Revamp: security patch, Next.js 15 migration, and low-cost AWS deployment via Terraform

[thasup]

Full revamp of the 3-years-unmaintained stack so Aurapan can run again — locally on Docker Desktop and on AWS at roughly half the old DigitalOcean cost — with a security audit, patched dependencies, and a one-command Terraform deployment.

💸 AWS deployment (new — infra/terraform/)

~$15/month (vs ~$30 on DO): one t4g.small Graviton EC2 running single-node k3s + Elastic IP + 20 GB encrypted gp3. No EKS control plane ($73/mo), no NAT gateway ($32/mo), no managed load balancer ($16/mo) — ingress-nginx binds 80/443 directly on the node. terraform apply bootstraps k3s, ingress-nginx, cert-manager (Let's Encrypt TLS), all manifests and secrets; you only point your domain's A record at the output IP. No SSH port — access via SSM Session Manager; IMDSv2 required. MongoDB Atlas M0 (free) recommended for durable data, or in-cluster MongoDB at $0. Cost details in infra/terraform/README.md.

🔒 Security audit & dependency patch (docs/SECURITY-AUDIT.md)

npm audit: 0 vulnerabilities in all 5 services and the client. Highlights:

• jsonwebtoken 8 → 9 (CVE-2022-23529 family), with npm overrides patching the copy nested in @thasup-dev/common
• express 4.17 → 4.21, mongoose 6.2 → 8.16, express-validator 7, stripe 8 → 18, bull 4.16, swiper prototype-pollution fix (GHSA-hmx5-qpq5-p643), axios 1.x, postcss override
• Node 16 (EOL) → Node 22 LTS everywhere; multi-stage production images with compiled TS, USER node, no dev toolchain
• k8s hardening: liveness/readiness probes on new /healthz endpoints, resource limits, non-root securityContext, pinned images (mongo:7, nats-streaming:0.25.6), MongoDB on PersistentVolumeClaims
• Remaining known risks documented (NATS Streaming EOL — internal-only, JetStream migration recommended as follow-up)

⚛️ Next.js 15 + React 19 App Router migration (full refactor)

• Every page converted from pages/ to app/ with server components and per-page data fetching — removes the legacy _app.getInitialProps that fetched all products, users and orders on every page view
• Server-side auth guards via redirect(); per-request fetch helper forwards Host/Cookie to the ingress with cache()-deduped currentUser
• Abandoned libs replaced: react-stripe-checkout → @stripe/react-stripe-js (same /api/payments token contract), react-paypal-button-v2 → @paypal/react-paypal-js, react-rating-stars-component → local component
• next build: ✅ 32 dynamic routes, standalone output, /api/healthz for probes

🧰 Local dev & seed

• skaffold dev on Docker Desktop k8s with per-service dev.Dockerfile hot reload (guide: docs/DEPLOYMENT.md)
• scripts/seed.mjs: idempotent, seeds an admin + 2 demo customers + 10 realistic products through the real APIs, so product data replicates to the order/payment services via NATS events exactly like production traffic

🤖 CI

• tests-*: Node 22, npm ci, full suites on PR (payment needs the STRIPE_KEY repo secret)
• deploy-*: multi-arch (amd64+arm64 for Graviton) buildx pushes; optional zero-SSH rollout to the AWS node via SSM, enabled by setting AWS_REGION/AURAPAN_INSTANCE_ID repo variables
• Legacy DigitalOcean/doctl and initial-deploy-* workflows removed

⚠️ Notes for the reviewer

• Backend test suites compile cleanly but were not executed in the authoring sandbox (mongod binary download blocked there) — the tests-* workflows on this PR are the gate. Add the STRIPE_KEY secret for the payment suite.
• @thasup-dev/common is still on its old pins (you own that package — republishing it with updated deps is the cleanest follow-up; the jwt CVE inside it is already neutralized via overrides).
• .gitignore previously ignored infra/ — fixed, which is why the Terraform files show up at all.

https://claude.ai/code/session_01WBtAYmdHyGPNvoPRXGY1xv

---

Generated by Claude Code