Skip to content

release: production-ready launch candidate#31

Merged
DevCalebR merged 14 commits intomainfrom
codex/release/production-ready
Mar 9, 2026
Merged

release: production-ready launch candidate#31
DevCalebR merged 14 commits intomainfrom
codex/release/production-ready

Conversation

@DevCalebR
Copy link
Copy Markdown
Owner

@DevCalebR DevCalebR commented Mar 9, 2026

This branch merges production launch work:

  • P0 security hardening
  • recording security proxy
  • product UX / legal pages
  • production master roadmap
  • launch checklist
  • health endpoint
  • error boundaries

Do NOT merge the PR.

DevCalebR added 10 commits March 2, 2026 00:14
@DevCalebR
hardening: g14 secure recording access UX
136196c
@DevCalebR
docs: mark g14 done in production readiness log
6bc928e
@DevCalebR
chore: production roadmap + P0 security hardening
51796f7
@DevCalebR
feat: external buy flow + public legal/contact pages
82b58ba
@DevCalebR
chore: add production master roadmap and launch checks
c52b68f
@DevCalebR
Merge remote-tracking branch 'origin/chore/p0-security-roadmap' into …
0048be9 
…codex/release/production-ready
@DevCalebR
Merge remote-tracking branch 'origin/hardening/g14-recordings-ux' int…
812059b 
…o codex/release/production-ready

# Conflicts:
#	docs/PRODUCTION_READINESS_GAPS.md
@DevCalebR
Merge remote-tracking branch 'origin/chore/product-ux-legal' into cod…
b321616 
…ex/release/production-ready
@DevCalebR
Merge branch 'codex/chore/production-master-roadmap' into codex/relea…
a6b0707 
…se/production-ready

# Conflicts:
#	README.md
#	app/api/health/route.ts
#	app/api/stripe/checkout/route.ts
#	app/api/stripe/portal/route.ts
@DevCalebR
hardening: finalize recording proxy on release candidate
e5eacbd
@vercel
Copy link
Copy Markdown

vercel bot commented Mar 9, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
callbackcloser Ready Ready Preview, Comment Mar 9, 2026 6:19am

Request Review

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 9, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e5eacbdd44

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

lib/request-origin.ts
Comment on lines +39 to +40
// If no origin/referrer is provided, do not hard-fail to avoid blocking non-browser clients.
return true;
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Reject malformed Origin headers in request-origin guard

When the request includes an unparsable Origin value (for example Origin: null from opaque/sandboxed browser contexts), parseOrigin returns null and the function falls through to the permissive branch that returns true. Because the Stripe mutation routes now depend on this helper for CSRF protection in production, those malformed-origin browser requests are accepted instead of denied.

Useful? React with 👍 / 👎.

lib/request-origin.ts
Comment on lines +26 to +27
const expectedOrigin = parseOrigin(appBaseUrl);
if (!expectedOrigin) return true;
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Deny requests when expected app origin is unresolved

If appBaseUrl is missing or invalid, expectedOrigin becomes null and this helper immediately allows the request. That creates a fail-open path where production checkout/portal POSTs lose origin validation entirely during env misconfiguration, which defeats the protection this commit introduces.

Useful? React with 👍 / 👎.

@DevCalebR DevCalebR merged commit f6087f8 into main Mar 9, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@DevCalebR