From 0e9cc64501ec547b5bddef83dda8a202a94ff203 Mon Sep 17 00:00:00 2001 From: Jonas Thelemann Date: Fri, 20 Feb 2026 04:20:22 +0100 Subject: [PATCH 1/6] feat(postgraphile)!: change forward authorization path --- src/development/stack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/development/stack.yml b/src/development/stack.yml index f64f6755..3d6251c6 100644 --- a/src/development/stack.yml +++ b/src/development/stack.yml @@ -296,7 +296,7 @@ services: deploy: labels: - traefik.enable=true - - traefik.http.middlewares.postgraphile_auth.forwardauth.address=http://vibetype:3000/api/service/traefik/authentication + - traefik.http.middlewares.postgraphile_auth.forwardauth.address=http://vibetype:3000/api/internal/service/postgraphile/authentication - traefik.http.middlewares.postgraphile_auth.forwardauth.forwardBody=true - traefik.http.middlewares.postgraphile_auth.forwardauth.preserveRequestMethod=true - traefik.http.middlewares.postgraphile_cors.headers.accessControlAllowCredentials=true From 1ccdd94c7f87fc570212f6cf8c5ad281632e743f Mon Sep 17 00:00:00 2001 From: Jonas Thelemann Date: Fri, 20 Feb 2026 04:21:00 +0100 Subject: [PATCH 2/6] feat(vibetype): allow csrf token access control header --- src/development/stack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/development/stack.yml b/src/development/stack.yml index 3d6251c6..25d1b7d7 100644 --- a/src/development/stack.yml +++ b/src/development/stack.yml 
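Review bot: The new forward-auth target `/api/internal/service/postgraphile/authentication` is named as an internal endpoint, but nothing in this hunk keeps it off the public vibetype router, whose rule is defined outside the hunk. If that router forwards all of `/api/` to `vibetype:3000`, the endpoint remains reachable from outside the stack. Either exclude the `/api/internal/` prefix in the vibetype router rule, or confirm that vibetype itself rejects requests that do not come from Traefik. A comment above the label would record the intent, e.g. `# internal-only: called by traefik forwardauth, must not be exposed through the public router`.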
@@ -525,7 +525,7 @@ services: deploy: labels: - traefik.enable=true - - traefik.http.middlewares.vibetype_cors.headers.accessControlAllowHeaders=authorization,hook-name + - traefik.http.middlewares.vibetype_cors.headers.accessControlAllowHeaders=authorization,hook-name,x-csrf-token - traefik.http.middlewares.vibetype_cors.headers.accessControlAllowMethods=GET,POST,PUT,DELETE - traefik.http.middlewares.vibetype_cors.headers.accessControlAllowOriginList=https://localhost:3000,https://app.localhost:3000 - traefik.http.middlewares.vibetype_redirectregex.redirectregex.regex=^https?:\/\/www\.${STACK_DOMAIN}\/(.*) From ca5edf85dae55aa757cb166e7171c7dff394c926 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Fri, 20 Feb 2026 03:22:08 +0000 Subject: [PATCH 3/6] chore(release): 17.0.0-beta.1 [skip ci] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## [17.0.0-beta.1](https://github.com/maevsi/stack/compare/16.0.8...17.0.0-beta.1) (2026-02-20) ### ⚠ BREAKING CHANGES * **postgraphile:** change forward authorization path ### Features * **postgraphile:** change forward authorization path ([0e9cc64](https://github.com/maevsi/stack/commit/0e9cc64501ec547b5bddef83dda8a202a94ff203)) * **vibetype:** allow csrf token access control header ([1ccdd94](https://github.com/maevsi/stack/commit/1ccdd94c7f87fc570212f6cf8c5ad281632e743f)) --- CHANGELOG.md | 11 +++++++++++ package.json | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d2dcb24b..775a771f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
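Review bot: Adding `x-csrf-token` to `accessControlAllowHeaders` makes the neighbouring `accessControlAllowOriginList` label the effective boundary for which origins may send the CSRF header cross-origin, and that dependency is undocumented. The list visible here is the development one (`https://localhost:3000`, `https://app.localhost:3000`). The production value is not in this hunk, so it is worth confirming that it names exact origins only. A comment above the label would help, e.g. `# x-csrf-token: sent by the app for CSRF validation; only origins in accessControlAllowOriginList may send it`.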
@@ -1,3 +1,14 @@ +## [17.0.0-beta.1](https://github.com/maevsi/stack/compare/16.0.8...17.0.0-beta.1) (2026-02-20) + +### ⚠ BREAKING CHANGES + +* **postgraphile:** change forward authorization path + +### Features + +* **postgraphile:** change forward authorization path ([0e9cc64](https://github.com/maevsi/stack/commit/0e9cc64501ec547b5bddef83dda8a202a94ff203)) +* **vibetype:** allow csrf token access control header ([1ccdd94](https://github.com/maevsi/stack/commit/1ccdd94c7f87fc570212f6cf8c5ad281632e743f)) + ## [16.0.8](https://github.com/maevsi/stack/compare/16.0.7...16.0.8) (2026-02-08) ### Bug Fixes diff --git a/package.json b/package.json index b41d97a2..30875062 100644 --- a/package.json +++ b/package.json @@ -21,5 +21,5 @@ "prepare": "husky && ./src/development/certificates/mkcert.sh" }, "type": "module", - "version": "16.0.8" + "version": "17.0.0-beta.1" } From 011338398447c002aaf4682f06aeaee238f3b3b8 Mon Sep 17 00:00:00 2001 From: Jonas Thelemann Date: Wed, 18 Feb 2026 07:51:44 +0100 Subject: [PATCH 4/6] feat(postgraphile)!: upgrade to v5 --- README.md | 4 +++ src/development/stack.yml | 34 +++++++++++-------- .../postgraphile/.postgraphilerc.js | 25 -------------- src/production/production.yml | 1 + 4 files changed, 25 insertions(+), 39 deletions(-) delete mode 100644 src/production/configurations/postgraphile/.postgraphilerc.js diff --git a/README.md b/README.md index e6a66709..5998d433 100644 --- a/README.md +++ b/README.md @@ -310,6 +310,10 @@ This project is deployed in accordance to the [DargStack template](https://githu The container manager's data. + - ### `postgraphile_data` + + The GraphQL API's data. + - ### `postgres_data` The database's data. diff --git a/src/development/stack.yml b/src/development/stack.yml index 25d1b7d7..5556cd1c 100644 --- a/src/development/stack.yml +++ b/src/development/stack.yml 
@@ -307,25 +307,28 @@ services: - traefik.http.routers.postgraphile.rule=Host(`postgraphile.${STACK_DOMAIN}`) - traefik.http.routers.postgraphile_secure.entryPoints=web-secure - traefik.http.routers.postgraphile_secure.middlewares=postgraphile_auth,postgraphile_cors - - traefik.http.routers.postgraphile_secure.rule=Host(`postgraphile.${STACK_DOMAIN}`) + - traefik.http.routers.postgraphile_secure.rule=Host(`postgraphile.${STACK_DOMAIN}`) && Path(`/graphql`) - traefik.http.routers.postgraphile_secure.tls.options=mintls13@file #DARGSTACK-REMOVE - traefik.http.routers.postgraphile_secure_graphiql.entryPoints=web-secure - - traefik.http.routers.postgraphile_secure_graphiql.rule=Host(`postgraphile.${STACK_DOMAIN}`) && Path(`/graphiql`) + - traefik.http.routers.postgraphile_secure_graphiql.rule=Host(`postgraphile.${STACK_DOMAIN}`) - traefik.http.routers.postgraphile_secure_graphiql.tls.options=mintls13@file #DARGSTACK-REMOVE - - traefik.http.services.postgraphile.loadbalancer.server.port=5000 - environment: - POSTGRAPHILE_CONNECTION_FILE: /run/secrets/postgraphile_connection - POSTGRAPHILE_JWT_PUBLIC_KEY_FILE: /run/config/postgraphile_jwt-public-key - POSTGRAPHILE_JWT_SECRET_KEY_FILE: /run/secrets/postgraphile_jwt-secret - POSTGRAPHILE_OWNER_CONNECTION_FILE: /run/secrets/postgraphile_owner-connection - image: ghcr.io/maevsi/postgraphile:1.0.19 + - traefik.http.services.postgraphile.loadbalancer.server.port=5678 + # # Use the DEBUG environment variable for extended debugging. 
+ # environment: + # DEBUG: graphile-build:warn,graphile-build-pg:sql + image: maevsi/postgraphile:dev secrets: - - postgraphile_connection - - postgraphile_jwt-secret - - postgraphile_owner-connection + - source: postgraphile_connection + target: /run/environment-variables/POSTGRAPHILE_CONNECTION + - source: postgraphile_jwt-secret + target: /run/environment-variables/POSTGRAPHILE_JWT_SECRET_KEY + - source: postgraphile_owner-connection + target: /run/environment-variables/POSTGRAPHILE_OWNER_CONNECTION volumes: - - ./configurations/postgraphile/jwtRS256.key.pub:/run/config/postgraphile_jwt-public-key:ro - - ../production/configurations/postgraphile/.postgraphilerc.js:/postgraphile/.postgraphilerc.js:ro + - ../../../postgraphile/:/srv/app/ #DARGSTACK-REMOVE + - ./configurations/postgraphile/jwtRS256.key.pub:/run/environment-variables/POSTGRAPHILE_JWT_PUBLIC_KEY:ro + - pnpm_data:/srv/.pnpm-store/ #DARGSTACK-REMOVE + - postgraphile_data:/srv/app/node_modules #DARGSTACK-REMOVE postgres: # You can access the database via `adminer`. command: -c vibetype.jwt_expiry_duration='1 month' -c wal_level=logical @@ -596,6 +599,9 @@ volumes: portainer_data: # The container manager's data. {} + postgraphile_data: + # The GraphQL API's data. + {} postgres_data: # The database's data. {} diff --git a/src/production/configurations/postgraphile/.postgraphilerc.js b/src/production/configurations/postgraphile/.postgraphilerc.js deleted file mode 100644 index b24a8b17..00000000 --- a/src/production/configurations/postgraphile/.postgraphilerc.js +++ /dev/null 
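Review bot: After this change `postgraphile_secure_graphiql` matches the whole host and has no `middlewares` label, while `postgraphile_auth,postgraphile_cors` apply only to `postgraphile_secure`, whose rule now ends in an exact `Path` match on `/graphql`. Every other request to the host, including `/graphql/` with a trailing slash, is therefore routed to the service without forward authentication or the CORS policy. Only the `tls.options` label of the catch-all router carries `#DARGSTACK-REMOVE`, so unless production.yml overrides it (not visible in this hunk) the router reaches production as well. Consider marking its `entryPoints` and `rule` labels `#DARGSTACK-REMOVE` too, or adding `- traefik.http.routers.postgraphile_secure_graphiql.middlewares=postgraphile_auth,postgraphile_cors` if those paths are needed outside development.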
@@ -1,25 +0,0 @@ -const fs = require('fs'); - -const postgisPlugin = require("@graphile/postgis"); - -module.exports = { - options: { - appendPlugins: [postgisPlugin.default || postgisPlugin], - connection: fs.readFileSync(process.env.POSTGRAPHILE_CONNECTION_FILE, 'utf8'), - defaultRole: 'vibetype_anonymous', - dynamicJson: true, - enhanceGraphiql: true, - extendedErrors: ['errcode'], - host: '0.0.0.0', - ignoreRBAC: false, - jwtPublicKey: fs.readFileSync(process.env.POSTGRAPHILE_JWT_PUBLIC_KEY_FILE, 'utf8'), - jwtSecret: fs.readFileSync(process.env.POSTGRAPHILE_JWT_SECRET_KEY_FILE, 'utf8'), - jwtSignOptions: { algorithm: 'RS256' }, - jwtTokenIdentifier: 'vibetype.jwt', - jwtVerifyAlgorithms: ['RS256'], - ownerConnection: fs.readFileSync(process.env.POSTGRAPHILE_OWNER_CONNECTION_FILE, 'utf8'), - schema: ['vibetype'], - setofFunctionsContainNulls: false, - watch: true - }, -}; diff --git a/src/production/production.yml b/src/production/production.yml index 63322e87..db27157a 100644 --- a/src/production/production.yml +++ b/src/production/production.yml @@ -43,6 +43,7 @@ services: - (( append )) - traefik.http.routers.postgraphile.middlewares=postgraphile_auth,postgraphile_cors - traefik.http.routers.postgraphile_secure.tls.certresolver=default + image: maevsi/postgraphile:2.0.0-beta.1 postgres_backup: # You cannot access the database backup directly. environment: From 7826898e033635d027b28421b71ef60561eee1a5 Mon Sep 17 00:00:00 2001 
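Review bot: The production override `image: maevsi/postgraphile:2.0.0-beta.1` pins a pre-release tag rather than a digest, and it drops the explicit `ghcr.io` registry host that the removed `ghcr.io/maevsi/postgraphile:1.0.19` reference in stack.yml had. The same patch deletes `.postgraphilerc.js`, so settings such as `defaultRole`, `ignoreRBAC: false` and `jwtVerifyAlgorithms: ['RS256']` presumably now live inside that image, which makes its integrity carry more weight. Consider `image: maevsi/postgraphile:2.0.0-beta.1@sha256:<digest-of-the-reviewed-image>`. It is also worth confirming that the v5 configuration baked into the image keeps RS256-only verification and the anonymous default role.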
From: semantic-release-bot Date: Fri, 20 Feb 2026 07:44:30 +0000 Subject: [PATCH 5/6] chore(release): 17.0.0-beta.2 [skip ci] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## [17.0.0-beta.2](https://github.com/maevsi/stack/compare/17.0.0-beta.1...17.0.0-beta.2) (2026-02-20) ### ⚠ BREAKING CHANGES * **postgraphile:** upgrade to v5 ### Features * **postgraphile:** upgrade to v5 ([0113383](https://github.com/maevsi/stack/commit/011338398447c002aaf4682f06aeaee238f3b3b8)) --- CHANGELOG.md | 10 ++++++++++ package.json | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 775a771f..5be3efcd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +## [17.0.0-beta.2](https://github.com/maevsi/stack/compare/17.0.0-beta.1...17.0.0-beta.2) (2026-02-20) + +### ⚠ BREAKING CHANGES + +* **postgraphile:** upgrade to v5 + +### Features + +* **postgraphile:** upgrade to v5 ([0113383](https://github.com/maevsi/stack/commit/011338398447c002aaf4682f06aeaee238f3b3b8)) + ## [17.0.0-beta.1](https://github.com/maevsi/stack/compare/16.0.8...17.0.0-beta.1) (2026-02-20) ### ⚠ BREAKING CHANGES diff --git a/package.json b/package.json index 30875062..4713599d 100644 --- a/package.json +++ b/package.json @@ -21,5 +21,5 @@ "prepare": "husky && ./src/development/certificates/mkcert.sh" }, "type": "module", - "version": "17.0.0-beta.1" + "version": "17.0.0-beta.2" } From ff6e7ffb1e941086b3947e453320e2e584a7fd1e Mon Sep 17 00:00:00 2001 
From: semantic-release-bot Date: Mon, 23 Feb 2026 17:57:56 +0000 Subject: [PATCH 6/6] chore(release): 17.0.0-beta.3 [skip ci] ## [17.0.0-beta.3](https://github.com/maevsi/stack/compare/17.0.0-beta.2...17.0.0-beta.3) (2026-02-23) ### Features * **zammad:** add ([f913dfc](https://github.com/maevsi/stack/commit/f913dfc894724e19195853138cc6610419a5ab42)) ### Bug Fixes * **deps:** lockfile maintenance ([0785ef9](https://github.com/maevsi/stack/commit/0785ef9d90e3b32b86da13fae2052f4879d3985d)) * **deps:** update ghcr.io/maevsi/vibetype to v13.3.3 ([a175137](https://github.com/maevsi/stack/commit/a1751375c4bcaae957fd32e920cd7a62e10114fa)) * **elasticsearch:** correct security configuration ([ccda936](https://github.com/maevsi/stack/commit/ccda936b5d1d7c24450027e260d9b49c27abbfbd)) * **elasticsearch:** set memory ([e257b75](https://github.com/maevsi/stack/commit/e257b75a3500aee4b0028bca4777905d14ca7cf0)) * **vibetype:** move allowed headers from postgraphile ([421ae19](https://github.com/maevsi/stack/commit/421ae19e65001039c15c94db5e91ce3610bd230f)) * **zammad-init:** restart on failure only ([3fb38d9](https://github.com/maevsi/stack/commit/3fb38d9d88cc8dd4db0baa55345c3e8e14e0ad70)) * **zammad-nginx:** resolve certificate ([e95bf06](https://github.com/maevsi/stack/commit/e95bf068fd2b4ad34c810815ab2e638b33cddb01)) * **zammad:** set nginx server scheme ([f035ac5](https://github.com/maevsi/stack/commit/f035ac5ed555b00983612de0c73abdca5accc34d)) ### Performance Improvements * **elasticsearch:** add resource constraints ([3ae4d73](https://github.com/maevsi/stack/commit/3ae4d73975b3afe8b5177cad84c476c358c230a4)) --- CHANGELOG.md | 21 +++++++++++++++++++++ package.json | 2 +- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6d44e80d..ea447b8c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,24 @@ +## [17.0.0-beta.3](https://github.com/maevsi/stack/compare/17.0.0-beta.2...17.0.0-beta.3) (2026-02-23) + +### Features + +* **zammad:** add ([f913dfc](https://github.com/maevsi/stack/commit/f913dfc894724e19195853138cc6610419a5ab42)) + +### Bug Fixes + +* **deps:** lockfile maintenance ([0785ef9](https://github.com/maevsi/stack/commit/0785ef9d90e3b32b86da13fae2052f4879d3985d)) +* **deps:** update ghcr.io/maevsi/vibetype to v13.3.3 ([a175137](https://github.com/maevsi/stack/commit/a1751375c4bcaae957fd32e920cd7a62e10114fa)) +* **elasticsearch:** correct security configuration ([ccda936](https://github.com/maevsi/stack/commit/ccda936b5d1d7c24450027e260d9b49c27abbfbd)) +* **elasticsearch:** set memory ([e257b75](https://github.com/maevsi/stack/commit/e257b75a3500aee4b0028bca4777905d14ca7cf0)) +* **vibetype:** move allowed headers from postgraphile ([421ae19](https://github.com/maevsi/stack/commit/421ae19e65001039c15c94db5e91ce3610bd230f)) +* **zammad-init:** restart on failure only ([3fb38d9](https://github.com/maevsi/stack/commit/3fb38d9d88cc8dd4db0baa55345c3e8e14e0ad70)) +* **zammad-nginx:** resolve certificate ([e95bf06](https://github.com/maevsi/stack/commit/e95bf068fd2b4ad34c810815ab2e638b33cddb01)) +* **zammad:** set nginx server scheme ([f035ac5](https://github.com/maevsi/stack/commit/f035ac5ed555b00983612de0c73abdca5accc34d)) + +### Performance Improvements + +* **elasticsearch:** add resource constraints ([3ae4d73](https://github.com/maevsi/stack/commit/3ae4d73975b3afe8b5177cad84c476c358c230a4)) + ## [17.0.0-beta.2](https://github.com/maevsi/stack/compare/17.0.0-beta.1...17.0.0-beta.2) (2026-02-20) ### ⚠ BREAKING CHANGES diff --git a/package.json b/package.json index 835db2b6..56478632 100644 --- a/package.json +++ b/package.json @@ -21,5 +21,5 @@ "prepare": "husky && ./src/development/certificates/mkcert.sh" }, "type": "module", - "version": "17.0.0-beta.2" + "version": "17.0.0-beta.3" }