update Spliit expense sharing app v1.19.1 #48

Open
BookJJun-IJ wants to merge 2 commits into Yundera:main from BookJJun-IJ:Spliit

Conversation

@BookJJun-IJ

Member

Summary

Update Spliit (v1.19.1) with Yundera AppStore conventions — Caddy reverse proxy, resource limits, cpu_shares, multi-language metadata.

Architecture

Service        Image                              cpu_shares
nginxhashlock  yundera/nginx-hash-lock:latest     80
spliit         ghcr.io/spliit-app/spliit:1.19.1   70
db             postgres:16.13-alpine              50

  • nginx-hash-lock:latest is a Yundera-maintained image
  • Internal network: spliit-network (bridge)
  • External network: pcs (Caddy via nginxhashlock)

Submission Checklist

Tech Checklist

  • Proper file permissions — user: 0:0, volumes mapped to /DATA/AppData/$AppID/
  • Migration path — PostgreSQL handles migrations
  • Pre-install/post-install commands — N/A

Security Checklist

  • Default authentication — Spliit is a public expense sharing app (no auth required by design)
  • No hardcoded credentials — uses $PCS_DEFAULT_PASSWORD for DB
  • Specific version tags — spliit:1.19.1, postgres:16.13-alpine (nginx-hash-lock:latest is Yundera image)

Functionality Checklist

  • Works immediately after installation
  • Data mapped to /DATA/AppData/$AppID/pgdata
  • No manual configuration required
  • Data persistence — PostgreSQL data persists
  • cpu_shares set on all services — nginxhashlock: 80, spliit: 70, db: 50
  • Fresh installation tested
  • Uninstall/reinstall tested

Documentation Checklist

  • Clear description — en_us, ko_kr, zh_cn, fr_fr, es_es
  • Tagline in 5 languages
  • Icon and screenshots provided, CDN URLs point to Yundera/AppStore@main

@krizcold

Member

Do note that SPLIIT 1.19.1 does not work; their GitHub repo failed to build and the version is not available.
Please test versions before updating to ensure they install properly.

@Maelisse2002

Maelisse2002 commented Apr 22, 2026

Collaborator

🤖 AI Pre-Check

Decision: ⚠️ ai-reviewed:needs-review
Tech review (incl. security): needed — db volume source path edited (/DATA/AppData/spliit/ → /DATA/AppData/$AppID/, resolves to same dir) + root-exception rationale to validate.
Commit: 0dbe02b | Checklist source: CONTRIBUTING.md@main

Apps in this PR

  • Spliit — update (hardening). The spliit app image is unchanged at 1.19.0 even though the PR is titled v1.19.1.

AI static checks

  • ✅ Specific version tags — nginx 1.0.7, postgres 16.13-alpine, spliit 1.19.0 (fixes prior :latest on nginx)
  • ✅ No hardcoded credentials — removes prior USER: admin / PASSWORD: spliit; DB uses $APP_DEFAULT_PASSWORD
  • ✅ Volumes under /DATA/AppData/spliit/ (via $AppID)
  • user: set on all services (0:0)
  • cpu_shares set on all services (80 / 50 / 50)
  • x-casaos metadata present (icon, screenshots, thumbnail, description)
  • ✅ Asset URLs point to Yundera/AppStore@main
  • ✅ Auth present — nginx-hash-lock sidecar (AUTH_HASH); also drops privileged + cap_add
  • ➖ pre/post-install-cmd — none present

→ Tier 2 must verify (human)

  • Works immediately after installation
  • Fresh installation tested
  • Uninstall / reinstall preserves data
  • Migration from previous version succeeds

Notes for reviewers

  • rationale.md claims a root exception — quote: "All three services run as user: 0:0 (root)." with reason "spliit: The Node.js application runs Prisma database migrations on startup, which requires write access to the working directory. Running as non-root causes migration failures." Volumes map only to AppData. A human must judge whether the root rationale is acceptable.
  • Version mismatch: title says v1.19.1 but the spliit image stays 1.19.0. Maintainer @krizcold notes 1.19.1 "does not work, their GitHub repo failed to build and the version is not available." Net effect of this PR is hardening (pin nginx, drop privileged/cap_add, remove hardcoded basic-auth creds), not a version bump.
  • Reviewed against current main; the PR's merge-base diff is a subset because main has advanced.

Next step

→ Tier 2 functional review, then tech + security review (db volume source edited; root-exception rationale to validate).


Generated by AI pre-check. Checklist read live from CONTRIBUTING.md on main. Labels are the machine-readable verdict; this comment is the human-readable explanation. Humans own the merge.

@Maelisse2002 added labels ai-reviewed:pass (AI pre-check: all static checks passed) and tech-review:not-needed (Metadata/version-only — no tech review) on Apr 22, 2026
@Maelisse2002 added labels ai-reviewed:needs-review (AI pre-check: ambiguity flagged) and tech-review:needed (Tech + security review required), and removed labels ai-reviewed:pass (AI pre-check: all static checks passed) and tech-review:not-needed (Metadata/version-only — no tech review) on Jun 9, 2026
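
The static checks discussed in this thread (pinned image tags, no privileged/cap_add, user and cpu_shares on every service, volumes under /DATA/AppData/$AppID/, PR title version versus image tag) can be expressed as a small linter over a parsed compose file. This is an added example, not code from the PR or from Yundera's tooling; the `SERVICES` mapping is a constructed sample built from names and tags quoted above, and the finding labels and the db mount target are assumptions.

```python
import re

# Constructed sample: a parsed docker-compose "services" mapping. Service names
# and image tags are the ones quoted in this thread; it is not the PR's file.
SERVICES = {
    "nginxhashlock": {"image": "yundera/nginx-hash-lock:latest",
                      "user": "0:0", "cpu_shares": 80},
    "spliit": {"image": "ghcr.io/spliit-app/spliit:1.19.0",
               "user": "0:0", "cpu_shares": 70},
    "db": {"image": "postgres:16.13-alpine", "user": "0:0", "cpu_shares": 50,
           # mount target is an assumption (standard postgres data directory)
           "volumes": ["/DATA/AppData/$AppID/pgdata:/var/lib/postgresql/data"]},
}
PR_TITLE = "update Spliit expense sharing app v1.19.1"

def image_tag(image):
    """Return the tag (or digest) of an image reference, None if it has neither."""
    last = image.rsplit("/", 1)[-1]      # skip any ':' in a registry host:port
    for sep in ("@", ":"):
        if sep in last:
            return last.split(sep, 1)[1]
    return None

def lint(services, title, main_service):
    """Return (service, finding) pairs; finding labels are hypothetical names."""
    findings = []
    for name, svc in services.items():
        if image_tag(svc.get("image", "")) in (None, "latest"):
            findings.append((name, "unpinned-image"))
        if svc.get("privileged") or svc.get("cap_add"):
            findings.append((name, "privileged-or-cap_add"))
        if "user" not in svc:
            findings.append((name, "missing-user"))
        elif str(svc["user"]).split(":")[0] in ("0", "root"):
            findings.append((name, "runs-as-root"))   # needs a written rationale
        if "cpu_shares" not in svc:
            findings.append((name, "missing-cpu_shares"))
        for vol in svc.get("volumes", []):
            src = vol.split(":", 1)[0]
            if src.startswith("/") and not src.startswith("/DATA/AppData/$AppID/"):
                findings.append((name, "volume-outside-appdata"))
    # Compare the version claimed in the PR title with the image actually pinned.
    m = re.search(r"v(\d+(?:\.\d+)+)", title)
    tag = image_tag(services[main_service]["image"])
    if m and tag != m.group(1):
        findings.append((main_service, f"title-says-{m.group(1)}-image-is-{tag}"))
    return findings

if __name__ == "__main__":
    for service, issue in lint(SERVICES, PR_TITLE, "spliit"):
        print(f"{service}: {issue}")
```
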
3 participants