JANDES-80: Environment setup- local/staging/prod config pattern

Author: booshja

.changeset/gentle-worms-fry.md

@@ -0,0 +1,5 @@
+---
+"happy-harmony": minor
+---
+
+JANDES-80: Set up env strategy

.env.example

@@ -1,4 +1,5 @@
 CI=
+VITE_SENTRY_DSN=
 VITE_SENTRY_ORG=
 VITE_SENTRY_PROJECT=
 SENTRY_AUTH_TOKEN=

.wrangler/deploy/config.json

@@ -0,0 +1 @@
+{"configPath":"../../dist/server/wrangler.json","auxiliaryWorkers":[]}

AGENTS.md

@@ -58,7 +58,7 @@ Guidance for AI agents (Cursor/Claude) working in this repo.
 
 ## Git & PR workflow
 
-- Branch per PR; target `main`.
+- Branch per PR; target `mainline`.
 - Keep PRs narrowly scoped for easy review.
 - Commit messages: format as `<TICKET-123>: <summary>`; include what changed.
 - Changesets are required when packages change; include a brief human-readable summary and bump patch for fixes/non-breaking tweaks, minor for new features. Pipeline will fail if missing.

docs/env.md

@@ -1,49 +1,112 @@
 # Environment configuration
 
-This project separates build-time variables (used by Vite and CI) from runtime variables (provided by Cloudflare Workers).
+This project separates **build-time** variables (used by Vite/CI tooling) from **runtime** variables (provided to Cloudflare Workers at runtime).
+
+## Build-time env (Vite/CI only)
+
+- **Purpose:** tooling only (e.g., Sentry sourcemap upload during CI builds).
+- **Source:** CI environment variables; optionally `.env.local` for local experimentation.
+- **Keys:** `CI`, `VITE_SENTRY_ORG`, `VITE_SENTRY_PROJECT`, `SENTRY_AUTH_TOKEN`, `VITE_SENTRY_DSN`.
+- **Validation:** `parseBuildEnv` in `src/config/validation.ts` (used by `vite.config.ts`).
+- **Notes:**
+    - Build-time env should **not** contain runtime secrets like AWS keys or auth secrets.
+    - Sourcemap upload should typically run **only in CI**.
+    - `SKIP_ENV_LOAD=true` skips loading `.env*` files in Vite; use sparingly.
+
+## Runtime env (Cloudflare Workers)
+
+- **Purpose:** secrets and bindings used by server/runtime code (auth, SES, etc.).
+- **Source (staging/prod):** Cloudflare Workers environment variables/secrets.
+- **Source (local):** `.dev.vars` when running `wrangler dev`.
+- **Keys:**
+    - Required: `AUTH_SECRET`, `AWS_REGION`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `SES_FROM_EMAIL`
+    - Optional: `SENTRY_DSN`
+- **Access:** `getRuntimeEnv()` from `src/config/runtimeEnv.ts` (**Workers runtime only; do not import in client code**). Non-secret runtime metadata (like environment name) may be read from `process.env` when needed.
+- **Validation:** Zod schema in `runtimeEnv.ts`; errors list missing keys but never values.
 
-## Build-time env
+## Local setup
 
-- Purpose: tooling only (e.g., Sentry sourcemap upload in CI).
-- Source: `.env.local` (optional) or CI env.
-- Keys: `CI`, `VITE_SENTRY_ORG`, `VITE_SENTRY_PROJECT`, `SENTRY_AUTH_TOKEN`.
-- Validation: `parseBuildEnv` in `src/config/validation.ts` (used by `vite.config.ts`).
+- **Runtime (required for server features):**
+    1. Copy `.dev.vars.example` → `.dev.vars`
+    2. Fill in values (AUTH_SECRET, AWS keys, SES_FROM_EMAIL, etc.)
+    3. Run `pnpm dev` (uses `wrangler dev` on port 3000)
 
-## Runtime env (Workers)
+- **Build-time (optional):**
+    - Copy `.env.example` → `.env.local` only if you want to experiment with CI-like Sentry sourcemap uploads locally.
+    - In normal development, you usually don’t need build-time Sentry upload.
 
-- Purpose: secrets and bindings used by server code at runtime.
-- Source: Cloudflare bindings; local via `.dev.vars` when running `wrangler dev`.
-- Keys: `AUTH_SECRET`, `AWS_REGION`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `SES_FROM_EMAIL`, optional `SENTRY_DSN`.
-- Access: `getRuntimeEnv()` from `src/config/runtimeEnv.ts` (Workers runtime only; not for client imports).
-- Validation: Zod schema in `runtimeEnv.ts`; errors list missing keys but never values.
+- **Commands:**
+    - `pnpm dev` → Workers-parity local dev via Wrangler
+    - `pnpm dev:vite` → Vite-only fallback (not Workers-parity; avoid for runtime-dependent work)
 
-## Local setup
+## Staging / production
+
+- **Secrets** (e.g., `AUTH_SECRET`, AWS keys) should be set with Wrangler:
+    - `wrangler secret put AUTH_SECRET`
+    - `wrangler secret put AWS_ACCESS_KEY_ID`
+    - `wrangler secret put AWS_SECRET_ACCESS_KEY`
 
-- Build-time: optionally copy `.env.example` to `.env.local` and fill Sentry fields if you need CI-style sourcemap uploads locally.
-- Runtime: copy `.dev.vars.example` to `.dev.vars` and fill values; `wrangler dev` will load them.
-- Run: `pnpm dev` (uses `wrangler dev` on port 3000). `pnpm dev:vite` is available as a Vite-only fallback.
+- **Non-secrets** (e.g., `AWS_REGION`, `SES_FROM_EMAIL`, optional `SENTRY_DSN`) can be set as vars:
+    - via `wrangler.jsonc` `vars` (preferred when values are non-sensitive), or
+    - via Cloudflare dashboard for the Worker environment
 
-## Staging/production
+- **CI build-time Sentry vars** (`VITE_SENTRY_ORG`, `VITE_SENTRY_PROJECT`, `SENTRY_AUTH_TOKEN`, `CI`) are configured in the CI environment (match `.env.example` keys).
 
-- Secrets (`AUTH_SECRET`, AWS keys) should be set with `wrangler secret put`.
-- Non-secrets (`AWS_REGION`, `SES_FROM_EMAIL`, optional `SENTRY_DSN`) can be set via `vars` in `wrangler.toml` or `wrangler deploy --var KEY=value`.
-- Build-time Sentry vars for CI are configured in the CI environment (match `.env.example` keys).
-- Runtime env must be read only through `getRuntimeEnv()` inside server code.
+- **Domains:** staging uses the default `*.workers.dev` URL; production uses the custom domain `app.happyharmony.dev`.
+
+- **Rule:** runtime env must be read only through `getRuntimeEnv()` inside server code.
 
 ## Validation
 
-- Build-time keys are validated by `buildEnvSchema` in `src/config/validation.ts` and parsed via `parseBuildEnv` in `vite.config.ts` / `src/env.ts`. When `CI=true`, Sentry keys are required; otherwise they stay optional.
-- Runtime keys are validated by `getRuntimeEnv()` in `src/config/runtimeEnv.ts`; error messages list missing keys without revealing values.
+- **Build-time** keys are validated by the schema in `src/config/validation.ts`.
+    - When `CI=true`, Sentry build keys are required; otherwise they remain optional.
+- **Runtime** keys are validated by `getRuntimeEnv()` in `src/config/runtimeEnv.ts`.
+    - Error messages list missing keys without revealing values.
 
-## Sentry defaults
+## Sentry (recommended defaults)
 
-- Server (Workers): DSN from runtime `SENTRY_DSN` via `getRuntimeEnv()`. Sample rates: traces 0.1 / profiles 0.1 in production, 1.0 in dev/staging. Environment comes from `WORKERS_ENVIRONMENT`/`NODE_ENV`.
-- Client: DSN from `VITE_SENTRY_DSN` (optional). Sample rates mirror server; replays are off by default (`replaysSessionSampleRate=0`, `replaysOnErrorSampleRate=1.0`). Environment uses `import.meta.env.MODE`.
+- **Server (Workers):** DSN from runtime `SENTRY_DSN` via `getRuntimeEnv()`.
+- **Client:** use whatever TanStack Start / Sentry integration requires (avoid exposing secrets; DSN is not a secret).
+- **Privacy:** never include user-entered activity text/notes in logs, breadcrumbs, or error reports.
 
 ## Testing
 
-- Playwright uses `pnpm dev` (wrangler) so e2e hits the Workers runtime on port 3000. `.dev.vars` must be present for runtime bindings.
+- Playwright uses `pnpm dev:vite` by default, so E2E tests do **not** hit the Workers runtime unless you change the Playwright `webServer` command.
+- `.dev.vars` is required only when tests exercise runtime-dependent routes and you run via `pnpm dev` (Wrangler).
+
+## Deployment & domains
+
+- `workers_dev` is enabled so deploys always have a `*.workers.dev` URL available (used for staging and debugging).
+- Staging deploys use the `*.workers.dev` URL (no custom domain).
+- Production is served from the **Custom Domain** `app.happyharmony.dev`, managed in the Cloudflare dashboard.
+- **Do not configure `route` patterns in `wrangler.jsonc`** (we intentionally keep the apex `happyharmony.dev` free for marketing later).
+
+## Environment variable reference
+
+### Build-time (Vite/CI)
+
+| Key                   | Secret? | Used where                                        | Purpose                                                                                                   |
+| --------------------- | ------: | ------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
+| `CI`                  |      No | CI environment; `vite.config.ts`                  | Controls CI-only behavior (e.g., enabling sourcemap upload). When `true`, Sentry build vars are required. |
+| `VITE_SENTRY_ORG`     |      No | CI environment; `vite.config.ts`                  | Sentry org slug for sourcemap upload configuration.                                                       |
+| `VITE_SENTRY_PROJECT` |      No | CI environment; `vite.config.ts`                  | Sentry project slug for sourcemap upload configuration.                                                   |
+| `SENTRY_AUTH_TOKEN`   | **Yes** | CI environment; `vite.config.ts`                  | Auth token used by the Sentry Vite plugin to upload sourcemaps. Never expose to runtime/client code.      |
+| `VITE_SENTRY_DSN`     |      No | Client build-time env; `src/app/sentry.client.ts` | Client Sentry DSN for browser error reporting.                                                            |
+
+### Runtime (Workers)
+
+| Key                     | Secret? | Set where                               | Used where                           | Purpose                                                                                       |
+| ----------------------- | ------: | --------------------------------------- | ------------------------------------ | --------------------------------------------------------------------------------------------- |
+| `AUTH_SECRET`           | **Yes** | Wrangler secret / Cloudflare env secret | Server runtime via `getRuntimeEnv()` | Secret used by authentication/session crypto. Must be long and random in staging/prod.        |
+| `AWS_REGION`            |      No | Wrangler var / Cloudflare env var       | Server runtime via `getRuntimeEnv()` | AWS region used when calling SES APIs.                                                        |
+| `AWS_ACCESS_KEY_ID`     | **Yes** | Wrangler secret / Cloudflare env secret | Server runtime via `getRuntimeEnv()` | Access key for SES sending credentials (least-privilege IAM).                                 |
+| `AWS_SECRET_ACCESS_KEY` | **Yes** | Wrangler secret / Cloudflare env secret | Server runtime via `getRuntimeEnv()` | Secret key for SES sending credentials (least-privilege IAM).                                 |
+| `SES_FROM_EMAIL`        |      No | Wrangler var / Cloudflare env var       | Server runtime via `getRuntimeEnv()` | Verified “From” address used for verification/reset emails.                                   |
+| `SENTRY_DSN`            |      No | Wrangler var / Cloudflare env var       | Server runtime via `getRuntimeEnv()` | Sentry DSN for server-side error reporting. DSN is not secret, but treat it as configuration. |
 
-## Deployment
+### Local files (never commit)
 
-- `workers_dev` is enabled for the first deploy to `*.workers.dev`. Route settings remain in `wrangler.jsonc` for attaching the custom domain afterward.
+| File         | Purpose                                   | Notes                                                                              |
+| ------------ | ----------------------------------------- | ---------------------------------------------------------------------------------- |
+| `.dev.vars`  | Local runtime bindings for `wrangler dev` | Copy from `.dev.vars.example`. Do not commit.                                      |
+| `.env.local` | Optional local build-time vars            | Typically only needed if you want CI-like sourcemap upload locally. Do not commit. |

vite.config.ts

@@ -16,12 +16,8 @@ export default defineConfig((configEnv) => {
     const isSsrBuild = Boolean(ssrBuild);
     const isVitest = process.env.VITEST === "true";
     const isPlaywright = process.env.PLAYWRIGHT_TEST === "true";
-    const isCi = process.env.CI === "true" || process.env.CI === "1";
     const shouldAliasDevtools =
-        isSsrBuild ||
-        isVitest ||
-        (isPlaywright && command === "serve") ||
-        (isCi && command === "build");
+        isSsrBuild || command === "build" || isVitest || isPlaywright;
     const shouldUseCloudflare = !isVitest;
 
     const shouldSkipEnvLoad = process.env.SKIP_ENV_LOAD === "true";

wrangler.jsonc

@@ -1,22 +1,16 @@
 {
-    "$schema": "./node_modules/wrangler/config-schema.json",
-    "name": "happy-harmony",
-    "main": "./node_modules/@tanstack/react-start/dist/default-entry/esm/server.js",
-    "compatibility_date": "2026-01-07",
-    "compatibility_flags": ["nodejs_compat", "remove_nodejs_compat_eol"],
-    "workers_dev": true,
-    "observability": { "enabled": true },
-    "route": {
-        "pattern": "happyharmony.dev/*",
-        "zone_name": "happyharmony.dev",
-    },
-    "env": {
-        "staging": {
-            "name": "happy-harmony-staging",
-            "route": {
-                "pattern": "staging.happyharmony.dev/*",
-                "zone_name": "happyharmony.dev",
-            },
-        },
-    },
+  "$schema": "./node_modules/wrangler/config-schema.json",
+  "name": "happy-harmony",
+  "main": "./node_modules/@tanstack/react-start/dist/default-entry/esm/server.js",
+  "compatibility_date": "2026-01-07",
+  "compatibility_flags": ["nodejs_compat", "remove_nodejs_compat_eol"],
+  "workers_dev": true,
+  "observability": { "enabled": true },
+  "env": {
+    "staging": {
+      "name": "happy-harmony-staging"
+    }
+  }
 }
+// Custom domain (app.happyharmony.dev) is attached in Cloudflare dashboard via Custom Domains.
+// Do not add "route" here; we want to keep apex free for "marketing page(s)".