose.deploy.yml --profile production up -d api-production
+
+            echo "Waiting for health check..."
+            sleep 15
+            if docker compose -f docker-compose.deploy.yml --profile staging ps api-production | grep -q "(healthy)"; then
+              echo "Production deploy successful!"
+            else
+              echo "Health check - checking API response..."
+              docker exec $(docker compose -f docker-compose.deploy.yml ps -q api-production) node -e "fetch('http://localhost:5200/api/v1/health').then(r=>r.json()).then(console.log).catch(e=>{console.error(e);process.exit(1)})" || true
+              docker compose -f docker-compose.deploy.yml --profile production logs --tail=50 api-production
+              echo "WARNING: Health check inconclusive - check logs above"
+            fi
+
+            echo "Cleaning old images..."
+            docker system prune -f --filter "until=168h" || true
+
+      - name: Discord Notification
+        if: always()
+        uses: sarisia/actions-status-discord@v1
+        with:
+          webhook: ${{ secrets.DISCORD_WEBHOOK_URL }}
+          title: 'Production Deploy'
+          description: '${{ job.status == ''success'' && ''Production deployment succeeded'' || ''Production deployment failed'' }}'
+          color: '${{ job.status == ''success'' && ''0x00ff00'' || ''0xff0000'' }}'

Dockerfile

@@ -0,0 +1,32 @@
+# Stage 1: Build
+FROM node:24-alpine AS build
+
+WORKDIR /app
+
+COPY package.json package-lock.json ./
+RUN npm ci
+
+COPY . .
+RUN npm run build
+
+# Stage 2: Production
+FROM node:24-alpine
+
+# Install Chromium for Puppeteer PDF generation
+RUN apk add --no-cache chromium nss freetype harfbuzz ca-certificates ttf-freefont
+
+ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
+ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true
+
+WORKDIR /app
+
+COPY package.json package-lock.json ./
+RUN npm ci --omit=dev --ignore-scripts
+
+COPY --from=build /app/dist ./dist
+
+ENV NODE_ENV=production
+
+EXPOSE 5200
+
+CMD ["node", "dist/src/main"]