This repository was archived by the owner on Jul 6, 2026. It is now read-only.
fix: bring runtime-config fix from main into develop + add frontend .env.example#96
Merged
Merged
Conversation
Fix CI/CD pipeline
…tatus, cleanup security: gate Swagger/OpenAPI + dev pages to non-prod; add owner/member guard on standup analytics (IDOR); stop returning email from user search; fix project moderation takedown auth: request offline_access so sessions survive browser restart realtime: deliver new-conversation messages via per-user SignalR group frontend: runtime env injection via window.__ENV (image now env-agnostic); responsive profile/project headers; fix archive + submit-standup cache invalidation feat(summary): ProjectSummary status pipeline, job enqueuer, orphan cleanup, GitHub webhook secret, pgvector HNSW index devops: Next.js standalone image + non-root runtime entrypoint; Trivy gate raised to CRITICAL,HIGH chore: remove dead code (FE: FilterPanel/SortDropdown, unused exports, clsx/tailwind-merge; BE: MyConcreteJob, SeedData) fix: ExecuteDeleteAsync ambiguity, GitHubSyncJob summary enqueue, migration [Migration] attributes test: standup-analytics authorization test; unit 29/29 + integration 26/26 green Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
feat: prod hardening, security + bug fixes, runtime config, summary-s…
revert Trivy image gate CRITICAL,HIGH -> CRITICAL (backend image carries fixable HIGH CVEs; matches prior green runs #90-92) exclude devops/aiops/sanitize.test.js from TruffleHog (fixture connection strings, no real credentials) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
fix/ci quality
Fix NotificationEndpoints and InAppNotificationService to avoid null refs and improve delivery Harden ProjectEndpoints, Program.cs, GitHubService, and TriggerCommitSync handler for reliable syncs Update frontend RealtimeProvider, NotificationBell, messages and project pages to handle missing data Adjust integration tests (NotificationsFlowTests) Add new MarkRead notification feature (untracked folder) Testing: update/verify with dotnet test and frontend test suites; rely on CI for full validation.
fix(ci): stabilize CI and fix notification & project sync issues
…g into develop line
…nfig Documents every NEXT_PUBLIC_* variable the frontend reads, the window.__ENV runtime-injection mechanism (APP_* vars written to public/__env.js by the container entrypoint), and which deployed values live in devops/helm/loopless/values.yaml. Un-ignores .env.example so it can be tracked. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
Manual testing on the deployed frontend (
web.project-01.gjirafa.dev) found every API call going tohttp://localhost:8080— theNEXT_PUBLIC_API_BASE_URLbuild-time value was never baked into the deployed image, leaving the localhost fallback in the JS bundles.Investigation showed this was already fixed on
main(PRs #93–#95, deployed 2026-06-11): the frontend now uses runtime config injection — the container entrypoint writespublic/__env.js(window.__ENV) fromAPP_*env vars at startup, resolved bylib/clientEnv.ts(window.__ENV→NEXT_PUBLIC_*build/dev fallback → localhost). Verified live:https://web.project-01.gjirafa.dev/__env.jsserves the correct production URLs, and the deployed API correctly returns 401 for missing/invalid JWTs.But
develophad none of this — it was 7 commits behindmain.What this PR does
origin/mainintodevelop(clean merge, no conflicts) so develop carries the runtime-config fix, prod hardening, and today's bug fixes. Develop's two unique security commits (project-member visibility +/metricslockdown) are preserved.frontend/client/.env.exampledocumenting every frontend env var:NEXT_PUBLIC_API_BASE_URL,NEXT_PUBLIC_KEYCLOAK_URL,NEXT_PUBLIC_ADMIN_HOST(build-time only — Edge middleware can't seewindow.__ENV),NEXT_PUBLIC_ENABLE_RBAC, PostHog pair — plus how the three-tier resolution works and the deployedAPP_*equivalents indevops/helm/loopless/values.yaml..env.exampleinfrontend/client/.gitignore(.env*was swallowing it).Verification
main, which is deployed and greenAudit notes (no action needed)
NEXT_PUBLIC_prefix; no server secrets exposed ✅NEXT_PUBLIC_SIGNALR_URLinci.ymlquality job env is referenced by no code (hubs derive from the API base URL) — harmless, can be removed in a future CI touch-up🤖 Generated with Claude Code