Skip to content
This repository was archived by the owner on Jul 6, 2026. It is now read-only.

fix: bring runtime-config fix from main into develop + add frontend .env.example#96

Merged
EdiAsllani merged 9 commits into
developfrom
fix/frontend-api-url-env-config
Jun 12, 2026
Merged

fix: bring runtime-config fix from main into develop + add frontend .env.example#96
EdiAsllani merged 9 commits into
developfrom
fix/frontend-api-url-env-config

Conversation

@EdiAsllani

Copy link
Copy Markdown
Collaborator

Context

Manual testing on the deployed frontend (web.project-01.gjirafa.dev) found every API call going to http://localhost:8080 — the NEXT_PUBLIC_API_BASE_URL build-time value was never baked into the deployed image, leaving the localhost fallback in the JS bundles.

Investigation showed this was already fixed on main (PRs #93#95, deployed 2026-06-11): the frontend now uses runtime config injection — the container entrypoint writes public/__env.js (window.__ENV) from APP_* env vars at startup, resolved by lib/clientEnv.ts (window.__ENVNEXT_PUBLIC_* build/dev fallback → localhost). Verified live: https://web.project-01.gjirafa.dev/__env.js serves the correct production URLs, and the deployed API correctly returns 401 for missing/invalid JWTs.

But develop had none of this — it was 7 commits behind main.

What this PR does

  1. Back-merges origin/main into develop (clean merge, no conflicts) so develop carries the runtime-config fix, prod hardening, and today's bug fixes. Develop's two unique security commits (project-member visibility + /metrics lockdown) are preserved.
  2. Adds frontend/client/.env.example documenting every frontend env var: NEXT_PUBLIC_API_BASE_URL, NEXT_PUBLIC_KEYCLOAK_URL, NEXT_PUBLIC_ADMIN_HOST (build-time only — Edge middleware can't see window.__ENV), NEXT_PUBLIC_ENABLE_RBAC, PostHog pair — plus how the three-tier resolution works and the deployed APP_* equivalents in devops/helm/loopless/values.yaml.
  3. Un-ignores .env.example in frontend/client/.gitignore (.env* was swallowing it).

Verification

  • Backend solution builds with 0 warnings / 0 errors after the merge
  • All 29 unit tests pass (incl. develop's visibility-guard tests + main's notification-flow tests)
  • Frontend tree after merge is identical to main, which is deployed and green

Audit notes (no action needed)

  • Backend CORS and Keycloak config are fully env-driven; Helm sets prod origins and authority URLs ✅
  • All client-read vars correctly use the NEXT_PUBLIC_ prefix; no server secrets exposed ✅
  • Leftover: NEXT_PUBLIC_SIGNALR_URL in ci.yml quality job env is referenced by no code (hubs derive from the API base URL) — harmless, can be removed in a future CI touch-up

🤖 Generated with Claude Code

Enes1998 and others added 9 commits June 10, 2026 15:41
…tatus, cleanup

security: gate Swagger/OpenAPI + dev pages to non-prod; add owner/member guard on standup analytics (IDOR); stop returning email from user search; fix project moderation takedown

auth: request offline_access so sessions survive browser restart

realtime: deliver new-conversation messages via per-user SignalR group

frontend: runtime env injection via window.__ENV (image now env-agnostic); responsive profile/project headers; fix archive + submit-standup cache invalidation

feat(summary): ProjectSummary status pipeline, job enqueuer, orphan cleanup, GitHub webhook secret, pgvector HNSW index

devops: Next.js standalone image + non-root runtime entrypoint; Trivy gate raised to CRITICAL,HIGH

chore: remove dead code (FE: FilterPanel/SortDropdown, unused exports, clsx/tailwind-merge; BE: MyConcreteJob, SeedData)

fix: ExecuteDeleteAsync ambiguity, GitHubSyncJob summary enqueue, migration [Migration] attributes

test: standup-analytics authorization test; unit 29/29 + integration 26/26 green

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
feat: prod hardening, security + bug fixes, runtime config, summary-s…
revert Trivy image gate CRITICAL,HIGH -> CRITICAL (backend image carries fixable HIGH CVEs; matches prior green runs #90-92)

exclude devops/aiops/sanitize.test.js from TruffleHog (fixture connection strings, no real credentials)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Fix NotificationEndpoints and InAppNotificationService to avoid null refs and improve delivery
Harden ProjectEndpoints, Program.cs, GitHubService, and TriggerCommitSync handler for reliable syncs
Update frontend RealtimeProvider, NotificationBell, messages and project pages to handle missing data
Adjust integration tests (NotificationsFlowTests)
Add new MarkRead notification feature (untracked folder)
Testing: update/verify with dotnet test and frontend test suites; rely on CI for full validation.
fix(ci): stabilize CI and fix notification & project sync issues
…nfig

Documents every NEXT_PUBLIC_* variable the frontend reads, the
window.__ENV runtime-injection mechanism (APP_* vars written to
public/__env.js by the container entrypoint), and which deployed
values live in devops/helm/loopless/values.yaml. Un-ignores
.env.example so it can be tracked.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@EdiAsllani EdiAsllani merged commit 0af43bd into develop Jun 12, 2026
6 checks passed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants