Feature/spa sync from chat 20260224

.gitignore

@@ -57,3 +57,5 @@ main.exe
 .telegram.token
 apoint-voip-server.json
 src/.env.apoint-voip
+bin
+pkg

AGENTS.md

@@ -0,0 +1,27 @@
+# SPA Sync From chat.aireset.com.br
+
+## task objective
+Sync SPA updates from `chat.aireset.com.br/src` into `quepasa/src` with full scope (backend SPA + frontend + webserver fallback), versioning frontend assets.
+
+## mandatory checklist
+- [x] Create dedicated feature branch
+- [x] Sync SPA backend API routes/controllers/login
+- [x] Sync form handlers for SPA-first flow
+- [x] Sync webserver SPA fallback behavior
+- [x] Sync environment SPA-related settings
+- [x] Sync frontend source (`src/frontend`)
+- [x] Sync built assets (`src/assets/frontend`)
+- [x] Regenerate Swagger docs
+- [x] Validate build
+
+## current status
+Branch `feature/spa-sync-from-chat-20260224` with SPA sync completed. Backend build, frontend build, and Swagger generation executed successfully. Local runtime smoke tests executed with app running on port `31000`.
+
+## next steps
+Await user validation/QA in runtime and follow-up adjustments if necessary. Keep temporary runtime env override notes for local startup (`USER`/`PASSWORD`) until seed config is aligned.
+
+## immutable constraints discovered during execution
+- Do not commit or push without explicit user request.
+- Keep API prefix aligned for SPA usage (`/api`).
+- Preserve SPA auth flow consistency (login/session/cookie JWT).
+- Keep swagger in sync after API route/controller changes.

src/.env.example

@@ -9,7 +9,7 @@
 # WEBAPIHOST - Web server bind address
 # Options: IP address, hostname, or empty for all interfaces
 # Examples: localhost, 127.0.0.1, 0.0.0.0, your-domain.com
-WEBAPIHOST=
+WEBAPIHOST=127.0.0.1
 
 # WEBAPIPORT - Web server listening port
 # Options: Any valid port number (1-65535)
@@ -25,31 +25,31 @@ WEBSOCKETSSL=false
 # SIGNING_SECRET - Secret key for signing JWT tokens and cookies
 # Options: Any strong random string (recommended: 32+ characters)
 # Example: your-super-secret-signing-key-here
-SIGNING_SECRET=
+SIGNING_SECRET=dev-signing-secret-1234567890-abc
 
 # MASTERKEY - Master key for super admin API methods
 # Options: Any string (acts as super admin password)
 # Example: your-master-admin-key
-MASTERKEY=
+MASTERKEY=dev-master-key
 
 # USER - Default user for initial database seeding
 # Options: Any valid email address or username
 # Default: Uses "default@quepasa.io" if not set
 # Note: Only used during first startup when no users exist
 # IMPORTANT: ALWAYS CHANGE THIS IN PRODUCTION!
-USER=admin@yourdomain.com
+USER="contato@localhost.com.br"
 
 # PASSWORD - Password for default user
 # Options: Any strong password (recommended: 12+ characters with mixed case, numbers, symbols)
 # Default: Creates user with EMPTY password if not set (INSECURE!)
 # Note: Only used during first startup when no users exist
 # IMPORTANT: ALWAYS SET THIS IN PRODUCTION!
-PASSWORD=YourSecurePassword123!@#
+PASSWORD="YourSecurePassword123!@#"
 
 # HTTPLOGS - Enable HTTP request logging
 # Options: true, false
 # Default: false
-HTTPLOGS=false
+HTTPLOGS=HTTPLOGS=true
 
 # =============================================================================
 # MODEL CONTEXT PROTOCOL (MCP) SERVER
@@ -59,7 +59,7 @@ HTTPLOGS=false
 # Options: true, false
 # Default: false
 # Note: Allows AI assistants to interact with QuePasa API via MCP protocol
-MCP_ENABLED=false
+MCP_ENABLED=true
 
 # MCP_PATH - MCP server endpoint path
 # Options: Any valid URL path
@@ -75,7 +75,10 @@ MCP_PATH=/mcp
 # Options: Any positive integer
 # Default: 10
 # Examples: 5, 10, 15, 30
-#WEBHOOK_TIMEOUT=10
+WEBHOOK_TIMEOUT=30
+
+# Examples: 1, 2, 4, 8
+WEBHOOK_WORKERS=8
 
 # =============================================================================
 # SWAGGER DOCUMENTATION
@@ -107,35 +110,35 @@ DBDRIVER=sqlite3
 # Options: localhost, IP address, hostname
 # Examples: localhost, 127.0.0.1, db.example.com
 # Note: Not needed for sqlite3
-DBHOST=
+#DBHOST=
 
 # DBDATABASE - Database name
 # Options: Any valid database name
 # Examples: quepasa, quepasa_production
 # Note: For sqlite3, this is the file path
-DBDATABASE=
+#DBDATABASE=
 
 # DBPORT - Database server port
 # Options: Any valid port number
 # Examples: 5432 (PostgreSQL), 3306 (MySQL)
 # Note: Not needed for sqlite3
-DBPORT=
+#DBPORT=
 
 # DBUSER - Database username
 # Options: Any valid database username
 # Note: Not needed for sqlite3
-DBUSER=
+#DBUSER=
 
 # DBPASSWORD - Database password
 # Options: Any string
 # Note: Not needed for sqlite3
-DBPASSWORD=
+#DBPASSWORD=
 
 # DBSSLMODE - Database SSL connection mode
 # Options: disable, require, verify-ca, verify-full
 # Default: disable
 # Note: PostgreSQL specific
-DBSSLMODE=
+#DBSSLMODE=
 
 # =============================================================================
 # WHATSAPP CONFIGURATION
@@ -172,7 +175,7 @@ BROADCASTS=false
 # Options: Any positive integer, or empty for default
 # Examples: 1, 7, 30
 # Note: Higher values may slow initial sync
-HISTORYSYNCDAYS=
+HISTORYSYNCDAYS=1
 
 # PRESENCE - WhatsApp presence status
 # Options: available, unavailable, composing, recording, paused
@@ -264,19 +267,19 @@ SIPPROXY_RETRIES=3
 # Options: DEBUG, INFO, WARN, ERROR, FATAL
 # Default: INFO
 # Examples: DEBUG (verbose), INFO (normal), WARN (minimal)
-LOGLEVEL=
+LOGLEVEL=DEBUG
 
 # WHATSMEOW_LOGLEVEL - Whatsmeow library log level
 # Options: DEBUG, INFO, WARN, ERROR
 # Default: WARN
 # Note: Controls WhatsApp protocol library logging
-WHATSMEOW_LOGLEVEL=
+WHATSMEOW_LOGLEVEL=DEBUG
 
 # WHATSMEOW_DBLOGLEVEL - Whatsmeow database operations log level
 # Options: DEBUG, INFO, WARN, ERROR
 # Default: WARN
 # Note: Controls database query logging from Whatsmeow
-WHATSMEOW_DBLOGLEVEL=
+WHATSMEOW_DBLOGLEVEL=DEBUG
 
 # WHATSMEOW_USE_RETRY_MESSAGE_STORE - Persist outgoing messages for retry receipts after restart
 # Options: true, false
@@ -292,13 +295,15 @@ WHATSMEOW_USE_RETRY_MESSAGE_STORE=false
 # Options: true, false
 # Default: true
 # Note: Automatically updates database schema
-MIGRATIONS=true
+# MIGRATIONS=true
+# MIGRATIONS=/opt/quepasa/migrations
+MIGRATIONS=./migrations
 
 # APP_TITLE - Application title displayed in WhatsApp device list
 # Options: Any string
 # Default: QuePasa
 # Examples: "My WhatsApp Bot", "Company Bot"
-APP_TITLE=
+APP_TITLE="Hermes"
 
 # REMOVEDIGIT9 - Remove digit 9 from Brazilian phone numbers
 # Options: true, false

src/api/api.go

@@ -49,10 +49,20 @@ func Configure(r chi.Router) {
 		}))
 		*/
 
-		// Mount API routes under the configured prefix
+		// Mount API routes under the configured prefix (e.g., /api)
 		r.Route("/"+apiPrefix, func(r chi.Router) {
 			r.Group(RegisterAPIControllers)
 			r.Group(RegisterAPIV3Controllers)
+			r.Group(RegisterSPAControllers)
 		})
+
+		// For backward compatibility, also register routes at root level
+		// when API_PREFIX is not empty. This allows legacy clients using
+		// /info, /v3/bot/..., /health to continue working.
+		if apiPrefix != "" {
+			log.Info("Registering legacy API routes at root level for backward compatibility")
+			r.Group(RegisterAPIControllers)
+			r.Group(RegisterAPIV3Controllers)
+		}
 	})
 }