fix: production-readiness blockers — Polar prod fallback, CI gate, base-image pinning#38
Draft
cooper (czxtm) wants to merge 1 commit into
Conversation
…e-image pinning)

- auth: fail-fast in production when Polar product IDs are unconfigured instead of silently serving sandbox products (which would not charge real cards). Adds a `strict` flag so the webhook inverse-lookup still resolves ids across envs.
- ci: add a lightweight PR gate (vp check + vp test via setup-vp), kept separate from the heavy Nix `om ci` workflow which stays workflow_dispatch-only.
- nix(containers): refuse to build from an unpinned base image (still lib.fakeSha256) with a clear, actionable error instead of a cryptic hash mismatch; document pinning via nix-prefetch-docker.

https://claude.ai/code/session_01TMCMpDmbLomRBZbg3FpvMV
Comment on lines +18 to +35
| name: check & test | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up Vite+ toolchain | ||
| uses: voidzero-dev/setup-vp@v1 | ||
| with: | ||
| cache: true | ||
|
|
||
| - name: Install dependencies | ||
| run: vp install | ||
|
|
||
| - name: Format, lint, and typecheck | ||
| run: vp check | ||
|
|
||
| - name: Run tests | ||
| run: vp test |
Contributor
Preview deployed to
Contributor
Docs preview deployed to
Production-readiness blockers

From this session's production-readiness audit. The hosted E2E smoke harness already landed in #37; this PR fixes the three prod blockers surfaced by the audit.

1. 🔴 Polar silently fell back to sandbox in production

`packages/auth/src/lib/polar-products.ts` returned `process.env.POLAR_*_PRODUCTION ?? SANDBOX_*` for `production`. If a prod env var was missing (or `STACKPANEL_DEPLOY_ENV`/`NODE_ENV` was unset), real users would get sandbox products and checkouts would not charge real cards — with no error.

`strict` flag (default `true`); `planForProduct()` (webhook inverse-lookup, which walks all envs) calls it with `strict: false` so it still resolves ids outside a prod runtime.

2. 🔴 No build/test/typecheck gate on PRs

`ci.yml` (`om ci`) and `test-fixtures.yml` have their `push`/`pull_request` triggers commented out (CodeQL + preview deploys run, but nothing compiles/tests the code).

`.github/workflows/ci-checks.yml`: a lightweight PR gate running `vp check` + `vp test` via `setup-vp` (the repo's documented Vite+ CI integration), kept separate from the heavy Nix `om ci` (which stays `workflow_dispatch`-only).

3. 🔴 Container base images not pinned

`nix/stackpanel/lib/containers.nix`: `node`/`alpine`/`distroless`/`nginx` carried placeholder digests (`sha256:latest`, etc.) + `lib.fakeSha256`; only `bun` (the prod runtime) is pinned.

`pullBaseImage` now refuses to build from an unpinned base image with a clear, actionable error instead of a cryptic `fakeSha256` mismatch, and documents pinning via `nix-prefetch-docker`.

Validation & caveats

- `containers.nix` was not `nix eval`-validated — this sandbox has no Nix. Standard `assert lib.assertMsg` idiom; please confirm in a Nix env.
- `ci-checks.yml` runs on this PR — it may surface pre-existing check/test failures (that's the point of adding the gate).
- `nix-prefetch-docker` (Nix tooling) and is left as a follow-up with instructions in-code.

https://claude.ai/code/session_01TMCMpDmbLomRBZbg3FpvMV
Generated by Claude Code
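The first blocker above is easiest to see with the two behaviours side by side. What follows is an added example, not code from the stackpanel repo or from this PR: a minimal product-id resolver in the shape the description gives, with the old `?? SANDBOX_*` fallback kept for contrast and a `strict` flag on the fixed version. Every identifier (`Plan`, `PLANS`, `SANDBOX_IDS`, `deployEnvFrom`, `productIdBefore`, `productId`, `planForProduct`) and the `POLAR_<PLAN>_PRODUCTION` variable naming are assumptions, as are the sandbox ids, which are constructed placeholders.

```typescript
// Added example, not the project's polar-products.ts. All names and the
// env-var scheme below are assumptions made for illustration.

type Plan = "pro" | "team";
type DeployEnv = "production" | "sandbox";
type Env = Record<string, string | undefined>;

const PLANS: readonly Plan[] = ["pro", "team"];
const DEPLOY_ENVS: readonly DeployEnv[] = ["production", "sandbox"];

// Constructed sandbox ids (placeholders, not real Polar product ids).
const SANDBOX_IDS: Record<Plan, string> = {
  pro: "sbx_pro_0000",
  team: "sbx_team_0000",
};

function prodVarName(plan: Plan): string {
  return `POLAR_${plan.toUpperCase()}_PRODUCTION`;
}

// Deploy env from STACKPANEL_DEPLOY_ENV, falling back to NODE_ENV. Anything
// other than "production" (including both markers unset) is sandbox, which is
// exactly why the production lookup below must not quietly hand out sandbox ids.
function deployEnvFrom(env: Env): DeployEnv {
  const marker = env["STACKPANEL_DEPLOY_ENV"] ?? env["NODE_ENV"];
  return marker === "production" ? "production" : "sandbox";
}

// BEFORE (the bug the PR fixes): a missing production var silently yields the
// sandbox id, so a production checkout would be created against a sandbox
// product and never charge a real card.
function productIdBefore(plan: Plan, deployEnv: DeployEnv, env: Env): string {
  return deployEnv === "production"
    ? env[prodVarName(plan)] ?? SANDBOX_IDS[plan]
    : SANDBOX_IDS[plan];
}

// AFTER: in production an unconfigured id is an error. A caller may opt out
// with strict:false, in which case it gets undefined, never the sandbox id.
function productId(
  plan: Plan,
  deployEnv: DeployEnv,
  env: Env,
  opts: { strict?: boolean } = {},
): string | undefined {
  const strict = opts.strict ?? true;
  if (deployEnv !== "production") return SANDBOX_IDS[plan];
  const id = env[prodVarName(plan)];
  if (id !== undefined && id.length > 0) return id;
  if (strict) {
    throw new Error(
      `Polar product id for plan "${plan}" is not configured in production; ` +
        `set ${prodVarName(plan)} (refusing to fall back to the sandbox id).`,
    );
  }
  return undefined;
}

// Webhook inverse lookup: walks every plan across every env, so it must not
// throw just because one production var is unset. strict:false turns those
// entries into undefined, and sandbox ids still resolve to their sandbox plan.
function planForProduct(
  polarProductId: string,
  env: Env,
): { plan: Plan; deployEnv: DeployEnv } | undefined {
  for (const plan of PLANS) {
    for (const deployEnv of DEPLOY_ENVS) {
      const id = productId(plan, deployEnv, env, { strict: false });
      if (id !== undefined && id === polarProductId) return { plan, deployEnv };
    }
  }
  return undefined;
}
```

The point of the split is that there are two callers with different failure budgets: checkout creation runs once per real user and must crash loudly if the runtime is misconfigured, while the webhook handler runs against ids that may belong to any env and only needs a best-effort reverse map. Passing `env` explicitly instead of reading `process.env` inside the functions is what makes the misconfigured case testable.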