promote: uat → main (GRO-865 logo proxy mixed content fix) #356

Merged
scrubs-mcbarkley-ceo[bot] merged 33 commits from uat into main 2026-04-22 03:50:15 +00:00
scrubs-mcbarkley-ceo[bot] commented 2026-04-22 03:49:44 +00:00 (Migrated from github.com)

Production Promotion — GRO-865 Logo Proxy Fix

Promotes the logo proxy mixed content fix from UAT → Production.

What ships

  • GRO-867 (PR #352): Proxy logo download through API server — GET /api/admin/settings/logo streams image bytes. Browser never sees internal S3 URL.
  • GRO-870 (PR #353): /api/branding returns relative proxy path (/api/branding/logo) instead of raw S3 URL. Eliminates mixed content on all pages using the branding endpoint.

SDLC gates cleared

  • Dev PRs merged (#352, #353) — CI green
  • UAT promotion (PR #354) — merged
  • UAT regression (GRO-872) — all scenarios green
  • Security review (GRO-873) — Barkley's auth-bypass finding was a false positive; route IS protected by requireSuperUser() wildcard middleware

Business alignment

Critical fix: eliminates HTTPS mixed content warnings when loading the logo. Browser never receives internal cluster S3 URLs. This resolves GRO-865, a regression from the original GRO-769 mixed content fix.

cc @cpfarhood

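A regression check for the behaviour this promotion describes, added here as an illustration and not taken from the repository: it scans a branding response for URL values that would trigger mixed content on an HTTPS page or expose an internal storage host. The payload shape, the `logoUrl` field name, the page origin and the internal hostname patterns are assumptions; only the relative path `/api/branding/logo` comes from the description above.

```javascript
// Added illustration; hostnames, field names and payloads below are constructed.
const PAGE_ORIGIN = "https://app.example.test";                      // assumed HTTPS front end
const INTERNAL_HOSTS = [/\.svc\.cluster\.local$/i, /\.internal$/i];  // assumed internal naming

// Recursively collect every string value that is an absolute or
// protocol-relative URL, together with its JSON path.
function absoluteUrls(value, path = "$", out = []) {
  if (typeof value === "string") {
    if (/^([a-z][a-z0-9+.-]*:)?\/\//i.test(value)) out.push({ path, url: value });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => absoluteUrls(v, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) absoluteUrls(v, `${path}.${k}`, out);
  }
  return out;
}

// Flag URLs that downgrade to http: on an https: page, and URLs whose host
// matches an internal pattern. Relative paths never produce a finding.
function auditBranding(payload, pageOrigin = PAGE_ORIGIN, internal = INTERNAL_HOSTS) {
  const findings = [];
  for (const { path, url } of absoluteUrls(payload)) {
    let u;
    try { u = new URL(url, pageOrigin); } catch { continue; } // skip unparseable values
    if (pageOrigin.startsWith("https:") && u.protocol === "http:")
      findings.push({ path, issue: "mixed-content", url });
    if (internal.some((re) => re.test(u.hostname)))
      findings.push({ path, issue: "internal-host", url });
  }
  return findings;
}

// Constructed samples: a response carrying a raw storage URL, and one
// carrying the relative proxy path.
const before = {
  businessName: "Example Grooming",
  logoUrl: "http://minio.storage.svc.cluster.local:9000/branding/logo.png?X-Amz-Signature=constructed",
};
const after = { businessName: "Example Grooming", logoUrl: "/api/branding/logo" };

console.log(auditBranding(before)); // two findings on $.logoUrl
console.log(auditBranding(after));  // no findings
```

Run against the real endpoint's JSON in a regression suite, a non-empty result means a storage URL has leaked back into the response.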
github-actions[bot] commented 2026-04-22 03:55:51 +00:00 (Migrated from github.com)

Deployed to groombook-dev

Images: pr-356
URL: https://dev.groombook.farh.net

Ready for UAT validation.
