Converge CI/CD to deterministic 4-workflow architecture with bounded self-heal and provider-agnostic deployment

[Copilot]

This PR collapses a high-entropy, overlapping workflow graph into a deterministic CI/CD model to eliminate recursive automation, duplicate deploy paths, and flaky blocking checks. It preserves production deployment safeguards while making preview deployment non-blocking.

• Workflow convergence (single source of truth)

  • Replaced all existing workflow variants with exactly:
    • .github/workflows/ci.yml
    • .github/workflows/security.yml
    • .github/workflows/deploy.yml
    • .github/workflows/self-heal.yml
  • Removed duplicate CI/test/build/deploy/auto-fix workflows and all workflow-level repo mutation behavior.

• Deterministic CI + security lanes

  • ci.yml now contains only deterministic required jobs: lint, typecheck, test, build.
  • security.yml centralizes npm audit, dependency review, and secret scanning.
  • Updated webapp test execution in CI to npm --prefix webapp run test --if-present -- --ci --coverage so real test failures fail CI, while cleanly skipping when no webapp test script exists.

• Deploy hardening + provider-agnostic convergence

  • Production deploy is gated by successful ci completion on main via workflow_run.
  • Added trust boundary checks to avoid untrusted workflow_run execution contexts.
  • Production now checks out the exact github.event.workflow_run.head_sha to deploy the same commit that passed CI (race-free, deterministic behavior).
  • Preview deploy remains available but explicitly non-blocking and isolated from required checks.
  • Deployment gracefully skips when provider/secrets are not configured, so CI remains stable without Vercel account/tokens/org access.
  • Introduced provider-aware deployment gating via DEPLOYMENT_PROVIDER to decouple CI from legacy hosting assumptions.
  • Removed continue-on-error from production deploy job so real deploy attempts fail the deploy workflow when provider is enabled/configured.

• Legacy Vercel coupling removal

  • Removed hardcoded legacy GXQ.vercel.app / TradeOS.vercel.app references from active configs/docs touched by this work.
  • Removed obsolete rename-vercel-hosts.yml legacy coupling artifact.
  • Removed root vercel.json to neutralize legacy top-level Vercel coupling (webapp-scoped config remains in webapp/vercel.json).

• Future single-domain architecture (TradeOS.app)

  • Added config/deployment.ts as centralized deployment abstraction/domain resolution layer.
  • Updated runtime consumers to use centralized deployment config:
    • scripts/canary-deployment.ts
    • api/middleware/cors.ts
  • Wired DEPLOYMENT_PRIMARY_DOMAIN into deployment config fallback resolution.
  • Normalized environment templates for provider-independent deployment defaults:
    • .env.example (DEPLOYMENT_PROVIDER, DEPLOY_PREVIEW_ENABLED, DEPLOYMENT_PRIMARY_DOMAIN, normalized staging/production URLs)
    • webapp/.env.example (NEXT_PUBLIC_APP_URL)

• Bounded self-healing (no mutation loops)

  • Added scripts/converge.sh for idempotent convergence operations (lockfile normalization, deterministic regeneration, config validation, quality gates).
  • Implemented deterministic failure handling: classify → apply known fix recipe → rerun once → stop.
  • Explicitly forbids autonomous code/workflow mutation paths.

• Platform diagnostics + governance docs

  • Added scripts/doctor.ts for actionable diagnostics (env/templates, imports/cycles, TS paths, workflow graph integrity, Node/toolchain/config drift).
  • Added docs/ci-audit.md (kept/removed inventory, dependency graph, risks, migration/rollback notes).
  • Added docs/branch-protection.md with recommended required checks:
    • ci / lint
    • ci / typecheck
    • ci / test
    • ci / build
    • security / audit

• Validation evidence for provider independence

  • Verified install/build path without deployment credentials:
    • npm install (without VERCEL_TOKEN/Vercel secrets)
    • npm run build (without VERCEL_TOKEN/Vercel secrets)
  • Deploy workflow behavior is now:
    • secrets/provider missing → skip gracefully
    • provider configured + deploy fails → deploy workflow fails, while required CI checks remain provider-agnostic

# deploy.yml (production gate)
if: >
  github.event_name == 'workflow_run' &&
  github.event.workflow_run.conclusion == 'success' &&
  github.event.workflow_run.head_branch == 'main' &&
  github.event.workflow_run.event == 'push' &&
  github.event.workflow_run.head_repository.full_name == github.repository

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	next@​16.2.4
	eslint-config-next@​16.2.4
	@​solana/​wallet-adapter-phantom@​0.9.28 ⏵ 0.9.29	+1		+1	+4
	@​solana/​wallet-adapter-solflare@​0.6.32 ⏵ 0.6.33	+1			+4
	@​solana/​wallet-adapter-react-ui@​0.9.39
	@​types/​react-dom@​19.2.3
	@​types/​react@​19.2.14
	@​solana/​wallet-adapter-react@​0.15.39
	@​types/​node@​16.18.11 ⏵ 25.6.0
	jsonwebtoken@​9.0.3
	tailwindcss@​4.2.4
	react@​19.2.5
	@​pythnetwork/​hermes-client@​2.1.0 ⏵ 3.1.0
	bcrypt@​5.1.1 ⏵ 6.0.0	+9		+1
	eslint@​10.3.0
	typescript@​4.9.5 ⏵ 6.0.3	+1
	three@​0.184.0
	@​react-three/​drei@​10.7.7
	react-dom@​19.2.5
	@​react-three/​fiber@​9.6.1
	framer-motion@​12.38.0
	@​tailwindcss/​postcss@​4.2.4

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @react-native/debugger-frontend is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: webapp/package-lock.json → npm/@react-three/fiber@9.6.1 → npm/@solana/wallet-adapter-react@0.15.39 → npm/@react-native/debugger-frontend@0.84.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native/debugger-frontend@0.84.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[SMSDAO]

🚨 P238 FOLLOW-UP — REMOVE LEGACY VERCEL COUPLING + DEPLOYMENT CONVERGENCE

Requesting changes before merge approval.

Current CI/CD remains coupled to blocked legacy Vercel infrastructure:

• GXQ.vercel.app
• TradeOS.vercel.app

This is creating deployment instability, failing checks, and non-deterministic workflow behavior.

Required Convergence Actions

1. Remove Legacy Vercel Coupling

Audit and remove:

• hardcoded Vercel domains
• stale project/org references
• obsolete preview URLs
• blocked deployment hooks
• invalid deployment secrets
• provider-coupled CI assumptions

Required:

• no hardcoded GXQ.vercel.app references
• no hardcoded TradeOS.vercel.app references

---

2. Make CI Hosting-Provider Agnostic

CI must pass without:

• active Vercel account
• deployment tokens
• preview deployments
• org access

Core CI only:

• lint
• typecheck
• test
• build

Deployment must become optional/non-blocking until fresh infrastructure is established.

---

3. Deployment Workflow Refactor

Required behavior:

• graceful deploy skip if secrets absent
• no CI hard-fail from deployment provider issues
• preview deploys optional only
• production deploys protected and deterministic

No recursive deployment/self-healing mutation loops.

---

4. Prepare Future Single-Domain Architecture

Converge toward:
TradeOS.app

Required:

• deployment abstraction layer
• centralized domain resolution
• environment normalization
• provider-independent deployment config

Suggested:
config/deployment.ts

---

5. Environment + Workflow Cleanup

Normalize:

• .env.example
• deployment variables
• CI variables
• local development variables

Remove:

• dead Vercel IDs
• obsolete deployment references
• stale preview configuration

---

Success Criteria

Merge readiness requires:

• clean local build
• deterministic CI
• no legacy Vercel dependency
• workflows stable without deployment secrets
• localhost fully operational
• future deployment path preserved
• no hidden provider coupling

Current recommendation:
keep deployment workflows optional until new clean infrastructure is provisioned.

Production convergence target:
TradeOS.app

[Copilot]

🚨 P238 FOLLOW-UP — REMOVE LEGACY VERCEL COUPLING + DEPLOYMENT CONVERGENCE

Requesting changes before merge approval....

Implemented in 93c8861 (plus doc cleanup in 7951408). Follow-up changes remove hardcoded GXQ.vercel.app/TradeOS.vercel.app references, add provider-agnostic deployment abstraction (config/deployment.ts), make deploy workflow gracefully skip and non-blocking when provider config/secrets are absent, and normalize env/domain defaults toward TradeOS.app while keeping CI provider-independent (lint/typecheck/test/build only).

[Copilot]

Pull request overview

Converges the repository’s CI/CD automation into a deterministic, reduced workflow set and centralizes deployment/domain configuration so runtime consumers (scripts + API CORS) no longer depend on legacy Vercel hostnames.

Changes:

• Replaces the previous high-entropy GitHub Actions graph with four workflows: ci, security, deploy, self-heal, removing self-mutating/overlapping pipelines.
• Adds deterministic convergence/diagnostics tooling (scripts/converge.sh, scripts/doctor.ts) and surfaces recommended branch protection checks.
• Centralizes deployment URL/origin logic via config/deployment.ts and updates runtime consumers + docs/env templates to use TradeOS.app defaults.

Reviewed changes

Copilot reviewed 40 out of 41 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
webapp/.env.example	Adds NEXT_PUBLIC_APP_URL to document the public webapp origin.
tsconfig.json	Includes config/**/* in compilation inputs so new deployment config is built/typed.
scripts/doctor.ts	Adds a “platform doctor” diagnostic script for env/templates, workflows, TS paths, etc.
scripts/converge.sh	Adds an idempotent convergence script with bounded retry behavior for CI/self-heal.
scripts/canary-deployment.ts	Switches canary URLs to use centralized deployment config.
rename-vercel-hosts.yml	Removes legacy root-level hostname replacement workflow file.
package.json	Adds converge/doctor scripts and pins packageManager to npm@10.
docs/stuck.md	Updates documented deployment URLs to TradeOS.app.
docs/IMPLEMENTATION_SUMMARY_OLD.md	Updates documented CORS allowed domains to TradeOS.app.
docs/ENDPOINT_CONFIGURATION.md	Updates documented allowed domains to TradeOS.app.
docs/DEPLOYMENT_GUIDE.md	Updates example staging/production URLs to staging.tradeos.app / TradeOS.app.
docs/DEPLOYMENT_AUTOMATION.md	Updates documented production URL to TradeOS.app.
docs/ci-audit.md	Adds an audit record of removed/kept workflows and convergence rationale.
docs/CANARY_DEPLOYMENT.md	Updates canary deployment examples to new staging/production URLs.
docs/branch-protection.md	Adds recommended required checks aligned with the converged workflows.
docs/archive/VERCEL_DEPLOYMENT.md	Updates archived doc URLs to TradeOS.app.
docs/archive/COMPLETE_IMPLEMENTATION.md	Updates archived doc URLs to TradeOS.app.
config/deployment.ts	Introduces centralized deployment/provider config and derived allowed origins.
api/middleware/cors.ts	Uses centralized allowed-origins list for production CORS decisions.
.github/workflows/sync-railway-secrets.yml	Removes legacy Railway secret sync workflow.
.github/workflows/self-optimize.yml	Removes legacy self-optimizing (repo-mutating) workflow.
.github/workflows/self-heal.yml	Adds bounded, non-mutating “self-heal” workflow running scripts/converge.sh.
.github/workflows/security.yml	Adds centralized security lane (audit, dependency review, secret scanning).
.github/workflows/rename-vercel-hosts.yml	Removes legacy workflow that pushed/PR’d hostname mutations.
.github/workflows/powershell-merge-automation.yml	Removes legacy branch merge automation workflow.
.github/workflows/performance-monitoring.yml	Removes legacy performance monitoring workflow.
.github/workflows/gxq-scheduled-health.yml	Removes legacy scheduled health-check workflow.
.github/workflows/gxq-pr-check.yml	Removes legacy PR check workflow.
.github/workflows/gxq-master-ci.yml	Removes legacy “master CI” workflow.
.github/workflows/failed-job-handler.yml	Removes legacy failed-job retry/issue workflow.
.github/workflows/docker-build.yml	Removes legacy Docker build/push workflow.
.github/workflows/deploy.yml	Adds gated deploy workflow (preview optional; production triggered by successful ci run).
.github/workflows/deploy-railway.yml	Removes legacy Railway deploy workflow.
.github/workflows/deploy-railway-preview.yml	Removes legacy Railway preview deploy workflow.
.github/workflows/deploy-preview.yml	Removes legacy Vercel preview deploy workflow.
.github/workflows/complete-production-pipeline.yml	Removes legacy all-in-one production pipeline (incl. mutation paths).
.github/workflows/codeql-analysis.yml	Removes legacy CodeQL workflow (security lane now centralizes checks).
.github/workflows/ci.yml	Replaces prior comprehensive pipeline with deterministic lint, typecheck, test, build jobs.
.github/workflows/autonomous-oracle-pipeline.yml	Removes legacy autonomous “oracle” workflow that could push commits.
.github/workflows/auto-label.yml	Removes legacy PR auto-labeling workflow.
.env.example	Adds provider-agnostic deployment variables and updates staging/production URL defaults.

[SMSDAO]

🚨 Request Changes — PR #238 Needs Conversion to Patch-Level Fix

This PR is currently still at architectural/spec level, not yet a mergeable implementation patch.

To make this PR approvable, it must be converted into deterministic code changes with file-level diffs.

⸻

🔧 Required Actions Before Merge

1. Convert from spec → patch PR

Must include actual repo changes:
• .github/workflows/* refactor (CI independence)
• removal or neutralization of vercel.json
• environment cleanup (.env.example)
• deployment abstraction layer (provider-agnostic)
• CI gating logic updated for optional deployment

PR must clearly show what changed in code, not only design intent.

⸻

2. CI Independence Proof Required

PR description must explicitly confirm:
• npm install && npm run build works without Vercel credentials
• CI passes with:
• no VERCEL_TOKEN
• no deployment secrets
• deploy step does NOT fail when disabled or skipped

This is required for merge validation.

⸻

3. Add Deployment Guard Pattern

Must be implemented in code:
• If VERCEL_TOKEN is missing → skip deploy gracefully
• If present → deploy normally
• CI must NEVER fail due to deployment layer

Deployment must be optional, not blocking.

⸻

4. Keep PR #238 (do NOT split)

Do not open a new PR — splitting will fragment stabilization context.

Instead:
• upgrade this PR into a deterministic CI stabilization patch PR

⸻

⚠️ Expected Reviewer Questions (must be pre-answered)
• Where exactly are Vercel dependencies removed?
• What happens if deployment fails?
• How is deployment handled now?
• Does local build remain unchanged?

⸻

🧩 Merge Readiness Checklist

Repo-level
• No hardcoded Vercel domains
• No legacy project references
• No required Vercel CI gating

Workflow-level
• CI independent of hosting provider
• Deploy is optional / non-blocking
• No recursive automation loops

Runtime-level
• Clean local build
• No regression in dev workflow

⸻

⚙️ Summary

This PR is directionally correct but not yet merge-ready.

It must be upgraded from:

architectural guidance

to:

deterministic, file-level implementation patch

Once that conversion is done, it becomes safe for merge.

[Copilot]

🚨 Request Changes — PR #238 Needs Conversion to Patch-Level Fix

This PR is currently still at architectural/spec level, not yet a mergeable implementation patch....

Converted to concrete patch-level implementation in 6d721b6, 2a600b7, and 71863e9.

What changed:

• Workflow/file-level patching: .github/workflows/ci.yml, .github/workflows/deploy.yml, .env.example, config/deployment.ts, tsconfig.json, config/rpc-endpoints.ts, and removal of root vercel.json.
• CI independence: local npm install + npm run build was executed without VERCEL_TOKEN/deployment secrets; build completed successfully.
• Deployment guard behavior: deploy jobs now gate on provider/secrets and skip gracefully when absent; production checks out exact workflow_run.head_sha for deterministic deploys.
• Failure model: if deploy is disabled/missing secrets, it skips; if explicitly enabled and provider deploy fails, only deploy workflow fails while required CI checks remain provider-agnostic (lint/typecheck/test/build).
• Local dev/build flow remains unchanged (npm run build still works without deployment credentials).

[Copilot]

Pull request overview

Copilot reviewed 42 out of 43 changed files in this pull request and generated 4 comments.

Comments suppressed due to low confidence (1)

api/middleware/cors.ts:145

• allowedDomains now comes from getAllowedOrigins(), and the subsequent check uses string prefix matching (origin.startsWith(domain)). This is case-sensitive (mixed-case domains like https://TradeOS.app can fail to match browser Origin headers) and can be bypassed by origins such as https://tradeos.app.evil.com. Prefer parsing/normalizing origin and doing exact origin/host comparisons against the allow-list.

    const allowedDomains = getAllowedOrigins();

    // Allow requests with no origin (mobile apps, curl, etc.)
    if (!origin) return true;

[SMSDAO]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

Applied all requested fixes from that review thread in cafb982, fb99ee3, f955117, and eab5fb1.

• scripts/converge.sh: no longer hard-requires root vercel.json; validates webapp/vercel.json and only validates root config if present. Also switched webapp test stage to npm --prefix webapp run test --if-present -- --ci --coverage (no failure masking for real tests).
• scripts/doctor.ts: missing root vercel.json is no longer treated as an error; webapp/vercel.json is required/validated, and root config presence is only warned.
• config/deployment.ts: deployment URL normalization now canonicalizes host casing to lowercase and treats blank env values as unset to avoid empty-origin/CORS mismatches.
• .env.example: canonicalized tradeos.app URLs to lowercase defaults.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.mainnet-beta.solana.com
  • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node /home/REDACTED/work/TradeOS/TradeOS/node_modules/jest-worker/build/workers/processChild.js (dns block)
• invalid-url-that-does-not-exist.com
  • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node /home/REDACTED/work/TradeOS/TradeOS/node_modules/jest-worker/build/workers/processChild.js (dns block)
• quicknode-primary.solana.com
  • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node /home/REDACTED/work/TradeOS/TradeOS/node_modules/jest-worker/build/workers/processChild.js (dns block)
• quicknode-secondary.solana.com
  • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node /home/REDACTED/work/TradeOS/TradeOS/node_modules/jest-worker/build/workers/processChild.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

Copilot reviewed 42 out of 43 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

api/middleware/cors.ts:148

• The production CORS origin check uses origin.startsWith(domain), which can be bypassed by attacker-controlled origins like https://tradeos.app.evil.com (it still starts with https://tradeos.app). Parse origin as a URL and compare the full normalized origin (scheme + hostname + optional port) against an allowlist, or at least compare hostname equality instead of prefix matching.

    // Allow requests with no origin (mobile apps, curl, etc.)
    if (!origin) return true;

    // Check if origin matches allowed domains
    return allowedDomains.some((domain) => origin.startsWith(domain));
  },

[SMSDAO]

@copilot apply changes based on feedback

[Copilot]

Implemented in 58741bf and wording refinement in d6214fe.

scripts/converge.sh now fails in --ci/--self-heal mode when git workspace drift is detected (including after lockfile normalization), and prints the changed files so lockfile drift is surfaced and fixed in a PR instead of being hidden by a successful run.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.mainnet-beta.solana.com
  • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node /home/REDACTED/work/TradeOS/TradeOS/node_modules/jest-worker/build/workers/processChild.js (dns block)
• invalid-url-that-does-not-exist.com
  • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node /home/REDACTED/work/TradeOS/TradeOS/node_modules/jest-worker/build/workers/processChild.js (dns block)
• quicknode-primary.solana.com
  • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node /home/REDACTED/work/TradeOS/TradeOS/node_modules/jest-worker/build/workers/processChild.js (dns block)
• quicknode-secondary.solana.com
  • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node /home/REDACTED/work/TradeOS/TradeOS/node_modules/jest-worker/build/workers/processChild.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)