fix(verifier): close two truth-contract gaps — typo'd issuer env + /trust allowlist#360
Open
ctol3r wants to merge 2 commits into
Two one-line product fixes surfaced by the institutional-readiness audit set on PR #358. Both close real risks listed in docs/architecture/mega-convergence-synthesis.md §2.C without depending on the in-flight #345/#349/#355 stack.

1) Fix typo'd env var read in apps/web/lib/crypto/receiptIssuer.ts:106. The handler reads `VITACV_ISSUER_URL` (missing the 'L'); when any operator names the var correctly as `VITALCV_ISSUER_URL`, the value is ignored and the handler falls through to the `NEXT_PUBLIC_APP_URL` path. Resolution order is now `VITALCV_ISSUER_URL` (canonical) -> `VITACV_ISSUER_URL` (back-compat for any deploy that already set the typo'd name) -> `NEXT_PUBLIC_APP_URL` -> `https://vitalcv.com`. Closes mega-convergence-synthesis.md §2.C risk #15.

2) Add `/^\/trust(\/.*)?$/` to PUBLIC_ROUTE_PATTERNS in apps/web/lib/auth/roles.ts. Before this change `/trust` (the institutional trust overview surface shipping on PR #355) reached the page only via middleware fall-through (no PROTECTED_ROUTES pattern caught it). This made the public exposure brittle and implicit; making it explicit closes the gap deterministically. `/trust-state(/...)?` was already allowlisted on the next line; this commit slots `/trust` adjacent to it. Closes mega-convergence-synthesis.md §2.C risk #14.

Validation:
- pnpm --filter @vitalcv/web exec vitest run __tests__/middleware.test.ts -> 38/38 passing (added 2 new cases pinning /trust and /trust/doctrine as public).
- pnpm --filter @vitalcv/web exec vitest run __tests__/crypto-receipt.test.ts __tests__/es256-receipt-engine.test.ts -> 16/16 passing (no regression).
- pnpm turbo run build --filter @vitalcv/web -> 13/13 successful.
- Banned-strings scan: CLEAN.

Truth rules:
- Does NOT add any new product concept.
- Does NOT depend on any in-flight PR landing first.
- Preserves the existing behavior for the typo'd env var via back-compat fallback so no operator with the misspelled name in production breaks.
- The `/^\/trust(\/.*)?$/` pattern is the same regex shape used for every sibling public route; no new convention introduced.
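Both fixes above are small enough to be worth seeing side by side in runnable form. The block below is an added example, not code from the VitalCV repository: it implements the env-var resolution order the PR describes (canonical name, then the misspelled legacy name, then `NEXT_PUBLIC_APP_URL`, then the hard-coded default) and an anchored public-route allowlist with a classifier that makes the "fall-through" case visible. `resolveIssuerUrl`, `classifyRoute`, the sample `PROTECTED_ROUTES` entry and the https check are assumptions for illustration; the PR does not describe an https check.

```typescript
// Added example, not code from the VitalCV repo. Names and the https check
// are assumptions for illustration.

type Env = Record<string, string | undefined>;

const DEFAULT_ISSUER = "https://vitalcv.com";

// Resolution order: canonical name, then the misspelled legacy name kept for
// back-compat, then the app URL, then the hard-coded default. Blank values are
// treated as unset. A value that is set but is not an absolute https URL is a
// misconfiguration and throws rather than being skipped: skipping it would
// reproduce the very "operator set it, handler ignored it" failure being fixed.
export function resolveIssuerUrl(env: Env): string {
  const candidates: Array<[string, string | undefined]> = [
    ["VITALCV_ISSUER_URL", env.VITALCV_ISSUER_URL],
    ["VITACV_ISSUER_URL", env.VITACV_ISSUER_URL], // typo'd name, back-compat only
    ["NEXT_PUBLIC_APP_URL", env.NEXT_PUBLIC_APP_URL],
  ];
  for (const [name, raw] of candidates) {
    const value = raw?.trim();
    if (!value) continue;
    let url: URL;
    try {
      url = new URL(value);
    } catch {
      throw new Error(`${name} is not an absolute URL: ${JSON.stringify(value)}`);
    }
    if (url.protocol !== "https:") {
      throw new Error(`${name} must be https, got ${url.protocol}`);
    }
    // Returned as given (trimmed only): the issuer ends up in the `iss` claim and
    // must match what verifiers were configured with byte for byte.
    return value;
  }
  return DEFAULT_ISSUER;
}

// Route tables in the shape the PR describes: one anchored regex per surface.
// The protected entry is a placeholder for illustration.
const PUBLIC_ROUTE_PATTERNS: RegExp[] = [
  /^\/trust(\/.*)?$/,
  /^\/trust-state(\/.*)?$/,
];
const PROTECTED_ROUTES: RegExp[] = [/^\/dashboard(\/.*)?$/];

export type RouteClass = "public" | "protected" | "fallthrough";

// Explicit allowlist first, explicit protected table second. "fallthrough" is
// the brittle case the PR closes: a path no pattern claims, reachable only
// because nothing denied it. A middleware test should pin every intentionally
// public path to "public" so a later table edit cannot silently change it.
export function classifyRoute(pathname: string): RouteClass {
  if (PUBLIC_ROUTE_PATTERNS.some((re) => re.test(pathname))) return "public";
  if (PROTECTED_ROUTES.some((re) => re.test(pathname))) return "protected";
  return "fallthrough";
}

// Constructed sample inputs.
console.log(resolveIssuerUrl({ VITACV_ISSUER_URL: "https://legacy.example" }));
console.log(["/trust", "/trust/doctrine", "/trustee", "/dashboard/x"].map(classifyRoute));
```

The regexes are anchored at both ends, so `/trustee` is not swept in by the `/trust` entry; that is the property worth asserting in the middleware test alongside `/trust` and `/trust/doctrine`. Note also that the final hard-coded default means a deploy with none of the three variables set silently issues receipts under the production issuer, so an environment check that fails loudly when the canonical variable is absent outside local development is a reasonable complement.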
ctol3r pushed a commit that referenced this pull request on May 13, 2026
Adds docs/architecture/final-runtime-reality-state.md, the TASK 7 output of the HARD OPERATIONAL CONVERGENCE wave. Strictly scoped to what is true on apex vitalcv.com RIGHT NOW (origin/main HEAD); excludes roadmap, planned features, in-flight PRs, and theoretical topology. Five required answers, each with file:line attribution:

1. What can institutions verify RIGHT NOW? Apex deploys, legacy JWKS at non-canonical path, ES256 signature oracle at /api/receipts/verify, /api/health config probe, OS association manifests. Five surfaces total.
2. What survives runtime restart RIGHT NOW? All Prisma-persisted state. Does NOT survive: ES256 keypair when env unset, lineageKey/runId continuity (not persisted), receipt issuance records by jti, lane-health snapshots.
3. What is still synthetic RIGHT NOW? /passport sample card (labeled), /api/ingest/[npi] fallback body, AASA advertisement of /verify/* (route absent on main), Macie Miller demo NPI (vitalcv_dev only).
4. What still breaks institutional continuity RIGHT NOW? 9 concrete observable failures: 404 cascade on canonical discovery paths, non-deterministic receipt jti, no lineageKey/runId claims, no replay readers, probe runner unscheduled, clerk.enabled=false, legacy JWKS media-type, OID4VCI credential_endpoint advertising non-existent path, OIDC pointer-not-flow endpoints.
5. What remains before true production-grade verifier infrastructure exists? Tier A: 6 operator-side configuration steps. Tier B: 5-PR merge train (#345, #349, #355, #358, #360). Tier C: 6-7 engineering PRs for replay persistence (per replay-topology-gap-analysis.md §7). Tier D: hygiene fix-ups (some already in flight on #360). No new product concept required at any tier.

Truth contract: doc scanned CLEAN. No banned strings, no aspirational claims, no future-state invention.
Resilience hardening for the highest-impact fetch site in the web runtime per upstream-fetch-topology.md §D (PR #358 audit set). The resolve-role fetch in middleware.ts:69 has no timeout, so a slow or hanging /api/auth/resolve-role upstream blocks the middleware for the full Vercel function execution timeout (10s on hobby, 60s+ on pro). Adding AbortSignal.timeout(8000) bounds the round-trip:

- On normal response (<8s): unchanged behavior.
- On timeout: the existing catch clause swallows AbortError and the function falls through to the /auth/error redirect (the existing circuit-breaker path).
- On network error: same as today.

No behavior change on the happy path. Resilience improvement under the slow-upstream condition documented in final-production-resilience-state.md §5 Tier D.

Validation:
- pnpm --filter @vitalcv/web exec vitest run __tests__/middleware.test.ts -> 38/38 passing.
- pnpm turbo run build --filter @vitalcv/web -> 13/13 successful.

Adheres to user constraint "do not generate speculative infrastructure": this is a one-line resilience hardening on an existing fetch site, not a new feature.
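The commit above relies on the catch clause treating a timeout exactly like a network error. The block below is an added example, not the project's middleware: it bounds an upstream role lookup with `AbortSignal.timeout` and routes every failure mode, including the timeout, to the same fail-closed redirect. One detail worth knowing when pinning this in a test: `AbortSignal.timeout` rejects with an error named `TimeoutError`, while an explicit `abort()` (and some older fetch implementations on timeout) produce `AbortError`, so the classifier accepts both. `resolveRoleWithTimeout`, `RoleDecision`, `classifyFetchError` and the fake upstream are assumptions for illustration.

```typescript
// Added example, not code from the VitalCV middleware. Names, the RoleDecision
// shape and the fake upstream are assumptions for illustration.

export type RoleDecision =
  | { kind: "ok"; role: string }
  | { kind: "redirect"; to: "/auth/error"; reason: string };

export type UpstreamResponse = { ok: boolean; status: number; json(): Promise<unknown> };
export type Fetcher = (url: string, init: { signal: AbortSignal }) => Promise<UpstreamResponse>;

function redirect(reason: string): RoleDecision {
  return { kind: "redirect", to: "/auth/error", reason };
}

// Maps anything thrown by fetch to a short reason string. AbortSignal.timeout
// rejects with a DOMException named "TimeoutError"; an explicit abort() (and
// older fetch implementations on timeout) use "AbortError". Whatever the name,
// the caller must never turn an exception into a granted role.
export function classifyFetchError(err: unknown): string {
  const name =
    typeof err === "object" && err !== null && "name" in err
      ? String((err as { name: unknown }).name)
      : "";
  if (name === "TimeoutError") return "upstream timeout";
  if (name === "AbortError") return "request aborted";
  if (err instanceof Error) return `network error: ${err.message}`;
  return "unknown error";
}

// Bounded round-trip: a hung upstream costs at most timeoutMs, after which the
// request takes the same redirect path as a network error or a bad status.
export async function resolveRoleWithTimeout(fetcher: Fetcher, timeoutMs: number): Promise<RoleDecision> {
  try {
    const res = await fetcher("/api/auth/resolve-role", { signal: AbortSignal.timeout(timeoutMs) });
    if (!res.ok) return redirect(`upstream status ${res.status}`);
    const body = (await res.json()) as { role?: unknown };
    if (typeof body.role !== "string" || body.role === "") return redirect("malformed upstream body");
    return { kind: "ok", role: body.role };
  } catch (err) {
    return redirect(classifyFetchError(err));
  }
}

// Constructed fake upstream for offline runs: answers after delayMs and honours
// the abort signal the way undici's fetch does, rejecting with signal.reason.
export function fakeUpstream(delayMs: number, role = "clinician"): Fetcher {
  return (_url, { signal }) =>
    new Promise<UpstreamResponse>((resolve, reject) => {
      const timer = setTimeout(
        () => resolve({ ok: true, status: 200, json: async () => ({ role }) }),
        delayMs,
      );
      signal.addEventListener(
        "abort",
        () => {
          clearTimeout(timer);
          reject(signal.reason);
        },
        { once: true },
      );
    });
}

async function main(): Promise<void> {
  console.log(await resolveRoleWithTimeout(fakeUpstream(10), 200)); // ok, role clinician
  console.log(await resolveRoleWithTimeout(fakeUpstream(5000), 50)); // redirect, upstream timeout
}
void main();
```

The fake upstream is the part that makes the timeout path testable without a network: it clears its own timer on abort, so the test process exits as soon as the bounded call returns rather than waiting out the simulated hang.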