chore(auth): document required server env vars (force deploy) #2633

Merged
koala73 merged 1 commit into main from fix/force-vercel-deploy
Apr 2, 2026

koala73 (Owner) commented Apr 2, 2026

Forces Vercel to rebuild with the CLERK_PUBLISHABLE_KEY env var that was added separately. Fixes 401 on /api/notification-channels introduced by #2024.

vercel bot commented Apr 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project | Deployment | Actions | Updated (UTC)
worldmonitor | Ignored | Ignored | Apr 2, 2026 10:03pm

greptile-apps bot (Contributor) commented Apr 2, 2026

Greptile Summary

This PR adds a single documentation comment to server/auth-session.ts identifying CLERK_PUBLISHABLE_KEY and CLERK_JWT_ISSUER_DOMAIN as required server-side environment variables. The functional purpose is to trigger a Vercel rebuild so that the separately-added CLERK_PUBLISHABLE_KEY env var is picked up, restoring correct JWT audience validation on /api/notification-channels (broken since #2024 when CLERK_PUBLISHABLE_KEY was added to getAllowedAudiences() but not yet provisioned in Vercel).

Key points:

  • The only code change is one comment line — no logic is modified.
  • The underlying logic (getAllowedAudiences consuming CLERK_PUBLISHABLE_KEY) was already in place; this deploy makes the env var available so that function returns a non-empty audience set.
  • One pre-existing style issue found: the Clerk API fetch inside lookupPlanFromClerk is missing a User-Agent header, which violates the project's documented convention in AGENTS.md.

Confidence Score: 5/5

Safe to merge — change is a doc comment only, with no logic or behaviour altered.

The diff is a single comment line addition with no executable code changes. The sole risk is that the Vercel rebuild may not behave as expected if the env var was not correctly provisioned separately, but that is outside the scope of this code change.

No files require special attention.

Important Files Changed

Filename | Overview
server/auth-session.ts | Single-line doc comment added to file header documenting CLERK_PUBLISHABLE_KEY and CLERK_JWT_ISSUER_DOMAIN as required server env vars; no logic changes introduced.

Sequence Diagram

sequenceDiagram
    participant Client
    participant EdgeGW as Vercel Edge Gateway
    participant AuthSession as server/auth-session.ts
    participant ClerkJWKS as Clerk JWKS Endpoint
    participant ClerkAPI as Clerk Backend API

    Client->>EdgeGW: Request with Bearer token
    EdgeGW->>AuthSession: validateBearerToken(token)
    AuthSession->>ClerkJWKS: Fetch JWKS (cached, lazy via getJWKS())
    ClerkJWKS-->>AuthSession: Public keys
    AuthSession->>AuthSession: jwtVerify(token, jwks, { issuer, audience: [convex, CLERK_PUBLISHABLE_KEY] })
    alt JWT has `plan` claim
        AuthSession-->>EdgeGW: { valid: true, userId, role }
    else Standard session token
        AuthSession->>ClerkAPI: GET /v1/users/:userId (Bearer CLERK_SECRET_KEY)
        ClerkAPI-->>AuthSession: User public_metadata.plan
        AuthSession-->>EdgeGW: { valid: true, userId, role }
    end
    EdgeGW-->>Client: Response

Comments Outside Diff (1)

  1. server/auth-session.ts, line 76-78

    P2 Missing User-Agent header in server-side fetch

    AGENTS.md lists "Always include User-Agent header in server-side fetch calls" as a critical convention, but the Clerk API request in lookupPlanFromClerk omits it. This is a pre-existing issue in this file that was not introduced by this PR, but it's worth fixing while touching the file.

    Context Used: AGENTS.md

Reviews (1): Last reviewed commit: "chore(auth): document required server en..."

koala73 merged commit a0a6abf into main Apr 2, 2026
8 checks passed
koala73 deleted the fix/force-vercel-deploy branch April 2, 2026 22:05
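
Added example (not part of this PR or the project's code): a sketch of the failure mode the review summary above describes, where an audience allow-list built from CLERK_PUBLISHABLE_KEY is empty in a build that lacks the variable, so every token is rejected with 401. The function names, the fail-closed rule and the sample values are assumptions for illustration; only the two variable names come from the page.

```typescript
// Added illustration; all function names are hypothetical, not the project's code.
type Env = Record<string, string | undefined>;

// Variable names taken from the PR description; values come from the caller.
const REQUIRED_VARS = ["CLERK_PUBLISHABLE_KEY", "CLERK_JWT_ISSUER_DOMAIN"];

// Report required variables that are unset or blank so a deploy can fail fast
// instead of surfacing later as 401s on authenticated routes.
function missingRequiredEnv(env: Env): string[] {
  return REQUIRED_VARS.filter((name) => !(env[name] ?? "").trim());
}

// Build the audience allow-list from configuration, skipping unset entries.
// Assumption: the list is derived only from CLERK_PUBLISHABLE_KEY.
function allowedAudiences(env: Env): string[] {
  return [env["CLERK_PUBLISHABLE_KEY"]]
    .map((v) => (v ?? "").trim())
    .filter((v) => v.length > 0);
}

// RFC 7519: "aud" is a string or an array of strings; accept on any match.
// An empty allow-list or a missing claim rejects the token (fail closed).
function audienceAccepted(aud: unknown, allowed: string[]): boolean {
  if (allowed.length === 0) return false;
  const claimed: unknown[] = Array.isArray(aud) ? aud : [aud];
  return claimed.some((a) => typeof a === "string" && allowed.indexOf(a) !== -1);
}

// Map the audience check to the HTTP status an API route would return.
function statusFor(aud: unknown, env: Env): number {
  return audienceAccepted(aud, allowedAudiences(env)) ? 200 : 401;
}

// Constructed sample values, not real keys or domains.
const SAMPLE_KEY = "pk_test_constructed_example";
const staleBuild: Env = { CLERK_JWT_ISSUER_DOMAIN: "https://issuer.example" };
const freshBuild: Env = { ...staleBuild, CLERK_PUBLISHABLE_KEY: SAMPLE_KEY };
```

Calling missingRequiredEnv at startup or in a build step turns a missing variable into a deploy-time error rather than a runtime 401.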