[CLAUDE] Rebrand: 3 domain huypham.vn → solutions.com.vn + migrate script

User request: anh trỏ 3 subdomain mới về VPS IP 103.124.94.38:
  - api.huypham.vn        → api.solutions.com.vn
  - admin.huypham.vn      → admin.solutions.com.vn
  - user.huypham.vn       → eoffice.solutions.com.vn

Verified DNS: cả 3 resolve 103.124.94.38 ✓

Update 17 file repo:
FE (4): fe-admin/.env.production + fe-user/.env.production
        (VITE_API_BASE_URL → https://api.solutions.com.vn)
        fe-admin/src/lib/{api,realtime}.ts + fe-user equivalents (comment)
BE (1): appsettings.Production.json.example — CORS AllowedOrigins
CI/CD (1): .gitea/workflows/deploy.yml — smoke test URL
Scripts (3): setup-iis-sites (DomainApi/Admin/User), setup-ssl (3 host),
             deploy-all (verify curls)
Docs (5): STATUS, HANDOFF, PROJECT-MAP, vps-setup, gotchas
Skill (1): iis-deploy-runbook — 3 site table + description
Email admin@huypham.vn giữ nguyên (Let's Encrypt contact — không phải
domain serve).

Thêm scripts/migrate-domains.ps1 — 1-shot VPS migration:
  1. Pre-flight: resolve DNS 3 domain → verify IP VPS khớp
  2. Add HTTP binding mới cho 3 IIS site (giữ binding cũ làm fallback)
  3. Run win-acme xin 3 cert Let's Encrypt qua HTTP-01 challenge
     (auto add HTTPS binding + http→https redirect)
  4. Verify /health/live + /health/ready + 2 FE endpoint
  5. (Optional -RemoveOld) xóa binding huypham.vn sau verify OK
Rollback: nếu fail, binding cũ vẫn active → site serve qua huypham.vn.

Anh chạy trên VPS:
  cd C:\solution-erp\scripts  ;  .\migrate-domains.ps1
  # Sau 1-2 ngày verify stable:
  .\migrate-domains.ps1 -RemoveOld -SkipCert

.claude/skills/iis-deploy-runbook/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: iis-deploy-runbook
-description: Ops runbook cho SOLUTION_ERP deploy trên Windows Server IIS — 3 site (api/admin/user.huypham.vn), win-acme Let's Encrypt, NSSM gitea-runner shared với VIETREPORT, LibreOffice soffice headless. Dùng khi debug 500/502 prod, restart site, rotate cert, fix CI/CD runner, troubleshoot WebSocket, thêm site mới.
+description: Ops runbook cho SOLUTION_ERP deploy trên Windows Server IIS — 3 site (api/admin/eoffice.solutions.com.vn), win-acme Let's Encrypt, NSSM gitea-runner shared với VIETREPORT, LibreOffice soffice headless. Dùng khi debug 500/502 prod, restart site, rotate cert, fix CI/CD runner, troubleshoot WebSocket, thêm site mới.
 when-to-use:
   - "prod 500 error"
   - "IIS site fail"
@@ -27,7 +27,7 @@ Internet
 ┌─────────────────────────────────────────────────────┐
 │ IIS (Windows Server VPS)                            │
 │                                                      │
-│ ┌─ api.huypham.vn  ─┐  ┌─ admin.huypham.vn ─┐  ┌─ user.huypham.vn ─┐
+│ ┌─ api.solutions.com.vn  ─┐  ┌─ admin.solutions.com.vn ─┐  ┌─ eoffice.solutions.com.vn ─┐
 │ │ SolutionErp-Api    │  │ SolutionErp-Admin  │  │ SolutionErp-User  │
 │ │ → out-of-process   │  │ (static SPA, URL   │  │ (static SPA, URL  │
 │ │   Kestrel :5443    │  │  Rewrite /api → 5443)│ │  Rewrite...)      │
@@ -46,9 +46,9 @@ Internet
 
 | Site | Binding | Physical path | Apool | Purpose |
 |---|---|---|---|---|
-| `SolutionErp-Api` | `*:443:api.huypham.vn` HTTPS | `C:\inetpub\apps\SolutionErp\Api\` | out-of-process Kestrel | ASP.NET Core 10 API (port 5443 internal) |
-| `SolutionErp-Admin` | `*:443:admin.huypham.vn` HTTPS + `*:80` redirect | `C:\inetpub\apps\SolutionErp\Admin\` | static (no app pool .NET) | React build fe-admin |
-| `SolutionErp-User` | `*:443:user.huypham.vn` HTTPS + `*:80` redirect | `C:\inetpub\apps\SolutionErp\User\` | static | React build fe-user |
+| `SolutionErp-Api` | `*:443:api.solutions.com.vn` HTTPS | `C:\inetpub\apps\SolutionErp\Api\` | out-of-process Kestrel | ASP.NET Core 10 API (port 5443 internal) |
+| `SolutionErp-Admin` | `*:443:admin.solutions.com.vn` HTTPS + `*:80` redirect | `C:\inetpub\apps\SolutionErp\Admin\` | static (no app pool .NET) | React build fe-admin |
+| `SolutionErp-User` | `*:443:eoffice.solutions.com.vn` HTTPS + `*:80` redirect | `C:\inetpub\apps\SolutionErp\User\` | static | React build fe-user |
 
 **SPA web.config:** 2 FE có `URL Rewrite` rule:
 1. HTTP → HTTPS redirect (bắt buộc, CORS whitelist chỉ https)
@@ -94,7 +94,7 @@ curl http://127.0.0.1:5443/health/live
 curl http://127.0.0.1:5443/health/ready
 
 # Từ ngoài
-curl https://api.huypham.vn/health/ready
+curl https://api.solutions.com.vn/health/ready
 ```
 
 ## Let's Encrypt cert — win-acme
@@ -237,9 +237,9 @@ Xem gotcha #26:
 
 Xem `docs/gotchas.md` CORS + HTTPS redirect:
 ```
-1. User gõ http://admin.huypham.vn → không redirect → CORS block
+1. User gõ http://admin.solutions.com.vn → không redirect → CORS block
 2. Fix: SPA web.config PHẢI có HTTP→HTTPS rule (đã có)
-3. Test: curl -I http://admin.huypham.vn → expect 301 Location: https://...
+3. Test: curl -I http://admin.solutions.com.vn → expect 301 Location: https://...
 ```
 
 ### DB connection fail
@@ -349,9 +349,9 @@ VietReport.
 **Hiện trạng SOLUTION_ERP — risk THẤP:**
 
 - API host trong IIS app pool out-of-process → ANCM quản lý port Kestrel ephemeral
-- FE gọi trực tiếp `https://api.huypham.vn` qua CORS (không ARR proxy)
+- FE gọi trực tiếp `https://api.solutions.com.vn` qua CORS (không ARR proxy)
 - Không có standalone Kestrel service trên port cố định
-- **Nhưng** tương lai nếu thêm reverse proxy (fe-admin/user → `/api` → api.huypham.vn, hoặc /hubs for SignalR) → PHẢI dùng 127.0.0.1 không localhost
+- **Nhưng** tương lai nếu thêm reverse proxy (fe-admin/user → `/api` → api.solutions.com.vn, hoặc /hubs for SignalR) → PHẢI dùng 127.0.0.1 không localhost
 
 ## Related