[CLAUDE] Docs: STATUS + session log cho prod go-live + ERP shell + Notifications

docs/STATUS.md

@@ -2,19 +2,33 @@
 
 > **Update rule:** trước khi bắt đầu 1 task → ghi row vào `🔥 In Progress`. Xong → chuyển sang `✅ Recently Done`.
 
-**Last updated:** 2026-04-21 17:30
+**Last updated:** 2026-04-21 15:30 (post-prod-deploy)
 
-## 📍 Phase hiện tại: **IDOR + SLA Job xong** — gần đủ feature, chờ Gitea URL cho Phase 5 deploy prod
+## 📍 Phase hiện tại: **Đã go-live prod** — 3 domain HTTPS live, CI/CD xanh, Notifications module + ERP shell
+
+### 🌐 Production URLs
+- https://api.huypham.vn — API (Let's Encrypt, auto-renew via win-acme)
+- https://admin.huypham.vn — Admin FE (HTTP→HTTPS auto-redirect)
+- https://user.huypham.vn — User FE (HTTP→HTTPS auto-redirect)
+- https://git.baocaogiaoduc.vn/vietreport-admin/solution-erp — Gitea repo + Actions
+- Default admin: `admin@solutionerp.local` / `Admin@123456` ⚠️ **RE-ROTATE sau login đầu**
 
 ## 🔥 In Progress
 
-_(không có)_
+_(không có — chờ UAT + quyết Tier 3 tiếp theo)_
 
 ## ✅ Recently Done (newest on top)
 
 | Ngày | Ai | Task | Commit |
 |---|---|---|---|
-| 2026-04-21 | Claude | **IDOR + SLA Job + Admin warning** — ContractsController List/GetDetail filter theo role (non-admin chỉ thấy HĐ mình là Drafter hoặc role eligible phase). SlaExpiryJob BackgroundService auto-approve quá hạn mỗi 15min với Decision=AutoApprove. DbInitializer warn log khi admin vẫn dùng password default | (sắp commit) |
+| 2026-04-21 | Claude | **Fix login Network Error** — SPA web.config thêm HTTP→HTTPS redirect rule (CORS chỉ allow https origin, user gõ bare domain bị block) | `397eb36` |
+| 2026-04-21 | Claude | **Notifications module E2E** — Domain entity + EF migration + Infra service + CQRS (List/UnreadCount/MarkRead/MarkAllRead) + API controller + FE bells wire real endpoint + ContractWorkflowService emit notification cho Drafter khi phase transition. Foundation sẵn cho SignalR/email outbox | `49c0ddc` |
+| 2026-04-21 | Claude | **PermissionsPage improved** — search, stats badge, bulk column toggle, empty state icon | `6c0e206` |
+| 2026-04-21 | Claude | **ERP shell**: TopBar + NotificationBell + UserMenu (avatar + role badges). Layout tách `[sidebar] [topbar + content]` — foundation cho multi-module ERP | `2b6f91c` |
+| 2026-04-21 | Claude | **Tier 1 UI polish** — SlaTimer (inline + full variant, 5 chỗ), Inbox stat cards, DataTable skeleton rows, EmptyState component + MyContracts CTA | `290936a`..`2e43799` |
+| 2026-04-21 | Claude | **CI/CD deploy xanh E2E** — self-hosted Windows runner, single job build+deploy local, npm install fresh node_modules (Vite 8 rolldown binding), appsettings rendered từ secrets, /health/live 200 sau deploy | `b40da1e` |
+| 2026-04-21 | Claude | **VPS prod setup** — SQL DB (SQLEXPRESS), IIS sites (SolutionErp-Api/Admin/User), win-acme 3 Let's Encrypt certs + auto-renew, shared gitea-runner với VIETREPORT | `169e268`..`519ba85` |
+| 2026-04-21 | Claude | **IDOR + SLA Job + Admin warning** — ContractsController List/GetDetail filter theo role (non-admin chỉ thấy HĐ mình là Drafter hoặc role eligible phase). SlaExpiryJob BackgroundService auto-approve quá hạn mỗi 15min với Decision=AutoApprove. DbInitializer warn log khi admin vẫn dùng password default | `fba0754` |
 | 2026-04-21 | Claude | **Phase 5.1 Security + Users Mgmt** — Security headers + Identity lockout + LoginHandler check + Users CQRS + UsersController + FE `/system/users` | `11e61c9` |
 | 2026-04-21 | Claude | **Phase 5 Prep** — BE rate limit + health check + Serilog file + HSTS + scripts deploy-iis/backup-sql + .gitea/workflows/deploy.yml + 4 guides + FE refresh token queue pattern | `46a2cab` |
 | 2026-04-21 | Claude | **Phase 4 Report MVP + Docs Consolidation** — Dashboard KPI + Excel export + rules.md + architecture.md + schema-diagram.md + gotchas update 26 pitfalls | `fe7ad8e` |
@@ -36,17 +50,28 @@ Session logs: [P0](changelog/sessions/2026-04-21-1045-phase0-scaffold.md) · [P1
 
 ## 🎯 Next up
 
-### Phase 5 còn lại (cần Gitea URL)
+### Phase 5 (prod go-live)
 
-- [ ] Setup Gitea remote + push all commits
-- [ ] Enable Gitea Actions runner (Windows + Ubuntu)
-- [ ] Set 5 secrets trong Gitea (IIS_HOST/USER/PASSWORD/JWT_SECRET/DB_CONNECTION)
-- [ ] Test CI/CD workflow lần đầu trên staging
-- [ ] Windows Server setup IIS theo [`guides/deployment-iis.md`](guides/deployment-iis.md)
-- [ ] HTTPS cert (win-acme Let's Encrypt)
-- [ ] SQL Server prod + Task Scheduler backup
-- [ ] Smoke test end-to-end prod
-- [ ] UAT 1 tuần 2-3 user thật
+- [x] Gitea remote + push all commits
+- [x] Gitea Actions runner (self-hosted Windows, shared VIETREPORT runner)
+- [x] Secrets Gitea (JWT_SECRET, DB_CONNECTION — IIS_* deprecated sau rewrite workflow)
+- [x] CI/CD workflow xanh end-to-end
+- [x] Windows Server setup IIS (SolutionErp-Api/Admin/User)
+- [x] HTTPS cert (win-acme 3 Let's Encrypt + auto-renew)
+- [x] SQL Server prod (SQLEXPRESS) + vrapp db_owner
+- [x] Smoke test E2E: /health/ready Healthy, login JWT thật, FE live
+- [ ] **UAT 1 tuần 2-3 user thật** ← next
+- [ ] SQL backup Task Scheduler (script đã có, chưa schedule)
+- [ ] Rotate credentials (SA, vrapp, JWT, runner token) — 1 số đã post chat
+
+### Tier 3 ERP roadmap còn (lớn, để dành session sau)
+
+- [ ] Form template builder UI (field spec JSON editor, upload .docx/.xlsx admin)
+- [ ] PDF export (LibreOffice headless pipeline hoặc QuestPDF re-render)
+- [ ] SignalR real-time push (extend NotificationService, IHubContext)
+- [ ] Email outbox cho Notification (MailKit, SMTP config)
+- [ ] .doc → .docx conversion UI/pipeline (3 file pending)
+- [ ] Attachment upload BE endpoint + FE drag-drop
 
 ### Phase 5.1 Security — hầu như xong