Document production auth readiness

[BASIC-BIT]

Summary

• document production Convex Auth JWT key requirements
• record verified production Google and Discord OAuth account sessions
• capture the stdin-based key setup path for PEM values

Validation

• pnpm lint:markdown
• pnpm build:docs
• production Discord sign-in smoke: https://vrdex.net/sign-in -> authenticated /account

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
vr-dex-web	Ready	Preview, Comment	Jun 22, 2026 5:39am

[github-actions]

Storybook Component Screenshot Preview

Outcome: success
Run: https://github.com/BASIC-BIT/VRDex/actions/runs/27931988669
Artifact: storybook-component-preview

Screenshots: primitive component stories captured on desktop and mobile.

This lane is separate from full-route Playwright screenshots and focuses on design-system component regressions.

[github-actions]

Storybook Image Diff

Outcome: success
Run: https://github.com/BASIC-BIT/VRDex/actions/runs/27931988669
Artifact: storybook-image-diff

Changed Storybook baselines: none in this PR.

This check compares design-system component screenshots against committed baselines. Inline images show only added or modified Storybook baseline PNGs.

[github-actions]

Playwright Hosted Data-Flow

Outcome: success
Target: https://staging.vrdex.net
Hosted extended profile flow: enabled
Hosted auth helpers: enabled
Hosted adapter helpers: enabled
Run: https://github.com/BASIC-BIT/VRDex/actions/runs/27931988669
Artifact: playwright-hosted-data-flow

This optional check runs the mutation-backed profile flow against a configured hosted dev/staging target with isolated E2E test data.

[github-actions]

Playwright Data-Flow Preview

Outcome: success
Run: https://github.com/BASIC-BIT/VRDex/actions/runs/27931988669
Artifact: playwright-data-flow

Captured flow:

• test-gated profile submission form
• gated helper rejection without the Playwright token
• Convex profile creation
• submission success state
• public profile page readback
• discovery search readback

Artifacts include screenshots, traces, and recorded video for the flow run.

[github-actions]

Playwright Image Diff

Outcome: success
Run: https://github.com/BASIC-BIT/VRDex/actions/runs/27931988669
Artifact: playwright-image-diff

Changed screenshot baselines: none in this PR.

This check compares public route screenshots against committed baselines. Inline images show only added or modified baseline PNGs.

[github-actions]

Playwright Public Screenshot Preview

Outcome: success
Run: https://github.com/BASIC-BIT/VRDex/actions/runs/27931988669
Artifact: playwright-public-preview

Screenshots: all public route checks passed on desktop and mobile.

Full screenshot set is available in the artifact. Pixel diff baselines are handled by the separate Playwright Image Diff check.

[github-actions]

Vercel Preview Deployment

Preview: https://vr-dex-3ekarpjn6-basicbit.vercel.app
Deployment check: https://vr-dex-3ekarpjn6-basicbit.vercel.app/deployment
Run: https://github.com/BASIC-BIT/VRDex/actions/runs/27931988669

[greptile-apps]

Greptile Summary

This PR documents the completed production auth readiness work: production Convex Auth environment variables, verified Google and Discord OAuth flows against https://db.vrdex.net, and the stdin-based path for setting PEM-valued JWT keys.

• convex-environments.md promotes the "Custom Domain Plan" section to a completed runbook, adds a production Convex Auth env-name block, and refines JWT key setup guidance to mention the stdin approach.
• vercel-preview.md adds a "Hosted production environment" section capturing production Vercel env vars and the current verified auth status for both OAuth providers.

Confidence Score: 4/5

Documentation-only change with no runnable code; safe to merge with the two minor doc inconsistencies noted.

The staging callback note in vercel-preview.md describes the custom-domain migration as still pending, while convex-environments.md records it as already complete. A developer reading only the former file might re-add the old convex.site redirect URI when rotating credentials. The JWT stdin setup also lacks a concrete example command. Neither issue affects running code.

The staging Auth-callback paragraph in vercel-preview.md (line 111) should be updated to reflect the already-completed migration status.

Important Files Changed

Filename	Overview
docs/deployment/convex-environments.md	Adds production Convex Auth env names, updates custom-domain section from plan to completed runbook, and refines JWT key setup guidance. Minor gap: stdin piping syntax is described but not demonstrated with an example command.
docs/deployment/vercel-preview.md	Adds hosted production environment section with Vercel env vars and verified OAuth status. Staging callback note uses conditional "once…verified" language that contradicts the already-completed state recorded in convex-environments.md.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant User
    participant Vercel as Vercel (vrdex.net)
    participant Convex as Convex API (superb-pig-954.convex.cloud)
    participant ConvexAuth as Convex Auth HTTP (db.vrdex.net)
    participant OAuth as OAuth Provider (Google / Discord)

    User->>Vercel: GET /sign-in
    Vercel->>User: Sign-in page
    User->>ConvexAuth: Initiate OAuth (via Convex Auth)
    ConvexAuth->>OAuth: Redirect to provider
    OAuth->>User: Auth consent
    User->>OAuth: Grant
    OAuth->>ConvexAuth: "Callback to /api/auth/callback/{provider}"
    ConvexAuth->>ConvexAuth: Mint session cookie (JWT_PRIVATE_KEY + JWKS)
    ConvexAuth->>Vercel: Redirect to /account
    Vercel->>Convex: Server-side Convex query (CONVEX_URL)
    Convex->>Vercel: Authenticated data
    Vercel->>User: Authenticated /account page

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant User
    participant Vercel as Vercel (vrdex.net)
    participant Convex as Convex API (superb-pig-954.convex.cloud)
    participant ConvexAuth as Convex Auth HTTP (db.vrdex.net)
    participant OAuth as OAuth Provider (Google / Discord)

    User->>Vercel: GET /sign-in
    Vercel->>User: Sign-in page
    User->>ConvexAuth: Initiate OAuth (via Convex Auth)
    ConvexAuth->>OAuth: Redirect to provider
    OAuth->>User: Auth consent
    User->>OAuth: Grant
    OAuth->>ConvexAuth: "Callback to /api/auth/callback/{provider}"
    ConvexAuth->>ConvexAuth: Mint session cookie (JWT_PRIVATE_KEY + JWKS)
    ConvexAuth->>Vercel: Redirect to /account
    Vercel->>Convex: Server-side Convex query (CONVEX_URL)
    Convex->>Vercel: Authenticated data
    Vercel->>User: Authenticated /account page

Loading

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
docs/deployment/vercel-preview.md:111
**Staging custom-domain note is stale/conditional when it's already complete**

The note says callbacks "should use `https://db.staging.vrdex.net` once the Convex HTTP Actions custom domain is verified … and the domain is selected as `CONVEX_SITE_URL`" — framing all three conditions as future gates. However, `docs/deployment/convex-environments.md` line 112 records that all three conditions are already satisfied: the domain is verified, both OAuth providers accept the new callback URL, and `CONVEX_SITE_URL` is selected. A reader looking only at this file will think the migration is still pending and might re-add the old `convex.site` callback URL when rotating credentials.

### Issue 2 of 2
docs/deployment/convex-environments.md:78
**stdin piping example is absent**

The line says to set `JWT_PRIVATE_KEY` and `JWKS` "with the values piped through stdin" but never shows the actual shell incantation. A developer following these instructions cold won't know whether to use `echo … |`, a heredoc, `pbpaste |`, or another form. Without an example, the warning about PEM dashes is helpful context but the instructions are not actionable.

_{Reviews (1): Last reviewed commit: "Document production auth readiness" | Re-trigger Greptile}

[BASIC-BIT]

Accepted Greptile's two doc findings.

• Updated the staging callback-host wording to say the db.staging.vrdex.net migration is already complete.
• Added a concrete PowerShell stdin example for setting JWT_PRIVATE_KEY and JWKS without exposing PEM values as positional CLI options.

Pushing the follow-up commit next.