Reorganize monorepo into projects/wizard, ops-desk, finance

Specs stay at repo root (cross-VM). Move deploy and code into logical
projects with README per domain, updated manifest.yaml, and symlinks at
legacy paths for VM122 backward compatibility.

README.md

@@ -4,6 +4,18 @@ Plataforma de operações Ligbox — Spec-Driven Development com [GitHub Spec Ki
 
 **VM:** 122 (`ligbox-ops`) · `10.10.10.122` · SSH WAN `95.216.14.146:2522`
 
+
+## Estrutura do monorepo
+
+| Projecto | VM | Pasta |
+|----------|-----|-------|
+| Wizard | VM112 | `projects/wizard/` |
+| Ops Desk | VM122 | `projects/ops-desk/` |
+| Finance | VM123 | `projects/finance/` |
+| Integrations | VM104 | `projects/integrations/` |
+
+**Specs** ficam em `specs/` (raiz) — muitas cruzam VMs. Ver `projects/README.md` e `deploy/manifest.yaml`.
+
 ---
 
 ## Início rápido Spec Kit
@@ -46,7 +58,7 @@ Canais: `workspace/` · `obsidian-infra/ligbox-ops-platform/` (VM112) · `LAPTOP
 
 ## Estado MVP (VM122)
 
-Deploy em `/opt/ligbox-ops-platform/`:
+Deploy em `/opt/ligbox-ops-platform/` (conteúdo = `projects/ops-desk/` no Git):
 
 - API `:8080` · Frontend `:8091` · Redis + Worker internos
 - fail2ban activo · webhook secret dev (rotacionar em produção)

_sidebar.md

@@ -0,0 +1,138 @@
+# Ligbox Spec Kit
+- [🏠 Hub](/)
+- [📋 Inventário VMs](docs/vms/README.md)
+- [📜 Constitution](.specify/memory/constitution.md)
+- [📌 Backlog](BACKLOG.md)
+---
+## VM112 — Onboard / Mail
+- **001-webhook-vm112-integration**
+  - [📄 spec.md](specs/001-webhook-vm112-integration/spec.md)
+  - [plan.md](specs/001-webhook-vm112-integration/plan.md)
+  - [tasks.md](specs/001-webhook-vm112-integration/tasks.md)
+  - [quickstart.md](specs/001-webhook-vm112-integration/quickstart.md)
+  - [research.md](specs/001-webhook-vm112-integration/research.md)
+  - [data-model.md](specs/001-webhook-vm112-integration/data-model.md)
+  - **contracts/**
+    - [webhook-onboard](specs/001-webhook-vm112-integration/contracts/webhook-onboard.md)
+  - **checklists/**
+    - [requirements](specs/001-webhook-vm112-integration/checklists/requirements.md)
+- **017-vm112-domain-orchestration**
+  - [📄 spec.md](specs/017-vm112-domain-orchestration/spec.md)
+- **022-carbonio-account-exists-release**
+  - [📄 spec.md](specs/022-carbonio-account-exists-release/spec.md)
+  - [tasks.md](specs/022-carbonio-account-exists-release/tasks.md)
+- **025-wizard-onboarding-continuity**
+  - [📄 spec.md](specs/025-wizard-onboarding-continuity/spec.md)
+  - [tasks.md](specs/025-wizard-onboarding-continuity/tasks.md)
+- **026-purge-traefik-validation**
+  - [📄 spec.md](specs/026-purge-traefik-validation/spec.md)
+- **010-desk-assist-takeover**
+  - [📄 spec.md](specs/010-desk-assist-takeover/spec.md)
+  - [tasks.md](specs/010-desk-assist-takeover/tasks.md)
+  - [quickstart.md](specs/010-desk-assist-takeover/quickstart.md)
+## VM122 — Ops Desk
+- **003-desk-auth-rbac**
+  - [📄 spec.md](specs/003-desk-auth-rbac/spec.md)
+  - [plan.md](specs/003-desk-auth-rbac/plan.md)
+  - [tasks.md](specs/003-desk-auth-rbac/tasks.md)
+  - [quickstart.md](specs/003-desk-auth-rbac/quickstart.md)
+  - [research.md](specs/003-desk-auth-rbac/research.md)
+  - [data-model.md](specs/003-desk-auth-rbac/data-model.md)
+  - **contracts/**
+    - [auth-api](specs/003-desk-auth-rbac/contracts/auth-api.md)
+  - **checklists/**
+    - [requirements](specs/003-desk-auth-rbac/checklists/requirements.md)
+- **004-desk-account-management**
+  - [📄 spec.md](specs/004-desk-account-management/spec.md)
+  - [tasks.md](specs/004-desk-account-management/tasks.md)
+  - [quickstart.md](specs/004-desk-account-management/quickstart.md)
+- **004-onboard-funnel-events**
+  - [📄 spec.md](specs/004-onboard-funnel-events/spec.md)
+  - [plan.md](specs/004-onboard-funnel-events/plan.md)
+  - [tasks.md](specs/004-onboard-funnel-events/tasks.md)
+  - [research.md](specs/004-onboard-funnel-events/research.md)
+  - **contracts/**
+    - [webhook-funnel-events](specs/004-onboard-funnel-events/contracts/webhook-funnel-events.md)
+  - **checklists/**
+    - [requirements](specs/004-onboard-funnel-events/checklists/requirements.md)
+- **009-ops-audit-overview**
+  - [📄 spec.md](specs/009-ops-audit-overview/spec.md)
+  - [plan.md](specs/009-ops-audit-overview/plan.md)
+  - [tasks.md](specs/009-ops-audit-overview/tasks.md)
+  - [research.md](specs/009-ops-audit-overview/research.md)
+  - **contracts/**
+    - [audit-api](specs/009-ops-audit-overview/contracts/audit-api.md)
+  - **checklists/**
+    - [requirements](specs/009-ops-audit-overview/checklists/requirements.md)
+- **010-admin-domain-validation**
+  - [📄 spec.md](specs/010-admin-domain-validation/spec.md)
+  - [correcao-vm112.md](specs/010-admin-domain-validation/correcao-vm112.md)
+- **012-abandoned-onboarding-lead**
+  - [📄 spec.md](specs/012-abandoned-onboarding-lead/spec.md)
+  - [tasks.md](specs/012-abandoned-onboarding-lead/tasks.md)
+  - [quickstart.md](specs/012-abandoned-onboarding-lead/quickstart.md)
+- **015-desk-module-registry**
+  - [📄 spec.md](specs/015-desk-module-registry/spec.md)
+- **027-desk-rbac-function-matrix**
+  - [📄 spec.md](specs/027-desk-rbac-function-matrix/spec.md)
+  - [quickstart.md](specs/027-desk-rbac-function-matrix/quickstart.md)
+  - [data-model.md](specs/027-desk-rbac-function-matrix/data-model.md)
+  - **contracts/**
+    - [vm123-product-roles](specs/027-desk-rbac-function-matrix/contracts/vm123-product-roles.md)
+## VM123 — Finance / Console
+- **019-ops-console-active-operations**
+  - [📄 spec.md](specs/019-ops-console-active-operations/spec.md)
+  - [plan.md](specs/019-ops-console-active-operations/plan.md)
+  - [tasks.md](specs/019-ops-console-active-operations/tasks.md)
+  - [README.md](specs/019-ops-console-active-operations/README.md)
+  - **contracts/**
+    - [chamados-api](specs/019-ops-console-active-operations/contracts/chamados-api.md)
+  - **design/**
+    - [navigation-ia](specs/019-ops-console-active-operations/design/navigation-ia.md)
+- **023-billing-recurrence-desk-visibility**
+  - [📄 spec.md](specs/023-billing-recurrence-desk-visibility/spec.md)
+  - [tasks.md](specs/023-billing-recurrence-desk-visibility/tasks.md)
+- **024-openpanel-fossbilling**
+  - [📄 spec.md](specs/024-openpanel-fossbilling/spec.md)
+  - [tasks.md](specs/024-openpanel-fossbilling/tasks.md)
+  - [PROVISIONING_CLIENT_CARD.md](specs/024-openpanel-fossbilling/PROVISIONING_CLIENT_CARD.md)
+- **019-email-migration-vm122-execution**
+  - [📄 spec.md](specs/019-email-migration-vm122-execution/spec.md)
+  - [tasks.md](specs/019-email-migration-vm122-execution/tasks.md)
+## VM104 — Wazuh
+- **002-wazuh-integration**
+  - [📄 spec.md](specs/002-wazuh-integration/spec.md)
+  - [plan.md](specs/002-wazuh-integration/plan.md)
+  - [tasks.md](specs/002-wazuh-integration/tasks.md)
+## CT130 — Spec Hub
+- **031-spec-hub-portal**
+  - [📄 spec.md](specs/031-spec-hub-portal/spec.md)
+## Outras specs
+- **007-mobile-push-notifications**
+  - [📄 spec.md](specs/007-mobile-push-notifications/spec.md)
+  - [tasks.md](specs/007-mobile-push-notifications/tasks.md)
+  - [quickstart.md](specs/007-mobile-push-notifications/quickstart.md)
+- **011-integration-otrs**
+  - [📄 spec.md](specs/011-integration-otrs/spec.md)
+- **011-mail-tls-wizard-validation**
+  - [📄 spec.md](specs/011-mail-tls-wizard-validation/spec.md)
+  - [README.md](specs/011-mail-tls-wizard-validation/README.md)
+- **013-email-server-migration**
+  - [📄 spec.md](specs/013-email-server-migration/spec.md)
+  - [plan.md](specs/013-email-server-migration/plan.md)
+  - [tasks.md](specs/013-email-server-migration/tasks.md)
+  - [quickstart.md](specs/013-email-server-migration/quickstart.md)
+  - [research.md](specs/013-email-server-migration/research.md)
+  - [data-model.md](specs/013-email-server-migration/data-model.md)
+  - [infrastructure.md](specs/013-email-server-migration/infrastructure.md)
+- **014-funnel-phase-timing**
+  - [📄 spec.md](specs/014-funnel-phase-timing/spec.md)
+- **016-onboard-self-service-prefill**
+  - [📄 spec.md](specs/016-onboard-self-service-prefill/spec.md)
+- **018-service-orchestration**
+  - [📄 spec.md](specs/018-service-orchestration/spec.md)
+- **020-purge-history-desk**
+  - [📄 spec.md](specs/020-purge-history-desk/spec.md)
+- **021-wizard-cybersecurity-telemetry**
+  - [📄 spec.md](specs/021-wizard-cybersecurity-telemetry/spec.md)
+  - [tasks.md](specs/021-wizard-cybersecurity-telemetry/tasks.md)

api

@@ -0,0 +1 @@
+projects/ops-desk/api

deploy/manifest.yaml

@@ -1,17 +1,49 @@
-vm122:
-  tag: main
-  path: /opt/ligbox-ops-platform
-  hub_mirror: /opt/ligbox-spec-hub/repos/ligbox-ops-platform
-vm123:
-  tag: main
-  paths:
-    - /opt/vm123-finance-stack
-    - /opt/ligbox-ops-console
+# Deploy manifest — Ligbox Ops Platform
+# Fonte: CT130 Forgejo · git pull por VM
+
 vm112:
   tag: main
+  description: Wizard onboard + Carbonio mail
+  project: projects/wizard
   paths:
-    - deploy/vm112-spec022
-    - deploy/vm112-wizard-security
+    - projects/wizard/deploy/vm112-spec022
+    - projects/wizard/deploy/vm112-wizard-security
+  deploy_to:
+    - /opt/ligbox-wizard-scripts
+
+vm122:
+  tag: main
+  description: Ops Desk API + worker + frontend
+  project: projects/ops-desk
+  paths:
+    - projects/ops-desk
+  deploy_to: /opt/ligbox-ops-platform
+  hub_mirror: /opt/ligbox-spec-hub/repos/ligbox-ops-platform/projects/ops-desk
+  note: Symlinks api/worker/frontend na raiz do repo apontam para projects/ops-desk/
+
+vm123:
+  tag: main
+  description: Finance stack + console
+  project: projects/finance
+  paths:
+    - projects/finance/deploy/vm123-finance-stack
+    - projects/finance/app/vm123
+    - specs/019-ops-console-active-operations/deploy
+  deploy_to:
+    - /opt/vm123-finance-stack
+    - /opt/ligbox-ops-console
+
+vm104:
+  tag: main
+  description: Wazuh SIEM integration
+  project: projects/integrations
+  paths:
+    - projects/integrations/wazuh
+  deploy_to: /opt/wazuh-integration
+
 ct130:
   tag: main
-  path: /opt/ligbox-spec-hub
+  description: Spec Hub Git + Portal
+  paths:
+    - .
+  deploy_to: /opt/ligbox-spec-hub

deploy/vm112-spec022

@@ -0,0 +1 @@
+../projects/wizard/deploy/vm112-spec022

deploy/vm112-wizard-security

@@ -0,0 +1 @@
+../projects/wizard/deploy/vm112-wizard-security

deploy/vm122-fossbilling

@@ -0,0 +1 @@
+../projects/finance/deploy/vm122-fossbilling

deploy/vm123-finance-stack

@@ -0,0 +1 @@
+../projects/finance/deploy/vm123-finance-stack

docker-compose.mvp.yml

@@ -1,39 +0,0 @@
-version: "3.8"
-services:
-  redis:
-    image: redis:7-alpine
-    restart: unless-stopped
-    command: redis-server --maxmemory 128mb --maxmemory-policy allkeys-lru
-    networks: [ops]
-  api:
-    build: ./api
-    restart: unless-stopped
-    env_file: .env
-    volumes:
-      - /var/lib/ligbox-ops-platform:/data
-    ports:
-      - "10.10.10.122:8080:8080"
-    depends_on: [redis]
-    networks: [ops]
-  worker:
-    build: ./worker
-    restart: unless-stopped
-    env_file: .env
-    environment:
-      OPS_API_URL: http://api:8080
-      AUDIT_INTERVAL_SEC: "600"
-      LEAD_SYNC_INTERVAL_SEC: "900"
-      ONBOARD_STALE_HOURS: "24"
-      OPS_INTERNAL_TOKEN: ${OPS_INTERNAL_TOKEN}
-    depends_on: [redis, api]
-    networks: [ops]
-  frontend:
-    build: ./frontend
-    restart: unless-stopped
-    ports:
-      - "10.10.10.122:8091:80"
-    depends_on: [api]
-    networks: [ops]
-networks:
-  ops:
-    driver: bridge

docker-compose.mvp.yml

@@ -0,0 +1 @@
+projects/ops-desk/docker-compose.mvp.yml

docs/vms/README.md

@@ -5,15 +5,29 @@
 
 > As specs **não vivem só na VM122** — descrevem o **ecossistema completo**. O código de cada VM está em `deploy/vm*` e é sincronizado via Git Forgejo.
 
----
+
+## Estrutura do monorepo
+
+```
+ligbox-ops-platform/
+├── specs/              # Spec Kit — cruzam VMs
+├── contracts/          # API/eventos partilhados
+├── projects/
+│   ├── wizard/         # VM112
+│   ├── ops-desk/       # VM122
+│   ├── finance/        # VM123
+│   └── integrations/   # VM104 Wazuh
+├── deploy/manifest.yaml
+└── docs/vms/
+```
 
 ## Mapa rápido
 
 | VM/CT | IP | SSH WAN | Papel | Deploy no repo |
 |-------|-----|---------|-------|----------------|
-| **112** | 10.10.10.112 | :2512 | Wizard onboard + Carbonio mail | `deploy/vm112-*` |
-| **122** | 10.10.10.122 | :2522 | Ops Desk API + worker + UI MVP | `api/` `frontend/` `worker/` |
-| **123** | 10.10.10.123 | :2523 | FOSSBilling + Odoo + OpenPanel + Console UI | `deploy/vm123-*` |
+| **112** | 10.10.10.112 | :2512 | Wizard onboard + Carbonio mail | `projects/wizard/` |
+| **122** | 10.10.10.122 | :2522 | Ops Desk API + worker + UI MVP | `projects/ops-desk/` |
+| **123** | 10.10.10.123 | :2523 | FOSSBilling + Odoo + OpenPanel + Console UI | `projects/finance/` |
 | **104** | 10.10.10.104 | :2504 | Wazuh SIEM | integração Spec 002, 019 |
 | **114** | 10.10.10.114 | — | Traefik (CT) | `docs/network/TRAEFIK_*` |
 | **130** | 10.10.10.130 | :2530 | **Spec Hub** Git + Obsidian + Portal | CT130 local |

frontend

@@ -0,0 +1 @@
+projects/ops-desk/frontend

projects/README.md

@@ -0,0 +1,29 @@
+# Projects — Ligbox Ops Platform
+
+Monorepo organizado por **domínio de negócio**. As **specs** ficam na raiz (`specs/`) porque muitas cruzam VMs.
+
+## Estrutura
+
+| Projecto | VM | Pasta | Papel |
+|----------|-----|-------|-------|
+| **Wizard** | VM112 | `projects/wizard/` | Onboard, Carbonio, purge, domínios |
+| **Ops Desk** | VM122 | `projects/ops-desk/` | API, worker, frontend MVP, RBAC |
+| **Finance** | VM123 | `projects/finance/` | FOSSBilling, Odoo, OpenPanel, console |
+| **Integrations** | VM104 | `projects/integrations/` | Wazuh SIEM |
+
+## Specs (raiz — partilhadas)
+
+```
+specs/001-031/     # Spec Kit — podem referir VM112 + VM122 + VM123
+contracts/         # OpenAPI, eventos partilhados
+docs/vms/          # Ficha por VM
+deploy/manifest.yaml  # O que cada VM faz pull/deploy
+```
+
+## Deploy por VM
+
+Ver `deploy/manifest.yaml` — cada VM recebe apenas os paths do seu projecto.
+
+## Retrocompatibilidade
+
+Symlinks na raiz (`api`, `worker`, `frontend`, `deploy/vm*`) apontam para `projects/` — VMs antigas continuam a funcionar até actualizarem scripts.

projects/finance/README.md

@@ -0,0 +1,34 @@
+# Finance — VM123 (FOSSBilling / Odoo / OpenPanel)
+
+**IP:** `10.10.10.123` · SSH WAN `:2523`
+
+## Conteúdo
+
+```
+deploy/
+  vm123-finance-stack/    # Docker stack, bootstrap, OpenPanel bridge
+  vm122-fossbilling/      # Integração FOSS (legado path)
+app/
+  vm123/                  # Clientes Odoo, FOSS, OpenPanel, provision
+```
+
+## Console UI
+
+Deploy separado em `specs/019-ops-console-active-operations/deploy/` → `/opt/ligbox-ops-console`
+
+## Specs relacionadas (raiz `specs/`)
+
+| Spec | Nome |
+|------|------|
+| 019 | ops-console-active-operations |
+| 023 | billing-recurrence-desk-visibility |
+| 024 | openpanel-fossbilling |
+
+## Bootstrap (VM123)
+
+```bash
+cd projects/finance/deploy/vm123-finance-stack
+./bootstrap-vm123.sh
+```
+
+→ [Ficha VM123](../../docs/vms/VM123.md)

projects/ops-desk/README.md

@@ -0,0 +1,36 @@
+# Ops Desk — VM122 (Motor de Operações)
+
+**IP:** `10.10.10.122` · SSH WAN `:2522` · Deploy: `/opt/ligbox-ops-platform`
+
+## Conteúdo
+
+```
+api/                  # FastAPI — serviço principal
+worker/               # Jobs async (audit, leads, onboard)
+frontend/             # UI MVP desk
+assets/               # Ícones, estáticos
+tests/                # Testes API
+docker-compose.mvp.yml
+legacy-app/           # Cópia histórica app/ (canónico: api/app/)
+```
+
+## Specs relacionadas (raiz `specs/`)
+
+| Spec | Nome |
+|------|------|
+| 003 | desk-auth-rbac |
+| 004 | desk-account-management |
+| 009 | ops-audit-overview |
+| 010 | desk-assist-takeover |
+| 012 | abandoned-onboarding-lead |
+| 015 | desk-module-registry |
+| 027 | desk-rbac-function-matrix |
+
+## Arrancar (VM122)
+
+```bash
+cd /opt/ligbox-ops-platform   # ou projects/ops-desk no hub
+docker compose -f docker-compose.mvp.yml up -d
+```
+
+→ [Ficha VM122](../../docs/vms/VM122.md)