fix: wire marketplace reviews sync to production Worker endpoint

[aaf2tbz]

Summary

Two small changes to packages/daemon/src/routes/marketplace-reviews.ts:

• Pre-configure sync URL — DEFAULT_CONFIG.endpointUrl now points to https://reviews.signetai.sh/api/reviews/sync (the Cloudflare Worker from Signet-AI/marketplace#1). New installs are pre-configured; users don't need to set the URL manually.
• Add X-Signet-Sync: 1 header — the Worker requires this on all sync requests as a lightweight origin gate to filter non-Signet clients.

Sync remains opt-in (enabled: false default). Once the Worker is live, a follow-up can flip enabled: true as the default.

Dependencies

Pair with Signet-AI/marketplace#1 — the Worker must be deployed by Nicholai before the sync URL resolves. A TODO comment in the code marks where to flip the default once live.

Test plan

• PATCH /api/marketplace/reviews/config with just { "enabled": true } uses the pre-configured URL (no need to set endpointUrl)
• POST /api/marketplace/reviews/sync outbound request includes X-Signet-Sync: 1 header
• Existing tests pass: bun test packages/daemon/src/routes/marketplace-reviews.test.ts

🤖 Generated with Claude Code

[NicholaiVogel]

Hi @aaf2tbz - I'm @NicholaiVogel's PR-reviewing agent powered by pr-reviewer. I'm taking a look at the fixes in fix: wire marketplace reviews sync to production Worker endpoint (commit b472716f) now and I'll follow up shortly with feedback.

[NicholaiVogel]

The two marketplace-reviews.ts changes are clean. However, the diff bundles 10+ files of unrelated changes (session tracking, review queue tab, health check, context budget, novelty sampling) that aren't described in the PR summary — this is a scope/reviewability concern, not a safety issue. One functional bug found in the omitted counter logic.

Confidence: 7.0/10

• Style consistency & maintainability: 8
• Repository conventions adherence: 7
• Merge conflict detection confidence: 6
• Security vulnerability detection confidence: 8
• Injection risk detection confidence: 9
• Attack-surface risk assessment confidence: 7
• Future hardening guidance confidence: 7
• Scope alignment confidence: 3
• Existing functionality awareness: 7
• Existing tooling/pattern leverage: 8
• Functional completeness confidence: 7
• Pattern correctness confidence: 8
• Documentation coverage confidence: 6

{
  "style_maintainability": 8,
  "repo_convention_adherence": 7,
  "merge_conflict_detection": 6,
  "security_vulnerability_detection": 8,
  "injection_risk_detection": 9,
  "attack_surface_risk_assessment": 7,
  "future_hardening_guidance": 7,
  "scope_alignment": 3,
  "duplication_awareness": 7,
  "tooling_pattern_leverage": 8,
  "functional_completeness": 7,
  "pattern_correctness": 8,
  "documentation_coverage": 6
}

[aaf2tbz]

Rebuilt the branch cleanly from main — PR now contains only the intended marketplace-reviews.ts change (1 file, 9 lines). The extra files from the previous diff were unmerged work-in-progress commits that the branch had been cut on top of by mistake.

[NicholaiVogel]

Hi @aaf2tbz - quick follow-up pass on fix: wire marketplace reviews sync to production Worker endpoint (commit e8a94cee); taking another look at the fixes and I will report back shortly.

[NicholaiVogel]

Prior review's scope concern is resolved — the incremental diff is now exactly the two described changes. Both changes are functionally correct. Two minor issues: (1) the TODO comment is misleading (the URL is already the live production value, not a placeholder), and (2) readConfig() falls back to "" instead of REVIEWS_SYNC_URL when an existing config file has a missing or empty endpointUrl, so existing installs that previously had no URL configured won't pick up the new default without a manual PATCH — inconsistent with the PR's stated goal of pre-configuring new and existing installs.

Confidence: 7.8/10

• Style consistency & maintainability: 8
• Repository conventions adherence: 8
• Merge conflict detection confidence: 7
• Security vulnerability detection confidence: 8
• Injection risk detection confidence: 8
• Attack-surface risk assessment confidence: 7
• Future hardening guidance confidence: 7
• Scope alignment confidence: 9
• Existing functionality awareness: 9
• Existing tooling/pattern leverage: 8
• Functional completeness confidence: 7
• Pattern correctness confidence: 8
• Documentation coverage confidence: 7

{
  "style_maintainability": 8,
  "repo_convention_adherence": 8,
  "merge_conflict_detection": 7,
  "security_vulnerability_detection": 8,
  "injection_risk_detection": 8,
  "attack_surface_risk_assessment": 7,
  "future_hardening_guidance": 7,
  "scope_alignment": 9,
  "duplication_awareness": 9,
  "tooling_pattern_leverage": 8,
  "functional_completeness": 7,
  "pattern_correctness": 8,
  "documentation_coverage": 7
}

Unmapped findings (not on changed lines):

• packages/daemon/src/routes/marketplace-reviews.ts:138 - readConfig() falls back to "" (not REVIEWS_SYNC_URL) when an on-disk config has a missing or non-string endpointUrl:

endpointUrl: typeof raw.endpointUrl === "string" ? raw.endpointUrl : "",

Existing installs whose stored config has endpointUrl: "" or no endpointUrl key will continue to get an empty string, and the pre-configured URL will never take effect for them without a manual PATCH. If the intent is to migrate all installs to the new URL, the fallback should be REVIEWS_SYNC_URL:

endpointUrl: typeof raw.endpointUrl === "string" && raw.endpointUrl.length > 0
  ? raw.endpointUrl
  : REVIEWS_SYNC_URL,

Low severity since sync is opt-in, but worth aligning with the stated goal.

[aaf2tbz]

Both points addressed in d26f68f:

1. Misleading TODO — removed. Comment now reads: Production sync endpoint. Pre-configured so users only need to set enabled: true.
2. readConfig() fallback — endpointUrl now falls back to REVIEWS_SYNC_URL when the on-disk value is empty or missing, so existing installs pick up the production URL on next daemon start without a manual PATCH.

[NicholaiVogel]

Hi @aaf2tbz - quick follow-up pass on fix: wire marketplace reviews sync to production Worker endpoint (commit d26f68f4); taking another look at the fixes and I will report back shortly.

[NicholaiVogel]

Both issues from the prior review are resolved: (1) the misleading TODO comment has been replaced with a clear, accurate comment, and (2) readConfig() now falls back to REVIEWS_SYNC_URL when an existing config file has a missing or empty endpointUrl, fixing the upgrade path for existing installs. No new issues introduced. Ready to approve.

Confidence: 8.1/10

• Style consistency & maintainability: 8
• Repository conventions adherence: 8
• Merge conflict detection confidence: 7
• Security vulnerability detection confidence: 8
• Injection risk detection confidence: 8
• Attack-surface risk assessment confidence: 7
• Future hardening guidance confidence: 7
• Scope alignment confidence: 9
• Existing functionality awareness: 9
• Existing tooling/pattern leverage: 8
• Functional completeness confidence: 9
• Pattern correctness confidence: 9
• Documentation coverage confidence: 8

{
  "style_maintainability": 8,
  "repo_convention_adherence": 8,
  "merge_conflict_detection": 7,
  "security_vulnerability_detection": 8,
  "injection_risk_detection": 8,
  "attack_surface_risk_assessment": 7,
  "future_hardening_guidance": 7,
  "scope_alignment": 9,
  "duplication_awareness": 9,
  "tooling_pattern_leverage": 8,
  "functional_completeness": 9,
  "pattern_correctness": 9,
  "documentation_coverage": 8
}

[NicholaiVogel]

worker's deployed and responding at signet-reviews.nicholaivogelfilms.workers.dev. D1 database is up, migrations applied. dashboard flow goes through the daemon API so everything lines up. clean PR, approve.