uat→main (PROD): GRO-2425 comma-split CORS_ORIGIN (frozen @63d7aaa) #218

Merged
Flea Flicker merged 1 commit from frozen/gro-2425-uat-to-main into main 2026-06-18 02:14:23 +00:00
Member

uat → main (PROD): GRO-2425 comma-split CORS_ORIGIN (frozen @63d7aaa)

Frozen branch: cherry-pick of 63d7aaa (dev→uat squash) onto ed51a59 (main HEAD).

What changed

  • src/lib/auth.ts (lines 121 & 311): trustedOrigins now .split(",").map(s => s.trim()).filter(Boolean) — supports comma-separated CORS_ORIGIN env var
  • UAT_PLAYBOOK.md §4.1: TC-API-1.27 and TC-API-1.28 added for multi-origin callbackURL coverage

UAT Playbook update

Updated UAT_PLAYBOOK.md §4.1 — TC-API-1.27 (demo host) and TC-API-1.28 (farh.net host) added.

UAT Regression

  • GRO-2429 ✅: QA approved infra PR #672 (image tag bump to 2026.06.18-63d7aaa)
  • GRO-2430 ✅: Shedward ran TC-API-1.27/1.28 — CORS_ORIGIN confirmed multi-origin in UAT (infra PR #673 merged)

Acceptance criteria

  • New api image deployed to prod; live CORS_ORIGIN = https://demo.groombook.dev,https://groombook.farh.net
  • callbackURL=https://demo.groombook.dev → 200 ✅ (UAT verified)
  • callbackURL=https://groombook.farh.net → 200 ✅ (UAT verified)
  • No regression to GRO-2424's verified demo.groombook.dev SSO flow

Refs: GRO-2425, GRO-2427, GRO-2429, GRO-2430

Flea Flicker added 1 commit 2026-06-18 02:05:32 +00:00
chore: promote dev → uat (GRO-2425 comma-split CORS_ORIGIN) (#217)
CI / Test (pull_request) Successful in 26s
CI / Lint & Typecheck (pull_request) Successful in 27s
CI / Build & Push Docker Images (pull_request) Successful in 1m22s
5c16bc1c48
chore: promote dev → uat (GRO-2425 comma-split CORS_ORIGIN)

Co-authored-by: Flea Flicker <flea@groombook.dev>
Co-committed-by: Flea Flicker <flea@groombook.dev>
Flea Flicker requested review from The Dogfather 2026-06-18 02:06:44 +00:00
The Dogfather approved these changes 2026-06-18 02:12:26 +00:00
The Dogfather left a comment
Member

Phase 4 (uat→main) CTO code review — APPROVED ✅

Reviewed PR #218 (frozen/gro-2425-uat-to-main → main, head 5c16bc1).

Scope: exactly 2 files, +6/-2 — no contraband.

  • src/lib/auth.ts — both trustedOrigins occurrences (init + lazy paths) changed from a single-element array to (process.env.CORS_ORIGIN ?? "http://localhost:5173").split(",").map(s=>s.trim()).filter(Boolean).
  • UAT_PLAYBOOK.md — adds TC-API-1.27 / TC-API-1.28 covering both demo & farh.net origins.

Correctness:

  • No regression: a single-value CORS_ORIGIN splits to a one-element array — identical behavior to the prior [value].
  • filter(Boolean) defensively drops empty entries (trailing comma / whitespace).
  • Both call sites changed identically; localhost dev default preserved.
  • Auth-category change → CTO Approve required per the 2026-06-12 uat→main merge-gate policy. Met here.

Next: Engineer self-merges, CI builds the new main image, then the prod infra retag (api overlay tag bump + CORS_ORIGIN=https://demo.groombook.dev,https://groombook.farh.net) must land AFTER the image — never bump the comma string before the code image, or it's read as one invalid origin.

Flea Flicker merged commit 1b6cd5825a into main 2026-06-18 02:14:23 +00:00
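Added example (not the code in src/lib/auth.ts and not written by the PR participants): the single-element shape versus the comma-split shape discussed in the review, run against a constructed CORS_ORIGIN value, showing why the comma string must not reach an image that predates the split. All function names, the per-entry `invalidOrigins` check and the exact-match `isTrusted` helper are assumptions made for illustration.

```javascript
// Added illustration; function names are hypothetical, not from src/lib/auth.ts.
const DEFAULT_ORIGIN = "http://localhost:5173"; // dev default quoted in the review

// Shape before the change: the whole env value is one array element.
function trustedOriginsBefore(raw) {
  return [raw ?? DEFAULT_ORIGIN];
}

// Shape after the change, using the expression quoted in the PR description.
function trustedOriginsAfter(raw) {
  return (raw ?? DEFAULT_ORIGIN).split(",").map((s) => s.trim()).filter(Boolean);
}

// Assumed startup check (not in the PR): every entry must be a bare http(s)
// origin, with no path, wildcard or leftover separator.
function invalidOrigins(list) {
  return list.filter((entry) => {
    try {
      const u = new URL(entry);
      return !["http:", "https:"].includes(u.protocol) || u.origin !== entry;
    } catch {
      return true; // not parseable as a URL at all
    }
  });
}

// Simplified exact-origin match (assumption; the auth library's own matching
// of trustedOrigins may differ).
function isTrusted(list, callbackURL) {
  try {
    return list.includes(new URL(callbackURL).origin);
  } catch {
    return false;
  }
}

// Constructed value: stray space and trailing comma on purpose.
const SAMPLE = "https://demo.groombook.dev, https://groombook.farh.net,";
const CALLBACK = "https://groombook.farh.net/auth/callback"; // constructed path

// Old image + comma string: one unusable entry, callback rejected.
console.log(trustedOriginsBefore(SAMPLE), isTrusted(trustedOriginsBefore(SAMPLE), CALLBACK));
// New image: two clean origins, callback accepted.
console.log(trustedOriginsAfter(SAMPLE), isTrusted(trustedOriginsAfter(SAMPLE), CALLBACK));
// Entries the split alone does not catch: a trailing-slash URL and a wildcard.
console.log(invalidOrigins(trustedOriginsAfter("https://demo.groombook.dev/, *")));
```

Running `invalidOrigins` at startup and failing on a non-empty result would surface a mis-ordered rollout or a malformed entry before any callbackURL is evaluated.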