fix: critical ingress routing + production hardening

Critical fix:
- Remove /dashboard and /zero-prompt from API ingress rules. These
  paths are Next.js pages that need auth middleware protection.
  Frontend accesses API sub-routes via /api/ prefix already.

Hardening:
- Add trustHost:true to NextAuth config (reverse proxy support)
- Read approval from DB on sign-in instead of deriving from domain
  (prevents 5-min access window for revoked users)
- Use consistent email domain extraction (rsplit equivalent)
- Use shared _PROTECTED_APP_NAMES constant in delete endpoint
- Export UserMenu from shared barrel
- Add web/.env.example documenting required env vars

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ComBba

.do/app.yaml

@@ -34,16 +34,9 @@ ingress:
       match:
         path:
           prefix: /health
-    - component:
-        name: api
-      match:
-        path:
-          prefix: /zero-prompt
-    - component:
-        name: api
-      match:
-        path:
-          prefix: /dashboard
+    # /dashboard and /zero-prompt are Next.js pages (auth-protected).
+    # Their API sub-routes (/dashboard/stats, /zero-prompt/start, etc.)
+    # are accessed via /api/ prefix by the frontend (DASHBOARD_API_URL).
     # Everything else → frontend (Next.js handles its own routing)
     - component:
         name: web

agent/server.py

@@ -2070,7 +2070,7 @@ async def dashboard_auth_check_user(email: str):
 @app.get("/dashboard/apps")
 async def dashboard_list_apps():
     """List all live DigitalOcean apps with age and status."""
-    from .tools.digitalocean import list_apps
+    from .tools.digitalocean import _PROTECTED_APP_NAMES, list_apps
 
     apps = await list_apps()
     result = []
@@ -2086,15 +2086,15 @@ async def dashboard_list_apps():
             "phase": active.get("phase", "UNKNOWN"),
             "created_at": app.get("created_at", ""),
             "updated_at": app.get("updated_at", ""),
-            "protected": name in {"vibedeploy"},
+            "protected": name in _PROTECTED_APP_NAMES,
         })
     return result
 
 
 @app.delete("/dashboard/apps/{app_id}")
 async def dashboard_delete_app(app_id: str):
     """Delete a specific generated app. Refuses to delete the production app."""
-    from .tools.digitalocean import delete_app, list_apps
+    from .tools.digitalocean import _PROTECTED_APP_NAMES, delete_app, list_apps
 
     apps = await list_apps()
     target = None
@@ -2106,7 +2106,7 @@ async def dashboard_delete_app(app_id: str):
         raise HTTPException(status_code=404, detail="app_not_found")
 
     name = target.get("spec", {}).get("name", "")
-    if name in {"vibedeploy"}:
+    if name in _PROTECTED_APP_NAMES:
         raise HTTPException(status_code=403, detail="cannot_delete_production_app")
 
     result = await delete_app(app_id)

web/.env.example

@@ -0,0 +1,11 @@
+# === Google OAuth (required for authentication) ===
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+
+# === NextAuth.js (required) ===
+AUTH_SECRET=          # Generate with: npx auth secret
+AUTH_URL=http://localhost:9001
+
+# === Agent API ===
+NEXT_PUBLIC_AGENT_URL=http://localhost:8080
+VIBEDEPLOY_API_KEY=   # Server-side only API key for agent backend

web/src/components/shared/index.ts

@@ -1 +1,2 @@
 export { ErrorBoundary } from "./error-boundary";
+export { UserMenu } from "./user-menu";

web/src/lib/auth.ts

@@ -6,6 +6,7 @@ import { DASHBOARD_API_URL } from "@/lib/api";
 const FIVE_MINUTES_MS = 5 * 60 * 1000;
 
 export const { handlers, signIn, signOut, auth } = NextAuth({
+  trustHost: true,
   providers: [
     Google({
       clientId: process.env.GOOGLE_CLIENT_ID!,
@@ -40,11 +41,24 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
     },
 
     async jwt({ token, user, trigger }) {
-      // On initial sign-in, extract domain and set approval
+      // On initial sign-in, extract domain and read approval from DB
       if (trigger === "signIn" && user?.email) {
-        const domain = user.email.split("@")[1] ?? "";
+        const domain = user.email.split("@").pop() ?? "";
         token.domain = domain;
-        token.approved = domain === "2weeks.co";
+        // Read actual approval status from DB instead of deriving from domain
+        try {
+          const res = await authenticatedFetch(
+            `${DASHBOARD_API_URL}/dashboard/auth/check-user?email=${encodeURIComponent(user.email)}`,
+          );
+          if (res.ok) {
+            const data = await res.json();
+            token.approved = Boolean(data.approved);
+          } else {
+            token.approved = domain === "2weeks.co";
+          }
+        } catch {
+          token.approved = domain === "2weeks.co";
+        }
         token.approvedCheckedAt = Date.now();
       }