deployment: harden self-hosted install behind HTTPS reverse proxies
Task #538. Fixes the four bugs that bit the user's first Tailscale-fronted install of Tx OS on their Mac: 1. Missing `user_sessions` table on fresh installs — `connect-pg-simple` now uses `createTableIfMissing: true`. Drizzle migrations still skip the table (`tablesFilter: ["!user_sessions"]`), so ownership stays with the session store. 2. Session cookie silently dropped behind HTTPS proxies that don't forward `X-Forwarded-Proto` (Tailscale serve, ngrok free, some Cloudflare Tunnels). New `TRUST_PROXY_HTTPS=true` env var injects the header before pino + session middleware, and `cookie.secure` is now derived from `PUBLIC_BASE_URL.startsWith("https://") || trustProxyHttps` instead of `NODE_ENV`. 3. `ALLOWED_ORIGINS` was undocumented for non-localhost URLs — added examples (LAN IP, Tailscale name, custom domain) in `.env.example`, `.env.docker.example`, `README.md`, plus a new "Reverse proxy / Tailscale / external URL" README section. 4. Demo executive meetings always seeded on real installs — gated behind `SEED_DEMO_MEETINGS=true` (default off), wired through `docker-compose.yml` to the migrate service. Architect (code review) approved; added a security note clarifying that `TRUST_PROXY_HTTPS=true` requires the API to be unreachable directly over plain HTTP. The git commit + push to Gitea is delegated to a follow-up task because main-agent sandbox blocks `git commit` / branch creation.
This commit is contained in: