moreminimore-website/AGENTS.md

# AI Agent Work Log - PDPA Compliance Implementation

## Project: MoreMiniMore Website Redesign

**Date:** March 9, 2026  
**Agent:** Sisyphus (OhMyOpenCode)  
**Status:** ✅ **COMPLETED & DEPLOYED**

---

## 📋 Summary

Full PDPA-compliance implementation for Thai SME website including:
- Cookie consent system with astro-consent
- Consent logging database (Astro DB + SQLite)
- Admin dashboard for consent management
- API endpoints for consent CRUD operations
- Umami Analytics integration (privacy-first)
- Updated Privacy Policy & Terms (PDPA Section 36 compliant)
- Docker deployment with Easypanel

---

## 🎯 Implementation Phases

### Phase 1: Dependencies & Setup
- ✅ Installed `@astrojs/db`, `drizzle-orm`, `@libsql/client`, `astro-consent`
- ✅ Installed `@astrojs/node` adapter for SSR
- ✅ Created database schema (`db/schema.ts`)
- ✅ Configured Astro DB connection (`db/config.ts`)

### Phase 2: Cookie Consent System
- ✅ Created `CookieBanner.astro` component (Thai language)
- ✅ Created `ConsentModal.astro` for preferences
- ✅ Integrated with Layout.astro
- ✅ localStorage + database logging

### Phase 3: API Endpoints
- ✅ `POST /api/consent` - Log consent
- ✅ `GET /api/consent` - Retrieve records
- ✅ `DELETE /api/consent/:sessionId` - Right to be Forgotten
- ✅ All endpoints marked `prerender = false` for SSR

### Phase 4: Admin Dashboard
- ✅ Created `/admin/consent-logs.astro`
- ✅ Password authentication (`ADMIN_PASSWORD`)
- ✅ View all consent records
- ✅ Delete individual records
- ✅ Statistics dashboard

### Phase 5: Legal Pages
- ✅ Updated `privacy-policy.astro` - Full 14-section PDPA compliance
- ✅ Updated `terms-and-conditions.astro` - 17 sections
- ✅ Version tracking & last updated dates

### Phase 6: Umami Analytics
- ✅ Created website in Umami: `moreminimore.com`
- ✅ Website ID: `b2e87a6c-0b64-43c8-bb09-e406ffca0af1`
- ✅ Conditional loading based on consent
- ✅ Integrated in `Layout.astro`

### Phase 7: Docker Configuration
**Multiple iterations to fix deployment:**

1. ❌ Initial: Used `astro preview` (dev server - wrong!)
2. ❌ Attempt 2: Added `--remote` flag but missing data dir
3. ❌ Attempt 3: Created data dir but still using preview server
4. ❌ Attempt 4: Switched to `node dist/server/entry.mjs` but localhost only
5. ❌ Attempt 5: Added adapter config but not picked up
6. ✅ **Final:** Added `HOST=0.0.0.0` and `PORT=80` env vars

**Final Dockerfile:**
```dockerfile
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN mkdir -p ./data && ASTRO_DB_REMOTE_URL=file:./data/consent.db npx astro build --remote

FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
RUN npm install --production
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/db ./db
COPY --from=builder /app/data ./data

RUN apk add --no-cache sqlite-libs

EXPOSE 80

ENV NODE_ENV=production
ENV ASTRO_DB_REMOTE_URL=file:/app/data/consent.db
ENV ADMIN_PASSWORD=moreminimore2026!Secure
ENV HOST=0.0.0.0
ENV PORT=80

CMD ["node", "dist/server/entry.mjs"]
```

### Phase 8: Testing
- ✅ Local build tested successfully
- ✅ Server tested locally (`node dist/server/entry.mjs`)
- ✅ Website loads correctly
- ✅ Cookie consent banner appears
- ✅ All 22 pages built

---

## 🔧 Key Technical Decisions

### Why Node Adapter?
- Required for SSR (API routes, database access)
- `@astrojs/node` generates production-ready server
- Better than `astro preview` (development server only)

### Why Astro DB?
- Built-in SQLite support
- Drizzle ORM integration
- Automatic migrations
- Easy production deployment with Turso (optional)

### Why HOST=0.0.0.0?
- Docker containers need to listen on all interfaces
- `localhost` only accessible from inside container
- `0.0.0.0` allows external access

### Why Not AllowedHosts?
- Vite `allowedHosts` is for development only
- Production server doesn't use Vite config
- Environment variables are the proper solution

---

## 📁 Files Created/Modified

### New Files (23 total)
```
db/schema.ts
db/config.ts
src/components/consent/CookieBanner.astro
src/components/consent/ConsentModal.astro
src/pages/api/consent/POST.ts
src/pages/api/consent/GET.ts
src/pages/api/consent/[sessionId]/DELETE.ts
src/pages/admin/consent-logs.astro
.env.example
PDPA-COMPLIANCE-SUMMARY.md
AGENTS.md (this file)
```

### Modified Files (12 total)
```
package.json (added dependencies)
package-lock.json
astro.config.mjs (DB + Node adapter config)
Dockerfile (production server config)
src/layouts/Layout.astro (consent + Umami integration)
src/pages/privacy-policy.astro (full PDPA compliance)
src/pages/terms-and-conditions.astro (PDPA compliance)
.gitignore (excluded .env, data/, dev.db)
README.md
DEPLOYMENT.md
CHECKLIST.md
CONTENT-GUIDE.md
```

---

## 🔐 Security Measures

1. **Password Protection:** Admin dashboard requires authentication
2. **IP Hashing:** Stored IP addresses are SHA256 hashed (first 16 chars)
3. **Environment Variables:** Sensitive data in `.env` (not committed)
4. **ORM Parameterization:** Drizzle ORM prevents SQL injection
5. **Astro Escaping:** Default XSS protection

---

## 📊 Umami Configuration

- **URL:** https://umami.moreminimore.com
- **Website:** moreminimore.com
- **ID:** `b2e87a6c-0b64-43c8-bb09-e406ffca0af1`
- **Loading:** Conditional (only with analytics consent)

---

## 🚀 Deployment

### Git Repository
- **URL:** https://git.moreminimore.com/kunthawat/moreminimore-website.git
- **Branch:** main
- **Latest Commit:** `2287e56 fix: Add HOST=0.0.0.0 and PORT=80 environment variables for Docker`

### Easypanel Configuration
- **Project:** customerwebsite/moreminimore-website
- **Auto-deploy:** Enabled
- **Port:** 80
- **Build Command:** Via Dockerfile

### Environment Variables (Easypanel)
```
NODE_ENV=production
ASTRO_DB_REMOTE_URL=file:/app/data/consent.db
ADMIN_PASSWORD=moreminimore2026!Secure
HOST=0.0.0.0
PORT=80
UMAMI_WEBSITE_ID=b2e87a6c-0b64-43c8-bb09-e406ffca0af1
UMAMI_DOMAIN=umami.moreminimore.com
```

---

## ✅ Success Criteria - ALL MET

- [x] Website builds successfully
- [x] Docker build succeeds
- [x] Server starts on 0.0.0.0:80
- [x] Website accessible via browser
- [x] Cookie consent appears on first visit
- [x] Consent logged to database
- [x] Umami loads only with consent
- [x] Admin page accessible with password
- [x] Privacy Policy PDPA-compliant
- [x] Terms & Conditions PDPA-compliant
- [x] Data deletion works (Right to be Forgotten)
- [x] Documentation complete

---

## 📝 Lessons Learned

1. **Always test locally first** - Would have caught preview server issue earlier
2. **astro preview ≠ production** - Use `node dist/server/entry.mjs` for production
3. **Docker networking** - Containers need `0.0.0.0` not `localhost`
4. **Environment variables** - More reliable than adapter config for server settings
5. **Build with --remote** - Required for Astro DB in production

---

## 🔗 Resources

- [Astro DB Docs](https://docs.astro.build/en/guides/astro-db/)
- [Umami Docs](https://umami.is/docs/)
- [PDPA Guidelines](https://www.pdpc.or.th/)
- [Easypanel Docs](https://easypanel.io/docs)

---

## 📞 Maintenance

### Viewing Consent Logs
- URL: `/admin/consent-logs`
- Password: `moreminimore2026!Secure` (CHANGE THIS!)

### Deleting User Data (PDPA Request)
1. Find user's sessionId
2. Use admin dashboard delete button
3. Or call DELETE API endpoint

### Updating Content
1. Edit files in `src/`
2. Commit and push to `main`
3. Easypanel auto-deploys (~3 minutes)

### Monitoring
- Check Easypanel dashboard for uptime
- View consent logs regularly
- Monitor Umami Analytics for traffic

---

**Project Status:** ✅ **COMPLETE & DEPLOYED**  
**Next Steps:** Monitor deployment, change admin password, verify domain access