refactor(config): move version from compose.version to runtime.version (#1770)

* refactor(config): move version from compose.version to runtime.version

Consolidates the Docker image version field into the existing runtime
section, eliminating the standalone compose block. Updates the Zod
schema, all example YAML files, the self-host installer (read + write
paths), the staging deploy workflow, and docs. Also renames SSH_KEY to
SSH_PRIVATE_KEY in the staging workflow for clarity.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(config): reorder runtime block fields to version, nodeEnv, logLevel, timezone

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(ci): omit replicaSetKey from generated config when secret is unset

Allows staging-cloud to skip MONGO_REPLICA_SET_KEY without writing an
empty field into compass.yaml. Uses ${VAR:+word} so staging-selfhosted
still writes the key when the secret is present.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs(config): clarify which keys are self-host only vs all installs

Normalises the runtime table to use the Required column convention,
marks mongo.username, mongo.password, and mongo.replicaSetKey as
Self-host (not Yes), and moves mongo.uri to the top of its table
since it is the only field required for all installs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(ci): omit supertokens postgres block from generated config when secret is unset

Same pattern as the replicaSetKey fix: uses \${VAR:+word} on each line
so staging-cloud can omit SUPERTOKENS_POSTGRES_PASSWORD without writing
empty fields into compass.yaml.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(ci): make Google Calendar channel expiration configurable per environment

Adds GCAL_NOTIFICATION_EXPIRATION_MIN as a workflow var that writes
channelExpirationMin into the generated compass.yaml. Omitted when unset
so environments without Google configured are unaffected.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(ci): replace hardcoded mongo URI with MONGO_URI secret

Removes the hardcoded mongodb://...staging_calendar connection string
so each environment can supply its own URI, matching how the hosted
staging environment is configured.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(ci): replace hardcoded SuperTokens URI with SUPERTOKENS_URI secret

Removes the docker-internal http://supertokens:3567 address so each
environment can point at its own SuperTokens instance (self-hosted
container or managed cloud).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(ci): split deploy logic into reusable workflow per environment

Extracts deploy steps into _deploy-environment.yml (workflow_call) which
takes tag and environment as inputs. deploy-staging.yml becomes a thin
caller with two jobs — staging-cloud and staging-selfhosted — each
resolving secrets from their own GitHub Environment.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(infra): use Docker Compose profiles to make local services optional

Tags mongo, supertokens, and supertokens-db with profiles: [selfhost]
so cloud environments skip those containers entirely. install.sh always
activates the selfhost profile. The deploy workflow passes COMPOSE_PROFILES
from a per-environment GitHub variable so staging-selfhosted gets the
full local stack and staging-cloud only runs web and backend.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(ci): add COMPOSE_GIT_REF override for testing pre-release compose changes

Defaults to RELEASE_TAG so production behaviour is unchanged. Set the
GitHub environment variable to a branch name to test compose.yaml or
the compass helper from that ref without cutting a new release.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(self-host): preserve empty COMPOSE_PROFILES from deploy workflow

The installer's set_compose_env unconditionally set COMPOSE_PROFILES=selfhost,
overwriting the empty string passed by the CI deploy workflow for cloud
environments. This caused mongo/supertokens to start on staging-cloud.

Use ${COMPOSE_PROFILES-selfhost} (no colon) so an explicitly empty string is
preserved — allowing cloud deploys to omit selfhost services — while still
defaulting to 'selfhost' when a human runs the installer directly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(ci): tear down all profiled services before deploy update

Docker Compose's --remove-orphans flag does not remove containers from
inactive profiles, so switching from COMPOSE_PROFILES=selfhost to an empty
set on a re-deploy left mongo/supertokens running on cloud environments.

Add an explicit 'compose down' with COMPOSE_PROFILES=selfhost before the
'compass update' step so all previously-started services are removed
before the new profile set is started.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(self-host): read helper version from runtime config (#1771)

* fix(self-host): default helper to selfhost profile (#1772)

* fix(codex): update hook syntax

* docs: update cli and server guide

* fix: resolve lint issues (#1774)

* fix(self-host): preserve default compose profile

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Ugur Armagan <ugurarmagan93@gmail.com>

Author: 3 people

.codex/config.toml

@@ -1,5 +1,5 @@
 [features]
-codex_hooks = true
+hooks = true
 goals = true
 
 

.github/workflows/_deploy-environment.yml

@@ -0,0 +1,97 @@
+name: Deploy to environment
+
+on:
+  workflow_call:
+    inputs:
+      tag:
+        description: 'Release tag being deployed, such as v1.2.3'
+        required: true
+        type: string
+      environment:
+        description: 'GitHub Environment to deploy to'
+        required: true
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    name: Deploy ${{ inputs.tag }} to ${{ inputs.environment }}
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+
+    steps:
+      - name: Deploy release to ${{ inputs.environment }}
+        env:
+          # Non-sensitive
+          BACKEND_API_URL: ${{ vars.BACKEND_API_URL }}
+          COMPOSE_GIT_REF: ${{ vars.COMPOSE_GIT_REF }}
+          COMPOSE_PROFILES: ${{ vars.COMPOSE_PROFILES }}
+          FRONTEND_URL: ${{ vars.FRONTEND_URL }}
+          GCAL_NOTIFICATION_EXPIRATION_MIN: ${{ vars.GCAL_NOTIFICATION_EXPIRATION_MIN }}
+          GOOGLE_CLIENT_ID: ${{ vars.GOOGLE_CLIENT_ID }}
+          RELEASE_TAG: ${{ inputs.tag }}
+          SSH_HOST: ${{ vars.SSH_HOST }}
+          SSH_USER: ${{ vars.SSH_USER }}
+          # Sensitive
+          COMPASS_SYNC_TOKEN: ${{ secrets.COMPASS_SYNC_TOKEN }}
+          GCAL_NOTIFICATION_TOKEN: ${{ secrets.GCAL_NOTIFICATION_TOKEN }}
+          GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
+          MONGO_PASSWORD: ${{ secrets.MONGO_PASSWORD }}
+          MONGO_REPLICA_SET_KEY: ${{ secrets.MONGO_REPLICA_SET_KEY }}
+          MONGO_URI: ${{ secrets.MONGO_URI }}
+          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          SUPERTOKENS_KEY: ${{ secrets.SUPERTOKENS_KEY }}
+          SUPERTOKENS_POSTGRES_PASSWORD: ${{ secrets.SUPERTOKENS_POSTGRES_PASSWORD }}
+          SUPERTOKENS_URI: ${{ secrets.SUPERTOKENS_URI }}
+        run: |
+          # Strip 'v' prefix for Docker image tags (v0.5.18 -> 0.5.18)
+          IMAGE_VERSION="${RELEASE_TAG#v}"
+          echo "Deploying Compass ${RELEASE_TAG} (image version: ${IMAGE_VERSION}) to ${{ inputs.environment }}"
+          mkdir -p ~/.ssh
+          echo "$SSH_PRIVATE_KEY" > ~/.ssh/staging_key
+          chmod 600 ~/.ssh/staging_key
+          ssh-keyscan -H "$SSH_HOST" >> ~/.ssh/known_hosts
+          printf '%s\n' \
+            'runtime:' \
+            "  version: \"${IMAGE_VERSION}\"" \
+            '  nodeEnv: production' \
+            '  timezone: Etc/UTC' \
+            'web:' \
+            '  port: 9080' \
+            "  url: \"${FRONTEND_URL}\"" \
+            'backend:' \
+            '  port: 3000' \
+            "  apiUrl: \"${BACKEND_API_URL}\"" \
+            '  originsAllowed:' \
+            "    - \"${FRONTEND_URL}\"" \
+            "  compassToken: \"${COMPASS_SYNC_TOKEN}\"" \
+            'mongo:' \
+            '  username: compass' \
+            "  password: \"${MONGO_PASSWORD}\"" \
+            ${MONGO_REPLICA_SET_KEY:+"  replicaSetKey: \"${MONGO_REPLICA_SET_KEY}\""} \
+            "  uri: \"${MONGO_URI}\"" \
+            'supertokens:' \
+            "  uri: \"${SUPERTOKENS_URI}\"" \
+            "  key: \"${SUPERTOKENS_KEY}\"" \
+            ${SUPERTOKENS_POSTGRES_PASSWORD:+'  postgres:'} \
+            ${SUPERTOKENS_POSTGRES_PASSWORD:+'    user: supertokens'} \
+            ${SUPERTOKENS_POSTGRES_PASSWORD:+"    password: \"${SUPERTOKENS_POSTGRES_PASSWORD}\""} \
+            ${SUPERTOKENS_POSTGRES_PASSWORD:+'    database: supertokens'} \
+            'google:' \
+            "  clientId: \"${GOOGLE_CLIENT_ID}\"" \
+            "  clientSecret: \"${GOOGLE_CLIENT_SECRET}\"" \
+            "  notificationToken: \"${GCAL_NOTIFICATION_TOKEN}\"" \
+            ${GCAL_NOTIFICATION_EXPIRATION_MIN:+"  channelExpirationMin: ${GCAL_NOTIFICATION_EXPIRATION_MIN}"} \
+            | ssh -i ~/.ssh/staging_key "$SSH_USER@$SSH_HOST" \
+                "umask 077 && mkdir -p ~/compass && cat > ~/compass/compass.yaml && chmod 644 ~/compass/compass.yaml"
+          COMPOSE_GIT_REF="${COMPOSE_GIT_REF:-${RELEASE_TAG}}"
+          ssh -i ~/.ssh/staging_key "$SSH_USER@$SSH_HOST" "curl -fsSL https://raw.githubusercontent.com/SwitchbackTech/compass/${COMPOSE_GIT_REF}/self-host/compose.yaml -o ~/compass/compose.yaml"
+          ssh -i ~/.ssh/staging_key "$SSH_USER@$SSH_HOST" "curl -fsSL https://raw.githubusercontent.com/SwitchbackTech/compass/${COMPOSE_GIT_REF}/self-host/compass -o ~/compass/compass && chmod +x ~/compass/compass"
+          ssh -i ~/.ssh/staging_key "$SSH_USER@$SSH_HOST" "cd ~/compass && COMPOSE_PROFILES=selfhost docker compose --project-name compass -f compose.yaml down 2>/dev/null || true"
+          if [ -n "$COMPOSE_PROFILES" ]; then
+            ssh -i ~/.ssh/staging_key "$SSH_USER@$SSH_HOST" "cd ~/compass && COMPOSE_PROFILES='${COMPOSE_PROFILES}' ./compass update"
+          else
+            ssh -i ~/.ssh/staging_key "$SSH_USER@$SSH_HOST" "cd ~/compass && ./compass update"
+          fi

.github/workflows/deploy-staging.yml

@@ -18,71 +18,18 @@ permissions:
   contents: read
 
 jobs:
-  deploy:
-    name: Deploy release to staging
-    runs-on: ubuntu-latest
-    environment: Staging
+  deploy-cloud:
+    name: Deploy to staging-cloud
+    uses: ./.github/workflows/_deploy-environment.yml
+    with:
+      tag: ${{ inputs.tag }}
+      environment: staging-cloud
+    secrets: inherit
 
-    steps:
-      - name: Deploy release to staging
-        env:
-          # Non-sensitive
-          BACKEND_API_URL: ${{ vars.BACKEND_API_URL }}
-          FRONTEND_URL: ${{ vars.FRONTEND_URL }}
-          GOOGLE_CLIENT_ID: ${{ vars.GOOGLE_CLIENT_ID }}
-          RELEASE_TAG: ${{ inputs.tag }}
-          SSH_USER: ${{ vars.SSH_USER }}
-          SSH_HOST: ${{ vars.SSH_HOST }}
-          # Sensitive
-          COMPASS_SYNC_TOKEN: ${{ secrets.COMPASS_SYNC_TOKEN }}
-          GCAL_NOTIFICATION_TOKEN: ${{ secrets.GCAL_NOTIFICATION_TOKEN }}
-          GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
-          MONGO_PASSWORD: ${{ secrets.MONGO_PASSWORD }}
-          MONGO_REPLICA_SET_KEY: ${{ secrets.MONGO_REPLICA_SET_KEY }}
-          SSH_KEY: ${{ secrets.SSH_KEY }}
-          SUPERTOKENS_KEY: ${{ secrets.SUPERTOKENS_KEY }}
-          SUPERTOKENS_POSTGRES_PASSWORD: ${{ secrets.SUPERTOKENS_POSTGRES_PASSWORD }}
-        run: |
-          # Strip 'v' prefix for Docker image tags (v0.5.18 -> 0.5.18)
-          IMAGE_VERSION="${RELEASE_TAG#v}"
-          echo "Deploying Compass ${RELEASE_TAG} (image version: ${IMAGE_VERSION}) to staging"
-          mkdir -p ~/.ssh
-          echo "$SSH_KEY" > ~/.ssh/staging_key
-          chmod 600 ~/.ssh/staging_key
-          ssh-keyscan -H "$SSH_HOST" >> ~/.ssh/known_hosts
-          printf '%s\n' \
-            'compose:' \
-            "  version: \"${IMAGE_VERSION}\"" \
-            'runtime:' \
-            '  nodeEnv: production' \
-            '  timezone: Etc/UTC' \
-            'web:' \
-            '  port: 9080' \
-            "  url: \"${FRONTEND_URL}\"" \
-            'backend:' \
-            '  port: 3000' \
-            "  apiUrl: \"${BACKEND_API_URL}\"" \
-            '  originsAllowed:' \
-            "    - \"${FRONTEND_URL}\"" \
-            "  compassToken: \"${COMPASS_SYNC_TOKEN}\"" \
-            'mongo:' \
-            '  username: compass' \
-            "  password: \"${MONGO_PASSWORD}\"" \
-            "  replicaSetKey: \"${MONGO_REPLICA_SET_KEY}\"" \
-            "  uri: \"mongodb://compass:${MONGO_PASSWORD}@mongo:27017/staging_calendar?authSource=admin&replicaSet=rs0\"" \
-            'supertokens:' \
-            '  uri: http://supertokens:3567' \
-            "  key: \"${SUPERTOKENS_KEY}\"" \
-            '  postgres:' \
-            '    user: supertokens' \
-            "    password: \"${SUPERTOKENS_POSTGRES_PASSWORD}\"" \
-            '    database: supertokens' \
-            'google:' \
-            "  clientId: \"${GOOGLE_CLIENT_ID}\"" \
-            "  clientSecret: \"${GOOGLE_CLIENT_SECRET}\"" \
-            "  notificationToken: \"${GCAL_NOTIFICATION_TOKEN}\"" \
-            | ssh -i ~/.ssh/staging_key "$SSH_USER@$SSH_HOST" \
-                "umask 077 && mkdir -p ~/compass && cat > ~/compass/compass.yaml && chmod 644 ~/compass/compass.yaml"
-          ssh -i ~/.ssh/staging_key "$SSH_USER@$SSH_HOST" "curl -fsSL https://raw.githubusercontent.com/SwitchbackTech/compass/${RELEASE_TAG}/self-host/compose.yaml -o ~/compass/compose.yaml"
-          ssh -i ~/.ssh/staging_key "$SSH_USER@$SSH_HOST" "curl -fsSL https://raw.githubusercontent.com/SwitchbackTech/compass/${RELEASE_TAG}/self-host/compass -o ~/compass/compass && chmod +x ~/compass/compass"
-          ssh -i ~/.ssh/staging_key "$SSH_USER@$SSH_HOST" "cd ~/compass && ./compass update"
+  deploy-selfhosted:
+    name: Deploy to staging-selfhosted
+    uses: ./.github/workflows/_deploy-environment.yml
+    with:
+      tag: ${{ inputs.tag }}
+      environment: staging-selfhosted
+    secrets: inherit

compass.example.yaml

@@ -5,13 +5,11 @@
 # - Do not commit this file; it contains secrets.
 # - For detailed explanations, see: https://docs.compasscalendar.com/docs/config
 
-compose:
-  version: latest
-
 runtime:
+  version: latest
   nodeEnv: development
-  timezone: Etc/UTC
   logLevel: debug
+  timezone: Etc/UTC
 
 web:
   port: 9080

docs/CI-CD/cli-and-maintenance-commands.md

@@ -1,4 +1,4 @@
-# Compass YAML Configuration
+# Configuration
 
 Compass uses `compass.yaml` for self-hosting and local development. The file is visible, diffable, and contains secrets, so keep it out of git and back it up with the Docker volumes.
 
@@ -7,14 +7,14 @@ Examples:
 - local development: `packages/backend/compass.example.yaml`
 - self-hosting: `self-host/compass.example.yaml`
 
-## Top-Level Sections
+## Runtime
 
-| key | Default | Description |
+| key | Required | Description |
 |---|---|---|
-| `compose.version` | `latest` | Docker image tag used by the self-host compose stack. Pin this for reproducible installs. |
-| `runtime.nodeEnv` | `production` | Runtime mode. Self-hosted installs should use `production`; local development uses `development`. |
-| `runtime.timezone` | `Etc/UTC` | Backend timezone. Only `Etc/UTC` and `UTC` are accepted. |
-| `runtime.logLevel` | `info` | Winston log level. |
+| `runtime.version` | Self-host | Docker image tag used by the self-host compose stack. Defaults to `latest`. Pin this for reproducible installs. |
+| `runtime.nodeEnv` | Yes | Runtime mode. Use `production` for self-hosted and staging; `development` for local dev. |
+| `runtime.timezone` | Yes | Backend timezone. Only `Etc/UTC` and `UTC` are accepted. |
+| `runtime.logLevel` | No | Winston log level. Defaults to `info`. |
 
 ## Web
 
@@ -36,10 +36,10 @@ Examples:
 
 | key | Required | Description |
 |---|---|---|
-| `mongo.username` | Self-host | MongoDB root username created on first container startup. Must match `mongo.uri`. |
+| `mongo.uri` | Yes | Backend MongoDB connection string. For self-hosted installs, must include `authSource=admin` and `replicaSet=rs0`. |
+| `mongo.username` | Self-host | MongoDB root username created on first container startup. Must match the credentials in `mongo.uri`. |
 | `mongo.password` | Self-host | MongoDB root password. Changing it after first startup requires a MongoDB user migration. |
-| `mongo.replicaSetKey` | Self-host | MongoDB replica set key for the single-node `rs0` replica set. |
-| `mongo.uri` | Yes | Backend MongoDB connection string. Self-hosted installs must include `authSource=admin` and `replicaSet=rs0`. |
+| `mongo.replicaSetKey` | Self-host | Shared secret used for internal authentication between replica set members. |
 
 ## SuperTokens