fix: add keys to deployment

.eslintrc.json

@@ -13,7 +13,8 @@
     "convex/_generated",
     "routeTree.gen.ts",
     "context-repos",
-    "__tests__"
+    "__tests__",
+    "context-repos"
   ],
   "parser": "@typescript-eslint/parser",
   "parserOptions": {

.github/workflows/cleanup-preview.yaml

@@ -8,6 +8,9 @@ jobs:
   cleanup:
     name: Delete Preview Worker
     runs-on: ubuntu-latest
+    concurrency:
+      group: preview-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
 
     steps:
       - name: Delete Preview Worker
@@ -16,4 +19,3 @@ jobs:
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
           command: delete --name crate-app-pr-${{ github.event.pull_request.number }} --force
-

.github/workflows/deploy-preview.yaml

@@ -12,6 +12,12 @@ jobs:
   deploy:
     name: Build & Deploy Preview
     runs-on: ubuntu-latest
+    concurrency:
+      group: preview-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
+
+    env:
+      WORKER_NAME: crate-app-pr-${{ github.event.pull_request.number }}
 
     steps:
       - name: Checkout
@@ -33,22 +39,61 @@ jobs:
 
       - name: Build
         env:
-          VITE_DISCOGS_CONSUMER_KEY: ${{ secrets.VITE_DISCOGS_CONSUMER_KEY }}
-          VITE_DISCOGS_CONSUMER_SECRET: ${{ secrets.VITE_DISCOGS_CONSUMER_SECRET }}
           VITE_CONVEX_URL: ${{ secrets.VITE_CONVEX_URL }}
         run: pnpm build
 
       - name: Clean wrangler cache
         run: rm -rf .wrangler
 
+      - name: Install Wrangler CLI
+        run: npm install -g wrangler
+
+      # Deploy first to ensure the Worker exists, then set secrets deterministically.
       - name: Deploy Preview to Cloudflare Workers
         id: deploy
         uses: cloudflare/wrangler-action@v3
         with:
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
           workingDirectory: dist/server
-          command: deploy --name crate-app-pr-${{ github.event.pull_request.number }}
+          command: deploy --name ${{ env.WORKER_NAME }}
+
+      - name: Set Worker Secrets
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+        run: |
+          echo "${{ secrets.VITE_DISCOGS_CONSUMER_KEY }}" | wrangler secret put DISCOGS_CONSUMER_KEY --name "$WORKER_NAME"
+          echo "${{ secrets.VITE_DISCOGS_CONSUMER_SECRET }}" | wrangler secret put DISCOGS_CONSUMER_SECRET --name "$WORKER_NAME"
+
+      - name: Smoke check Discogs runtime bindings
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          set -euo pipefail
+          URL="https://crate-app-pr-${PR_NUMBER}.govi218mu.workers.dev/api/auth/discogs/debug"
+          echo "Checking ${URL}"
+          # Give Workers a moment to apply secret updates
+          sleep 3
+
+          BODY="$(curl -fsSL --retry 15 --retry-all-errors --retry-delay 3 "${URL}")"
+          echo "Debug response: ${BODY}"
+
+          export BODY
+          node -e '
+            const json = JSON.parse(process.env.BODY || "{}");
+            const bindings = Array.isArray(json.availableBindings) ? json.availableBindings : [];
+            const ok =
+              json.hasCredentials === true &&
+              bindings.includes("DISCOGS_CONSUMER_KEY") &&
+              bindings.includes("DISCOGS_CONSUMER_SECRET");
+            if (!ok) {
+              console.error(json);
+              process.exit(1);
+            }
+            console.log("hasCredentials:", json.hasCredentials);
+            console.log("availableBindings:", bindings);
+          '
 
       - name: Comment PR with Preview URL
         uses: actions/github-script@v7
@@ -57,31 +102,29 @@ jobs:
             const prNumber = context.payload.pull_request.number;
             const previewUrl = `https://${prNumber}-pr.crate.audio`;
             const fallbackUrl = `https://crate-app-pr-${prNumber}.govi218mu.workers.dev`;
-
-            // Find existing comment
+
             const { data: comments } = await github.rest.issues.listComments({
               owner: context.repo.owner,
               repo: context.repo.repo,
               issue_number: prNumber,
             });
-
-            const botComment = comments.find(comment => 
-              comment.user.type === 'Bot' && 
-              comment.body.includes('🚀 Preview Deployment')
+
+            const botComment = comments.find((comment) =>
+              comment.user.type === 'Bot' && comment.body.includes('🚀 Preview Deployment'),
             );
-            
+
             const body = `## 🚀 Preview Deployment
-            
+
             | Environment | URL |
             |-------------|-----|
             | Preview | [${previewUrl}](${previewUrl}) |
             | Fallback | [${fallbackUrl}](${fallbackUrl}) |
-            
+
             **Commit:** \`${context.sha.substring(0, 7)}\`
             **Updated:** ${new Date().toISOString()}
-            
+
             > This preview will be automatically deleted when the PR is closed.`;
-            
+
             if (botComment) {
               await github.rest.issues.updateComment({
                 owner: context.repo.owner,
@@ -97,4 +140,3 @@ jobs:
                 body,
               });
             }
-

.github/workflows/deploy-production.yaml

@@ -39,13 +39,14 @@ jobs:
       - name: Build
         env:
           VITE_CONVEX_URL: ${{ secrets.VITE_CONVEX_URL }}
-          VITE_DISCOGS_CONSUMER_KEY: ${{ secrets.VITE_DISCOGS_CONSUMER_KEY }}
-          VITE_DISCOGS_CONSUMER_SECRET: ${{ secrets.VITE_DISCOGS_CONSUMER_SECRET }}
         run: pnpm build
 
       - name: Clean wrangler cache
         run: rm -rf .wrangler
 
+      - name: Install Wrangler CLI
+        run: npm install -g wrangler
+
       - name: Deploy to Cloudflare Workers (Production)
         uses: cloudflare/wrangler-action@v3
         with:
@@ -54,3 +55,11 @@ jobs:
           workingDirectory: dist/server
           command: deploy
 
+      - name: Set Worker Secrets
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+        run: |
+          echo "${{ secrets.VITE_DISCOGS_CONSUMER_KEY }}" | wrangler secret put DISCOGS_CONSUMER_KEY --name crate-app
+          echo "${{ secrets.VITE_DISCOGS_CONSUMER_SECRET }}" | wrangler secret put DISCOGS_CONSUMER_SECRET --name crate-app
+

.github/workflows/deploy-staging.yaml

@@ -39,13 +39,14 @@ jobs:
       - name: Build
         env:
           VITE_CONVEX_URL: ${{ secrets.VITE_CONVEX_URL }}
-          VITE_DISCOGS_CONSUMER_KEY: ${{ secrets.VITE_DISCOGS_CONSUMER_KEY }}
-          VITE_DISCOGS_CONSUMER_SECRET: ${{ secrets.VITE_DISCOGS_CONSUMER_SECRET }}
         run: pnpm build
 
       - name: Clean wrangler cache
         run: rm -rf .wrangler
 
+      - name: Install Wrangler CLI
+        run: npm install -g wrangler
+
       - name: Deploy to Cloudflare Workers (Staging)
         uses: cloudflare/wrangler-action@v3
         with:
@@ -54,3 +55,11 @@ jobs:
           workingDirectory: dist/server
           command: deploy
 
+      - name: Set Worker Secrets
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+        run: |
+          echo "${{ secrets.VITE_DISCOGS_CONSUMER_KEY }}" | wrangler secret put DISCOGS_CONSUMER_KEY --name crate-app
+          echo "${{ secrets.VITE_DISCOGS_CONSUMER_SECRET }}" | wrangler secret put DISCOGS_CONSUMER_SECRET --name crate-app
+

.gitignore

@@ -57,3 +57,9 @@ context-repos/
 
 # Cursor IDE rules
 .cursor/
+.dev.vars
+
+# Context repositories (local reference repos, not part of the project)
+context-repos/
+# Local Netlify folder
+.netlify

.prettierignore

@@ -13,4 +13,4 @@ node_modules/
 pnpm-lock.yaml
 
 # Context repos
-context-repos/
+context-repos/

app/api/auth/discogs/debug.ts

@@ -0,0 +1,47 @@
+import { createFileRoute } from '@tanstack/react-router';
+import {
+  getDiscogsCredentials,
+  hasDiscogsCredentials,
+  getEnvironment,
+  getCloudflareEnv,
+} from '@/lib/config/env';
+
+/**
+ * Debug endpoint for verifying Discogs credentials are properly configured.
+ *
+ * This endpoint is useful for:
+ * - Verifying secrets are loaded in production after deployment
+ * - Debugging local development setup
+ * - Checking .dev.vars is properly configured
+ *
+ * @route GET /api/auth/discogs/debug
+ */
+export const Route = createFileRoute('/api/auth/discogs/debug')({
+  server: {
+    handlers: {
+      GET: async ({ request }) => {
+        const origin = new URL(request.url).origin;
+        const { consumerKey, consumerSecret } = getDiscogsCredentials();
+        const cfEnv = getCloudflareEnv();
+
+        const debugInfo = {
+          origin,
+          hasCredentials: hasDiscogsCredentials(),
+          credentials: {
+            hasConsumerKey: !!consumerKey,
+            consumerKeyLength: consumerKey?.length || 0,
+            hasConsumerSecret: !!consumerSecret,
+            consumerSecretLength: consumerSecret?.length || 0,
+            // Show first 4 chars to verify correct key (safe to expose)
+            keyPrefix: consumerKey?.substring(0, 4) || 'N/A',
+          },
+          environment: getEnvironment() || 'not-set',
+          // List all available env keys (without values) for debugging
+          availableBindings: Object.keys(cfEnv),
+        };
+
+        return Response.json(debugInfo);
+      },
+    },
+  },
+});